The Department for Digital, Culture, Media & Sport has issued its fifth Cyber Security Breaches Survey. Its aim is to support the UK government in shaping future policy in this area. It was carried out in late 2019/early 2020.
The extent of cyber security threats has not diminished. On the contrary, the survey shows that cyber attacks have evolved and become more frequent. Almost half of businesses and a quarter of charities reported having cyber security breaches or attacks in the past year. This was higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).
The charity findings show a rising incidence. This may mean that more charities are being targeted but could also mean that they are better at identifying breaches than before. More organisations are experiencing breaches at least once a week.
The nature of cyber attacks has also changed since 2017. Over this period, there has been a rise in businesses experiencing phishing attacks, and a fall in viruses or other malware.
Organisations have become more resilient to breaches and attacks over time. They are less likely to report negative outcomes or impacts from breaches, and more likely to make a faster recovery. However, breaches that do result in negative outcomes still incur substantial costs.
Among the businesses that identify breaches or attacks, one in five have experienced a material outcome, losing money or data. Two in five were negatively affected, for example requiring new measures, having staff time diverted or causing wider business disruption. Similarly, among the 26% of charities reporting breaches or attacks, a quarter had material outcomes and over half were affected in a negative way.
Where businesses have faced breaches with material outcomes, the mean cost of all the cyber security breaches these businesses have experienced in the past year is estimated to be £3,230. For medium and large firms, this average cost is higher, at £5,220.
Over the last five years, there has been greater board engagement in cyber security and increased action to identify and manage cyber risks. These improvements may underpin the fact that organisations have become more resilient. Board engagement has increased over time among both businesses and charities: eight in ten businesses and three-quarters of charities say that cyber security is a high priority for their senior management boards.
51% of businesses and 38% of charities update their senior management on cyber security at least quarterly. The proportions that say they never update them have steadily declined, and around two-fifths of businesses have board members with a cyber security brief. Over 40% of charities have responsible board members or trustees.
Improvements over time, in terms of identifying and managing risks, include more organisations:
- seeking out information and guidance
- carrying out cyber security risk assessments
- having staff whose job role includes information security and governance
- having written cyber security policies
- backing up their data on cloud servers.
Organisations appear to have maintained, but not necessarily enhanced, the technical controls and governance processes they introduced for the General Data Protection Regulation. While the overall trends since 2016 are positive and significant, the changes since the 2019 survey specifically are relatively modest.
Organisations could do more on a range of diverse topics such as audits, cyber insurance, supplier risks and breach reporting. For example, the quality of audits varies greatly. In some cases, external audits were broader financial audits that covered aspects of cyber security but did not focus on it.
A minority of organisations report being insured against cyber risks, having reviewed the cyber security risks presented by suppliers, or having reported cyber security breaches to anyone beyond their IT or cyber security providers.
The qualitative research also suggests that current communications, both around supplier risks and reporting of breaches, can be confusing for organisations.
Some interviewees considered supplier risks only in terms of IT providers, internet service providers and other digital service providers – not wider non-digital service suppliers. On the other hand, for charities, the term “supplier risks” can be too narrow, as it does not encompass the wider network of partner organisations that they interact with digitally.
Reporting meant different things in different contexts – reporting to IT or cyber security providers as part of incident response, reporting financial losses to banks and insurance companies, public declarations to customers or suppliers, or reporting to wider authorities. Organisations were also unclear on who to report to, and the effect of reporting.
Finally, the findings also highlight opportunities and channels to spread good practice. Organisations are often primed to think about cyber security during financial audits, when filing tax returns, in meetings with insurance brokers and when undergoing broader technological changes, for example operating system upgrades or moving to a cloud server.