Sealing off the breach

A major cyber security breaches survey of UK businesses and charities aims to help organisations to understand the nature and significance of the cyber security threats they now face

Fears over how cyber attacks have now hit new heights and will only go higher prompted the Department for Digital, Culture, Media and Sport (DCMS) to commission its 2019 Cyber Security Breaches Survey of UK businesses and charities. Part of the National Cyber Security Programme, its objective was to give organisations insights into the cyber security threats they are up against and what others are doing to stay secure.

It's more than timely, as cyber attacks are a persistent threat to businesses and charities. While fewer businesses have identified breaches or attacks than before, the ones that have identified them are typically experiencing more of them. Around a third (32%) of businesses and two in 10 charities (22%) report having cyber security breaches or attacks in the last 12 months. As in previous years, the proportion is much higher among medium-sized businesses (60%), large businesses (61%) and high-income charities (52%). Among the 32% of businesses and 22% of charities facing breaches or attacks, the most common types to emerge are:

• Phishing attacks (identified by 80% of these businesses and 81% of these charities)

• Others impersonating an organisation in emails or online (28% of these businesses and 20% of these charities)

• Viruses, spyware or malware, including ransomware attacks (27% of these businesses and 18% of these charities).

For businesses, the proportion identifying breaches or attacks (32%) is lower than in 2018 (when it was 43%) and 2017 (46%). The charities result is similar to 2018. At the same time, among the 32% of businesses that did identify any breaches or attacks, the typical (median) number that they recall facing has gone up from two attacks in 2017 to three times that - six - in 2019.

The fall in the number of businesses identifying any breaches or attacks is consistent with a similar trend found among the general public in the Crime Survey for England and Wales (CSEW). It has found that, between September 2017 and September 2018, the number of computer misuse incidents among individuals fell from circa 1.5 million to circa 1 million.

One plausible explanation for fewer businesses identifying breaches is that they are generally becoming more cyber secure. The survey shows that businesses have increased their planning and defences against cyber attacks since 2018. This may have resulted in fewer attacks overcoming their systems and fewer businesses recording any cases. Another possibility is a change in attacker behaviour, with more attacks being focused on a narrower (though still numerous) range of businesses. Although the survey does not directly measure attacker behaviour, this may help to explain the observed fall in the number of businesses identifying breaches, alongside the rise in the typical number of breaches among those that do identify them.

Alternatively, the trend may, in part, be explained by a change in the way businesses responded to the survey question, following the introduction of the General Data Protection Regulation (GDPR) in May 2018. GDPR might have changed what businesses consider to be a breach or led to some businesses becoming less willing to admit to having cyber security breaches. The findings also suggest that, where businesses have lost data or assets through cyber security breaches, the financial costs from such incidents have consistently risen since 2017.

Among the 32% of businesses recording breaches or attacks, this resulted in a negative outcome, such as a loss of data or assets, in 30% of cases. Among the charities recording breaches or attacks, this happened 21% of the time. In businesses that had these kinds of negative outcomes, the average (mean) cost to the business was £4,180 in 2019. This is higher than in 2018 (£3,160) and 2017 (£2,450). It indicates a broad trend of rising costs in cases where cyber attacks are able to penetrate an organisation's defences. Once again, the average costs faced by larger businesses in these cases tend to be much higher (£9,270 for medium firms and £22,700 for large firms in 2019). And for charities that are facing such negative outcomes from breaches, the average cost was £9,470 in 2019. The quantitative survey highlights that the costs of cyber security breaches can be substantial. However, qualitative findings suggest that, outside the survey, the indirect costs, long-term costs and intangible costs of breaches - things like lost productivity or reputational damage - tend to be overlooked. This means that, when organisations reflect on their approaches to cyber security, they may be undervaluing the true cost and impact of cyber security breaches.

The qualitative findings also highlight that GDPR has had some unintended consequences. It has led some organisations to frame cyber security largely in terms of avoiding personal data breaches. These organisations were less focused on other kinds of breaches or attacks and typically had a narrower set of technical controls in place. Overall, GDPR appears to have had, on balance, a positive impact on cyber security to date - but, to make progress beyond this, organisations may need to think much more holistically about the issue.

Matthew Aldridge, senior solutions architect at Webroot, recognises the shift in attack methods. "In the last report, increased ransomware was the top finding for businesses. This year, phishing emails largely outweigh other methods, with 80% of businesses identifying these as the most common attacks. Despite being one of the oldest tactics, phishing attacks are still successful. Bad actors recognise that humans are the weakest asset in the organisation and will exploit any gaps in education to gain access. The financial and reputational losses following a successful breach can be devastating to a business, but we cannot discount the losses in productivity. If nearly one-third of businesses have had to stop work because of an attack, that can significantly impact the bottom line.

"Employee vigilance and education are absolutely critical to an effective defence, especially as phishing emails are getting more convincing and difficult to spot," adds Aldridge. "Aside from technology, employee education is where organisations will get the best bang for their buck. It must form a part of the overall cybersecurity strategy, bolstered by the appropriate technology, such as real-time phishing detection, web filtering and email filtering. Employees need to understand the risks to business, why installing software updates, and clicking links within emails should be done with great care."

Graeme Stewart, regional manager, Public Sector Cyber Security UK & Ireland at Cisco, welcomes how more UK businesses and charities are taking cybersecurity seriously. However, he also warns: "Whilst more UK organisations are recognising cybersecurity as a high priority, many are still falling for some of the oldest tricks in the book. Over 80% of identified breaches in the last year were caused by phishing attacks. As an attack method, phishing is as old as the world wide web… used to hoodwink people into giving up data or access to IT systems since the 1980s. That's thirty years of phishing hurt."

Stewart emphasises that more has to be done to ensure that UK businesses and charities have the right skills training and awareness programs in place to stop their staff falling victim to these classic cybersecurity mistakes. "It's great to see that the desire is there from these organisations to ensure their cybersecurity measures are strong enough to protect their staff and their data, but this desire now has to be transformed into purposeful and long-lasting action. The technology industry is particularly responsible for supporting UK companies with the implementation of these training and awareness programs.

"At Cisco, we're playing our part with helping UK workers avoid risky mistakes to their employers with our Network Academy, which offers people online cybersecurity training on everything from 'knowing the essentials' to the technical skills they need to develop a full career in cybersecurity because we recognise the need to ensure our future workforce is prepared for the modern world of work. And that certainly includes not clicking links in emails!"

SIGNIFICANT RISK

According to Kirill Kasavchenko, principal security technologist at NETSCOUT: "Depending on which industry and geography is analysed, denial-of-service attacks might be one of the least likely attack types to hit businesses and charities, but these findings reveal the significant risk posed by these threats. Even if denial-of-service attacks are less common, the damage they can inflict can be much more destructive than more common threats like phishing. It's also worth considering that containing these attacks is likely to require specialist staff or services, so failing to have a robust mitigation strategy in place could mean hours if not days of disruption. That's not good enough for customers or employees - who expect to be able to use services they rely on, or just want to get on with their jobs."

Denial-of-service attacks can be particularly devastating for organisations, as they can act as a smoke screen for more damaging attacks, with hackers able to silently extract data or implant malware in the network whilst the security team are distracted, adds Kasavchenko. "The stakes are simply too high for organisations to leave their digital services vulnerable to being knocked offline. Especially when mitigation technologies, that can contain these attacks with no disruption in service, are available."

Adrian Jones, CEO, Swivel Secure, believes IT staff can face an uphill task making their data more secure, struggling to make time to add new processes to their workload or learn new systems. "Data protection solutions need to cause as little disruption as possible, so IT staff look to enhance their existing systems by improving their security, rather than replacing them outright with new software. Legacy enhancements can be effective, as the users are already familiar with the system and therefore may need minimal migration training," he says. "What is interesting to see is the disconnect between the perception and the reality of staff capabilities. This is important, especially when these individuals make the informed approach decision on what it takes to improve their organisation's cyber security."

He points to one aspect of the survey's findings where the majority of businesses (77%) and charities (69%) believe staff dealing with their cyber security have the right skills and knowledge. "Contrastingly, it suggests staff have only had cyber security training in 27% of businesses and 29% of charities. For public sector and not-for-profit organisations looking to juggle budgets, it makes sense to look at ways of enhancing existing systems, such as introducing multi-factor authentication. This could be one of the most cost effective and yet efficacious ways of preventing unauthorised access."

Out of the 36% of charities that created new security policies, only 4% actually changed firewall or system configurations to reflect the new posture, Jones also notes. "Working seamlessly with existing architecture, MFA platforms can be deployed throughout organisations with an extensive range of authentication factors to maximise adoption. Intelligent features, such as risk-based authentication, can adapt to users' scenarios, rather than using simple network access control, thereby preventing unauthorised access to applications and ensuring the security applied reflects the value of the data attempting to be accessed."

Anthony O'Mara, VP EMEA at Malwarebytes, says the report shows that, given the complexity of networks today and of the threats to their security, traditional anti-virus solutions are no longer enough. "Instead, a layered approach to security, made up of a suite of different security solutions, is now the safest option. Some newer endpoint protection solutions can help remediate any damage, for example, and may contain a roll-back feature capable of restoring a compromised device to a pre-attack timeframe."

While recognising that systems have to be fit for purpose, he states that so do the individuals responsible for them. "All staff members must understand the gravity of the threats posed, and the need to stay educated and updated about possible threats. That requires clearly understood chains of accountability and a workforce that is alert to the ramifications of bad internet and email habits. Education needs to be continuous - not a one-off box-ticking exercise."

FOLLOWING THE TRENDS

Jon Abbott, CEO of IT services provider Priority One and founder of cybersecurity platform ThreatAware, says the figures reflect the trends the industry is already seeing. "Attacks are becoming more targeted and costly, and cybercriminals are becoming more sophisticated. As IT teams shore up their defences, attackers are choosing softer targets and preying on people instead. They recognise that humans are now the weakest link and increasingly the targets are directors and senior decision makers.

"It demonstrates that cybersecurity is no longer just an IT issue but a company-wide challenge, one which involves people throughout the organisation and needs to be overseen at board level."

Further, the report reveals that 30% of all attacks suffered resulted in a negative outcome, where the breached organisation endured a loss of data or assets, with the average (mean) cost to the business being £4,180 - higher than in 2018 (£3,160) and 2017 (£2,450). Around three in four businesses (78%) say cybersecurity is now a high priority for senior management - up from 74% last year. One in three businesses (33%) now has a written cybersecurity policy; 27% have had staff attend training in the past 12 months; and 56% have implemented the five types of controls recommended in the government's Cyber Essentials scheme - all up on last year's figures. As mentioned earlier, the report says GDPR has helped to change behaviour, with 30% having made some type of change as a result, but it has also led to organisations focusing on data breaches, rather than wider risks. They might need to "think more holistically about the issue" and could do more - only 35% have a board member responsible for cybersecurity.

Abbott adds: "Dealing with the changing threat landscape requires a more integrated approach than before. Patching, web browsing protection and anti-virus software are critical, but businesses also need the right policies, procedures and culture. As cybercrime becomes more complex, boards need to lead the fightback and work closely with IT teams and managers throughout the organisation to ensure they are in the best possible position to defend themselves against the threats."

According to the survey itself, in 2019 both businesses and charities see cyber security as a higher priority than in previous years. The qualitative interviews indicate an enhanced level of understanding among organisations - they recognise that cyber attacks can no longer be prevented with common sense alone and require action.

The quantitative data suggest that, while fewer businesses overall are identifying breaches or attacks, the attacks that penetrate organisations' defences and cause the most disruption are also having more severe financial impacts than before.

Add the survey authors: "Our findings continue to highlight the importance of board-level engagement with cyber security. Board members and trustees are updated more frequently about cyber security in 2019 than in the previous years of the survey. More businesses in 2019 have board members with a cyber security brief, although this is still a minority among all but large businesses. Even among large businesses, four in ten (41%) do not have this. Instilling better knowledge and understanding of cyber security across board members can be the difference between cyber security being treated as a fairly high priority or a very high priority."