43% businesses, 19% of charities hit by data breaches: Cyber Breach survey
In a month from now, the UK will welcome GDPR which will give the ICO more powers to defend consumer interests and issue fines of up to £17 million or four percent of global turnover on organisations in the event of data breaches.
In a month from now, the UK will welcome GDPR which will give the ICO more powers to defend consumer interests and issue fines of up to £17 million or four percent of global turnover on organisations in the event of data breaches owing to poor cyber-security credentials.
With little time to prepare, it is expected that businesses and charities across the UK have already prepared cyber-security policies, appointed CISOs, elevated cyber-security matters to the board level, restricted IT admin rights to specific individuals, placed security controls over company-owned devices, and installed firewalls with appropriate configurations to ensure the security of enterprise and customer data.
However, the government's latest Cyber Security Breaches Survey 2018 has revealed that even though some progress has been made, many businesses and charities are still unprepared to meet emerging cyber-threats and are, in some aspects, woefully unprepared when it comes to complying with the GDPR's requirements or steps mandated under the government's Cyber Essentials Scheme.
With 85 percent of the UK's adult population using smartphones and many others using other connected devices to access the Internet, it is but natural that 98 percent of UK businesss and 93 percent of registered charities use websites and social media platforms to communicate with customers, clients, and contributors to sell products and services and to accept payments.
Websites and other digital assets owned by many businesses and charities contain a lot of sensitive enterprise and customer data and it falls upon the controllers and handlers of such data to ensure their security and to prevent their breach under any circumstance. However, the survey revealed that in the past 12 months, 43 percent businesses and 19 percent charities experienced cyber-security breaches or attacks.
On average, large businesses bore the brunt of cyber-attacks and 72 percent of them experienced cyber-security breaches or attacks in the past 12 months, suffering financial losses of £9,260 on average with some attacks costing significantly more. Most of these breaches occurred due to spearphishing attacks, malware or virus intrusions, or due to cyber-criminals impersonating organisations online (CEO Fraud).
The survey also revealed that that businesses and charities "with more potential risk factors" were more likely to experience cyber-security breaches. These risk factors included incomes of £5 million or more, storing and processing customer data, and having BYOD (Bring Your Own Device) policies at the workplace.
Out of those that suffered cyber-security breaches or attacks, 53 percent of businesses and 59 percent of charities suffered either financial losses or had to suspend operations as a result. Some of them also had to devote more resources to prevent future attacks, and some had to devote extra staff time to deal with data breaches.
While it is encouraging to note that 74 percent of businesses and 53 percent of charities are now considering cyber-security as a high priority, they have a lot to do to demonstrate their cyber-security credentials and to truly comply with requirements of the GDPR.
The survey of 1,519 UK businesses and 569 registered charities revealed that only 30 percent of businesses and 24 percent of charities have board members or trustees who are responsible for cyber-security, 20 percent of businesses and 38 percent of charities never update their senior managers on cyber-security issues, only 20 percent of businesses and 15 percent of charities have had any staff attend internal or external cyber-security training in the last 12 months, and just 10 percent of businesses and 22 percent of charities reported cyber-skills gaps.
At the same time, 56 percent of businesses and 55 percent of charities that hold personal information of customers have rules and controls around encryption, 27 percent of businesses and 21 percent of charities have cyber-security policies in place, and only 13 percent businesses and eight percent of charities have cyber-security incident management processes in place.
Only 51 percent of businesses and 29 percent of charities have so far implemented all five basic technical controls recommended by the NCSC and listed under the latter's Cyber Essentials Scheme. These controls include applying software updates as and when available, ensuring malware protection, installing firewalls with appropriate configurations, restricting IT admin and access rights to specific users and ensuring security controls on company-owned devices.
“Protection from disruptive breaches must become a staple measure in all organisations, which is why it's alarming that only around half of businesses and charities have contingency plans in place to deal with these attacks. Email has once again been reported as the most common type of breach – it only takes one person to open a malicious email attachment and the attacker is in," says Steve Malone, director of security product management at Mimecast.
"The recommendation for businesses and charities to consider their organisational culture is a good one. It is imperative to adopt a comprehensive cyber resilience strategy to better manage email risks. This involves strong methods of protection, combined with a reliable archive and recovery strategy which will help the organisation remain operational if something does get through," he adds.
On the question of cyber-preparedness of charities, Martyn Croft, former CIO of The Salvation Army UK and co-founder of Charities Security Forum, told SC Magazine UK that even though there has been a growth in awareness in terms of cyber-security becoming a priority, there is still much more work to do in improving cyber defences overall.
"Cyber-security is still seen by many charity boards as a technical problem that needs an IT solution, which is not enough. It seems logical that cyber-security risk would start to appear as a regular item in board conversations. But coupled with a belief that charities have nothing of interest to hackers, investment in adequate defences tends to take a back seat to investment in services to beneficiaries," he said.
Terming the fact that 53 percent of charities now consider cyber-security as high priority as "good news", he added that there's still work to do to approach the 74 percent seen in the business sector.
"GDPR will clearly be on a few minds and no doubt will have raised questions about how cyber-security plays into overall compliance. What's more concerning is the lack of formal cyber-security policies for both business and charities alike. Only by having an information security policy will both businesses and charities have a good basis to implement good controls, defences and mitigations," he added.
While complying with the NCSC's Cyber Essentials Scheme, appointing experienced CISOs who can determine cyber-risks, and discussing cyber-security at the board level will surely help organisations improve their response to cyber-threats. James Romer, chief security architect for EMEA at SecureAuth told SC Magazine UK that cyber-threats can also be effectively addressed through complete identity management platforms, combining identity access controls alongside user awareness programmes.
"It appears from the report that businesses and charities have not correctly identified the importance of implementing strategic identity solutions as a priority to improve their cyber- defences. It's clear that with identity and credentials accounting for the majority of data breaches, more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations' defences and prevent cyber-attacks in the future.
"Organisations need to go further than just two-factor authentication, utilising Identity platforms that join silos of data together to create comprehensive Identity controls. Part of those controls should be to implement adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP reputation-based threat services, and phone fraud prevention to address the threats at the identity level efficiently," he added.