The Government has published the findings from its Cyber Security Breaches Survey: a survey of UK businesses, charities and education institutions on the topic of cyber resilience and cyber security.
The results confirm that the majority of businesses and charities have a broad range of 'cyber hygiene' measures in place, the most common being updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls. Unsurprisingly, larger businesses and high-income charities are the most advanced when it comes to identifying and preventing cyber risks, whilst smaller organisations have struggled to allocate sufficient resources.
Overall, cyber security has dropped down the agenda where organisations are juggling competing priorities and have fewer resources to deploy. Investment in cyber security has typically come after an attack: in one example, a charity had increased its cyber security budget, refreshed its policies on the use of hardware and mobile phones, brought in mandatory phishing training, and was planning to formally test its business recovery plan later in the year. The survey warns against taking a reactive approach, but recognises that senior managers are often responsible for multiple areas of compliance and that the technical nature of the subject means organisations are heavily reliant on cyber security experts.
How often are senior managers updated on cyber security?
Three in ten businesses (30%) and a similar proportion of charities (31%) have board members or trustees taking explicit responsibility for cyber security as part of their job.
About 80% of businesses and charities update their senior managers at least once a year, with a significant proportion updating their senior team at least quarterly. Among large businesses, senior management now discusses cyber security as a matter of business as usual. Individuals with day-to-day responsibility for cyber security highly valued engagement from senior board members, as it helped them to get the buy-in of wider staff, to challenge and improve their own approaches, and to get quicker approval for new measures.
One high-income charity had webinar training designed specifically for their chief executive and trustees that explained their specific role in supporting cyber security in the organisation, including supporting resource allocation and setting a good example.
What are the common risks?
A third of businesses (32%) and a quarter of charities (24%) reported having experienced a cyber security breach or attack in the last 12 months. The most common by far is phishing – defined in the survey as staff receiving fraudulent emails or being directed to fraudulent websites – which is also commonly considered the most disruptive type of attack. This reflects the fact that most cyber actors use social engineering techniques. One of the consistent lessons across the series of surveys has been the importance of organisations ensuring that their staff are aware of the risks, through training and other awareness-raising activities.
Geopolitical events were felt to have a more limited impact on organisations’ behaviour, either because the organisation did not consider itself to be a relevant target or because it had limited information on the source of the attacks they were facing. Cyber security in supply chains is still an issue, due to a lack of risk awareness, an absence of formal due diligence and a struggle to monitor and enforce contracts.
Alternatives to costly experts?
The qualitative findings show the impact of good, ongoing communication between those in technical cyber or IT roles, wider staff and management boards. Instilling a security-conscious work culture often relies on two-way feedback, where staff report suspicious activity and hear back from those in technical roles on the actions taken. It also requires IT and cyber teams to be visible, to build trusting relationships with wider staff and management boards.
The survey also revealed a lack of awareness of government guidance, initiatives and communications. For example, NCSC guidance is tailored to businesses of specific sizes and to charities:
the NCSC’s Small Business Guide and Small Charity Guide, which outline more basic steps that these smaller organisations can take to protect themselves; and
the NCSC’s Board Toolkit, which helps management boards to understand their obligations, and to discuss cyber security with the technical experts in their organisation.
The survey contains further detail on how well businesses and charities deal with breaches or attacks, the financial cost of these breaches and attacks and an analysis of the frauds that occur as a result of cybercrime, with a separate annex detailing the findings of education institutions.
We welcome your thoughts and questions if these findings have given you cause to review your cyber security strategy.