More than four in 10 UK businesses have suffered a cyber breach or attack in the past 12 months, according to research by the Department for Digital, Culture, Media and Sport (DCMS), which is urging companies to take action ahead of the introduction of the General Data Protection Regulation (GDPR) next month.
The department says its study, carried out by Ipsos MORI in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth, found 43% of businesses and 19% of charities had experienced cyber security breaches or attacks in the past year. This figure rises to 72% for large businesses.
The average cost of breaches is put at £3,100 for businesses and £1,030 for charities, rising to £16,100 for medium businesses and £22,300 for large businesses when there is material loss of assets or data. Moreover, the research suggested the estimated total cost of breaches has consistently increased for medium businesses specifically, even when including breaches that do not result in lost assets or data (from £1,860 in the 2016 survey and £3,070 in the 2017 survey, to £8,180 in 2018).
Among those experiencing breaches, large firms identified an average of 12 attacks a year and medium-sized firms an average of six attacks a year. Smaller firms are still experiencing a significant number of cyber attacks, with 42% of micro and small businesses identifying at least one breach or attack in the past 12 months, which could impact profits and reduce consumer confidence.
The most common breaches or attacks were via fraudulent emails - for example, attempting to coax staff into revealing passwords or financial information, or opening dangerous attachments - followed by instances of cyber criminals impersonating the organisation online, then malware and viruses.
Breaches were more likely to be found in organisations that hold personal data and in those where employees use their own personal devices for work. Around half of the more than 2,200 businesses and charities surveyed had bring your own device (BYOD) policies, with charities particularly likely to have them.
Despite 74% of businesses and 53% of charities reporting cyber security is a high priority for their organisation’s senior management, the survey uncovered a lack of adequate controls.
A quarter (25%) of charities are not updating software or malware protections, and a third of businesses (33%) do not provide staff with guidance on passwords. In addition, 11% of large firms are still not taking any action to identify cyber risks, such as health checks, risk assessments, audits or investing in threat intelligence.
Only 30% of businesses and 24% of charities had board members or trustees with responsibility for cyber security, while 20% of businesses and 38% of charities say their management boards have never discussed cyber security.
Sheila Pancholi, a technology risk assurance partner at RSM, said: ‘There is much more that organisations need to do when it comes to raising staff awareness through training, identifying and managing cyber related risks and adopting good-practice technical controls. Cyber security must be made a board level issue to ensure it gets the required level of focus in a business.
‘It’s particularly interesting that the survey found that cyber breaches are more prevalent when staff are allowed to use their own personal devices for work. This is an area that we have been warning our clients about for some time and caution is needed.
‘This is ever more important given the impending 25 May deadline for GDPR coming into force to strengthen personal data governance. The reality is that organisations are only as strong as the weakest link in their network.’
The survey found 38% of businesses and 44% of charities were aware of GDPR, and 27% of businesses and 26% of charities had made changes to their operations as a result. Of these, just under half of the businesses and over a third of the charities had made changes to their cyber security practices.
Elizabeth Denham, Information Commissioner, said: ‘With the new data protection law, the GDPR, taking effect in just a few weeks, it’s more important than ever that organisations focus on cyber-security.
‘We understand that there will be attempts to breach systems. We fully accept that cyberattacks are a criminal act. But we also believe organisations need to take steps to protect themselves against the criminals.’
Report by Pat Sweet