Analysis of government figures on UK companies’ investment in cyber-security has provided a breakdown by vertical sectors, showing finance and insurance firms invested the most in cyber-security in 2017-18, at an average of £17,900 – up 85 percent on the previous year’s £9,650 spend.
The figures produced by SavoyStewart.co.uk come from analysis of Gov.uk findings on expenditure in cyber security by 811 UK firms from a range of sectors between April 2017 and March 2018.
Quite some way behind comes the second-placed transport and storage sector, which spent an average of £6,570 on cyber-security, a small increase of nine percent on the previous financial year (£6,040).
At the bottom of the list came firms in the entertainment, service and membership sectors who spent an average of £770 – an 82 percent decrease compared to 2016-17.
Just above them were firms in food and hospitality, averaging £900 on cyber-security, but despite this low sum, food and hospitality firms still managed to achieve the second highest increase in cyber-security investment when compared to their average 2016-17 outlay of only £620.
Darren Best, managing director of SavoyStewart.co.uk commented: "As the scale and sophistication of cyber-attacks/breaches intensifies, firms cannot afford to sit back and take the importance of cyber-security lightly. As firms now remain reliant on an online ecosystem to conduct business, they must realise their websites and digital communications can be easily targeted and exposed to cyber-attacks and breaches. So key decision makers need to put an urgent spotlight on cyber-security by placing it high on their agenda. This includes investing a sufficient amount of money to ensure their IT estate has the capabilities to consistently get basic defences right and establishing adequate governance on cyber security for employees to thoroughly follow".
Unfortunately the spend being made is not working, according to the 2017 Thales Data Threat Report Retail Edition which reports 52 percent of US retailers surveyed experienced a breach despite 77 percent increasing their IT security expenditure. Admittedly, data breaches dropped from 22 percent in the previous year’s survey to 19 percent this year. But 11 percent of US retail organisations (over half of those breached in the last year) failed to learn from previous mistakes and were breached both in the last year and the previous year.
Putting the risk into context, PricewaterhouseCoopers (PwC) reports that the average annual cost incurred by the UK firms who have fallen victim to cyber-attacks/breaches is £857,000. And the likelihood has increased to the point where the Business Continuity Institute (BCI) shows that most UK firms (53 percent) now consider a cyber-attack as the main threat facing them in the near future.
Security professionals surveyed by Cisco put operations (38 percent) of a firm as likely to be most affected by any potential cyber-attack/breach, followed by finances (29 percent), intellectual property (27 percent), brand reputation (27 percent) and customer retention (25 percent).
Of the threats faced, a recent survey of 900 cybersec professionals by AlienVault found that internally, phishing (55 percent) and ransomware (45 percent) lead the worries faced by security departments, with cloud threats as the most concerning external threat at 28 percent.
But these worries do not necessarily correspond to the actual threats faced, with the Q2 'Cybercrime Tactics and Techniques' report from Malwarebytes noting how backdoor detections against businesses soared by 109 percent from last quarter and were up 442 percent for detections against consumers.
This increase is attributed to a particular campaign spreading malware known as Backdoor.Vools. Cryptominers take the number one spot for business detections. Despite this, the number of infections has plateaued, suggesting criminals are not gaining the ROI expected. GandCrab is the new ransomware ruler. However, ransomware detections against businesses overall dropped 35 percent.
2018 has also seen a resurgence of zero-day exploits with critical flaws exposed in popular software such as Adobe Flash Player and Internet Explorer, but there has been a move away from drive-by attacks to social engineering schemes with malicious spam being the main distribution vector.