Cyber-incidents are rising. However, more and more firms report repeated cyber-incidents in the past 12 months, says the UK government’s breaches survey.
More than 45 percent of all businesses and 25 percent of charities report cyber-security breaches. Large businesses (75 percent), medium businesses (68 percent) and high-income charities (57 percent) report the highest number of incidents, said the Cyber Security Breaches Survey 2020.
“The business findings are in line with those in 2017 (when the question was first asked). The charity findings show a rising incidence, from 19 percent in 2018 (when charities were first surveyed) and 22 percent in 2019, to 26 percent in 2020. This may mean that more charities are being targeted but could also mean that they are better at identifying breaches than before,” said the report.
“Among this 46 percent of businesses that identify breaches or attacks, more are experiencing these issues at least once a week in 2020 (32 percent versus 22 percent in 2017). There is a similar pattern over time for charities, although the changes across years are not statistically significant. In 2020, a fifth of these charities (22 percent) say they experience breaches at least once a week.”
Businesses experiencing phishing attacks went up from 72 percent in 2017 to 86 percent, while viruses and other malware fell from 33 percent to 16 percent. Costs of data breaches have gone up, while 19 percent of those reported breaches lost money or data.
Industry insiders have welcomed the findings, though it is worrying that the threats keep repeating and the cost of breaches continue to rise. Cyber-criminals and threats are constantly evolving, as is the landscape within which they operate, noted Jérôme Robert, cyber-security specialist for active directory at Alsid.
“Take the current Covid-19 pandemic that is gripping the world: massive changes in workstyles driven by remote working are a gift for hackers. Likewise, we talk a lot about the rise of AI applications to boost security, but don’t forget that cyber-criminals also have access to AI which they can use to launch more dangerous, targeted attacks in higher volumes thanks to automation,” he said
Ransomware is seen as a common threat these days and it is downplayed in the report, but daily headlines show how punishing it can be, he added.
The challenge the industry faces is no longer one of awareness of the threats, but how to put in place defence and mitigation measures for cyber-risks, observed Chris Miller, regional director UK & Ireland, RSA Security.
“One such digital risk that the survey highlights is that of suppliers. There’s no doubt that third parties are hugely important in today’s hyper-connected business environment, but they’re also a potential source of data breaches and are often targeted by malicious parties to leapfrog into other businesses’ networks. When it comes to working with external parties, there has to be a balance between risk and business reward,” he said.
Boards have started treating breaches as serious business risks, shows the survey.
“Over the last five years, there has been greater board engagement in cyber-security and increased action to identify and manage cyber-risks. These improvements may underpin the fact that organisations have become more resilient,” said the report.
Eight in ten businesses surveyed (69 percent in 2016) said cyber-security is a high-priority matter for their senior management boards. Three-quarters of charities (74 percent, up from 53 percent in 2018) said this about their senior management.
“The 2019 Data Breach Investigations Report by Verizon found that senior executives are 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches than in previous years,” observed Ali Neil, international security solutions director at Verizon.
The increase of success that cyber-criminals enjoy from phishing attacks can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cyber-crime, he explained.
“Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next, or have assistants managing email on their behalf, making suspicious emails more likely to get through.”