As part of its National Cyber Security Programme, the Department for Culture, Media and Sport (DCMS) recently released its latest Cyber Security Breaches Survey. This response highlights the important statistics that techUK members (and other businesses with an online presence) could benefit from understanding.
Carried out by Ipsos MORI and the University of Portsmouth’s Institute for Criminal Justice Studies, these findings were gathered from a representative survey of 1008 UK businesses via telephone and contextualised by a further 30 in-depth interviews with respondents.
The research shows that two thirds of large UK businesses suffered some form of cyber breach or attack in the twelve months leading up to the survey. Further analysis of the government’s report reveals that a quarter of these organisations experienced a breach at least once per month.
As internet sales continue to rise (between 2008 and 2014, e-commerce sales rose by over 71% to £573 billion across non-micro businesses), over half (53%) of surveyed businesses consider online services to be a core part of the goods, services, and products that they provide.
A comparatively small number of businesses (34%) have policies that specifically deal with encrypting personal data, which has recently been targeted by several highly publicised cyber attacks. Despite this, only a small percentage (6%) of all businesses were aware of the government-backed Cyber Essentials scheme, particularly the small (8%) and medium (11%) companies that could benefit the most. Overall, only 18% of all businesses – including 24% of small, 39% of medium, and 60% of large firms – were aware of ISO20001, the first international standard for Information Security Management, despite it having been developed in 2005.
The research also shows that almost a quarter (24%) of all UK businesses have experienced one or more cyber security breaches in the past 12 months, rising to almost two-thirds (65%) when applied to large firms.
The vast majority of attacks were in the form of viruses, spyware or malware (68%), followed by attackers impersonating the organisation (32%), either via email or other online means. About half (49%) of all businesses experienced more than one attack, with a quarter (25%) of larger businesses experiencing a breach on a monthly or more frequent basis.
While relatively few (10% overall) businesses suffered financial losses in revenue or share value, over half (55%) were required to invest in new countermeasures to prevent future or repeated attacks, with almost a quarter (23%) incurring repair and recovery costs. Further effects included the loss of productivity while contacting customers and dealing with the immediate consequences of an attack (42%) and the disruption to day-to-day working (31%). Additionally, 12% of businesses were prevented or delayed from providing goods and services to customers, in some cases resulting in reputational damage (4% overall).
Most organisations appear to consider accepting online payments to be the characteristic that defines them as an online business, as a vast majority (86%) of companies that make financial transactions via the internet believe this to be a core part of their business, to at least some extent. Alarmingly, this statistic implies that the remaining 14% of respondents see themselves as offline businesses, and therefore continue to underestimate the likelihood or potential consequences of a cyber attack. Indeed, the survey concludes that one in five ‘offline businesses’ are still subject to cyber security breaches.
Some participants believed that they held nothing of value, because they were not a bank or did not hold their customers’ financial details, thus neglecting to consider the potential for disruptions to their operations that could cause significant losses. Information such as the personal (non-financial) details of customers could be stolen for the purpose of conducting secondary attacks on those customers. It could also be argued that businesses have a responsibility to safeguard their customers.
Nevertheless, the five areas of basic technical controls found in the Cyber Essentials initiative were implemented by about half (48%) of all businesses, and roughly the same proportion (51%) have undertaken five or more of the steps in the Government’s 10 Steps guidance. (Notably, progress on all 10 steps has only been achieved by 5% of all firms.)
Around two-thirds of businesses spend some amount on cyber security, with just under half (44%) choosing to outsource to external providers. This is more common among small (63%) and medium (66%) enterprises (SMEs) than among microbusinesses (31%) or large organisations (49%). Additionally, just over a third (37%) have some form of cyber security insurance, but this was shown to be part of a wider policy and may indicate a lack of understanding of the terms of cover.
The two most commonly cited reasons for these investments are protecting company-owned data or intellectual property (44%) and protecting customer data (36%).
As we await the publication of the Government’s new National Cyber Security Strategy later this year, the research above shows that much more needs to be done by businesses to ensure that they are better protected against, and can respond to, the threat of cyber criminals.