Nearly half (46%) of UK firms experienced a breach or cyber-attack last year, with many still failing to implement basic, formalized security despite spending money on threat defence, according to a new government report.
The Cyber Security Breaches Survey 2017 was commissioned by the Department for Culture, Media and Sport (DCMS) as part of the National Cyber Security Programme, and is based on interviews with over 1,500 businesses.
On the one hand there are some positives to be gleaned from the results. Three-quarters (74%) of respondents said cybersecurity is a high priority for senior management; over half (58%) have sought advice or guidance on dealing with threats; and 67% spend money on security.
In addition, over half (52%) said they've enacted basic technical controls across the five areas of the government’s Cyber Essentials scheme, while 57% said they’ve also used risk assessments and similar measures to try to identify cybersecurity risks to their organization.
However, best practice measures were far from commonplace. These include segregating wireless networks and encrypting data (37%), making specific board members responsible for cybersecurity (29%), and staff training (20%).
That might explain why nearly half of respondents had identified at least one breach or attack in the past year. Among those, the mean number of incidents stood at 998, pushed up by a minority of very small firms that experienced hundreds or thousands of attacks over the year.
One in five (19%) of these experienced some kind of material loss, most typically temporary loss of access to files or networks (23%), and software or systems becoming corrupt or damaged (20%).
Many security experts claimed even these figures could be an underestimate stemming from firms’ lack of insight into key IT systems.
Paul Calatayud, CTO at FireMon, described it as just “the tip of the iceberg”.
"As a cyber defender my entire career, this statistic tells me half the story, given that half of those that were surveyed and responded with the belief they were not hacked simply are not aware that they may have been hacked and were never aware. This can be supported a number of ways, but one alarming statistic is that the average hack usually is not detected for longer than 209 days,” he explained.
“British businesses need to realize there is an entire global cyber-criminal economy that out-earns the illegal drug industry in terms of revenue. And as such, cyber programs need to wake up and adapt into a detect and response approach that places equal investments in prevention as it does in detection of hackers."
A majority of respondents did identify an impact to the organization from an attack/breach: for example, the need to invest in security against future breaches (38%); staff time taken up dealing with the breach (34%) and staff not being able to carry out their day-to-day work (23%); and other repair or recovery costs (19%).
The average cost to a business from a breach/attack was just £1,570, rising to £19,600 for large firms.
Brian Lord OBE, former GCHQ deputy director for cyber operations and current MD of PGI Cyber, argued that the industry needs to simplify its message to businesses.
“In the last week alone I have dealt with major clients from the banking, energy, telecoms and retail sectors as well as many small businesses. The threats are very different but the common denominator is one of confusion of what exactly they need to do to protect themselves and their horror at what they had been quoted elsewhere to help resolve a problem they didn't understand,” he explained.
“The reason breaches are growing is because companies aren’t protecting themselves properly, because they are being made confused by the cyber security vendors. A ‘cyber mythology’ has been created by the industry, to sell unnecessarily expensive solutions through fear. All recent high profile cyber-attack incidents could and should have been prevented with relatively low cost solutions.”
The answer to combatting most threats doesn’t have to involve expensive solutions or complex strategies, he concluded.