According to the latest Thales Data Threat Report published today, the UK holds the dubious honour of being the most breached country in Europe across the last 12 months. So why is that?
Historically, more organisations within Sweden (78 percent) and the Netherlands (74 percent) admitted they had been breached compared to 67 percent in the UK. That still represents a rise of 24 percent for the British from the year before though.
Point the research lens at just the last 12 months, however, and a different picture emerges. Some 27 percent of Netherlands businesses admitted to being breached, 30 percent of Swedish businesses and 33 percent of German ones. The figure for the UK was the highest across Europe though, at some 37 percent.
Despite this, the report reveals that only 31 percent of UK organisations felt either very vulnerable or extremely vulnerable to data threats. The vast majority, some 69 percent, apparently feeling somewhat vulnerable at worst or not vulnerable at all. The scale of this disconnect with the threatscape reality is highlighted when the UK numbers are compared, once again, with others in Europe: Swedish businesses felt the most vulnerable (49 percent), followed by those in the Netherlands (47 percent) and Germany (36 percent).
The security disconnect also appears in financial terms. Although 15 percent of British organisations reckoned their security spend was much higher than the previous year, this too falls short compared to others in Europe. Some 39 percent of Swedish respondents said their security budgets were much higher, the Netherlands sits on 29 percent and France 24 percent.
When it comes to GDPR compliance, however, UK organisations fared much better. While 49 percent of Swedish businesses had missed the mark for GDPR compliance, and the Netherlands not doing much better on 38 percent or Germany on 33 percent, only 19 percent of UK PLC admitted to failing data security audits in the last year.
So that's the numbers, but what about the reasons behind them? SC Media UK reached out to the infosec community for answers. James Hadley, CEO & founder of Immersive Labs, points towards the well-documented fact that there's a global cyber-skills shortage. For the UK to forge ahead, and shore up the cyber-defences, it will need to adopt a new approach to recruiting talent. "The recruitment process should adjust to identify those with demonstrable skills, rather than involve CV scanning for university degrees" Hadley told SC Media UK, continuing "this will help close the skills gap, thus helping to reduce the amount of breaches we see in the UK."
Meanwhile, Dr Jamie Graves, CEO and founder of ZoneFox, blames the old stiff upper lip attitude. "All too often, we seek an entity or individual to blame when there is a hack or breach or loss of data" he explains, continuing "this hampers learning and sharing best practice; compared to other European countries." Graves insists there needs to be an overarching shift in how the aftermath of security and data incidents are handled by UK organisations. "Previous coverage of incidents has led British employees to become scared of the repercussions and public lambasting they might receive if they fall foul to a phishing scam or similar incident" Graves says, concluding "if this fear isn't addressed, then the conversation and learning both in and between companies will never move forward."
Then there's that security spending issue that was highlighted in the Thales report. "In the last year there have a been several major attacks on the UK (WannaCry, Bad Rabbit) which has led to many organisations increasing their security and IT budgets" Sam Haria, Global SOC Manager at Invinsec, told SC Media UK, "however the purse holder is not necessarily the best placed person to be making these decisions."
And what should UK PLC be doing to escape the 'most breached' position? Richard Walters, chief security strategist with CensorNet, says he would be surprised if there's a huge amount more businesses in other countries are doing than their UK counterparts. "We're suffering the consequences of security being an afterthought for too long and only in recent years have organisations and the government properly started to baton down the hatches" Walters says, concluding "businesses need to make sure that they have proper tools in place that deal with a range of threats, both internal and external, and make sure that employees are trained in best practices to avoid costly mistakes."
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout