Click to enlarge
The Department for Culture, Media and Sport has released findings from its annual Cyber Security Breaches Survey, where 69% of organizations believe security to be a top priority for the business, though only 29% have a formal written policy.
Within the large organizations category, those with 250 or more employees, 90% considered security as a ‘very high’ or ‘fairly high’ priority, though this percentage dropped to 69% when taking an average of the UK as a whole.
“The UK is a world-leading digital economy and this Government has made cyber security a top priority,” said Minister for the Digital Economy Ed Vaizey. “Too many firms are losing money, data and consumer confidence with the vast number of cyber-attacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum, companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves.”
Of the companies who participated in the survey, 24% said they had experienced a breach within the last twelve months, though this is higher for medium and large businesses, 51% and 65% respectively. Large organizations would appear to be the more attractive target for cyber criminals, with 25% of the larger organizations experiencing at least one attack per month over the last year. In terms of financials, the average breach costs organizations £3,480, though this increases to £36,500 for organizations in the large category.
Although a healthy proportion of organizations claim security is a top priority only 29% have written cyber security policies, and only 10% have formal incident management processes. The survey also highlighted only 17% have had their staff undergo some form of cyber security training in the last 12 months.
“One of the most shocking revelations in the Government’s research is the fact that just 10 per cent of UK businesses have an incident management plan in place,” said Jens Puhle, UK Managing Director of 8MAN. “Given that two thirds of large businesses were breached this year alone, organisations need to think in terms of “when”, not an “if” they are attacked, and it is vital they have a solid response plan in place.
Security priority – click to enlarge
“Businesses that are equipped with the ability to identify how the breach occurred and which systems were affected will be able to mitigate the damage the impact and resume normal operations much sooner. They will also be able to take control of the aftermath, disclosing the incident on their terms and working with the authorities to catch the perpetrator. Being unable to perform these basic tasks will make it much more likely that a business is seen as inviting disaster on itself and its customers through negligence, rather than as a blameless victim of crime.”
From an employee perspective, only 34% of organizations currently employ staff whose job role specifically includes information security or governance, which could be perceived as relatively low considering 67% believe security is a top priority. These jobs were most common within finance (60%) and education, health or social care (52%), sectors which could be viewed as having more stringent regulation surrounding data protection.
While hiring people with the right skills is an important step in becoming more secure Lee Meyrick, Director of Information Management at Nuix, believes these individuals also need to have a firm grasp how and where a company’s data resides, a task which might not be as simple as first imagined.
“The first step towards responding efficiently to breaches and closing information security gaps quickly, is understanding where important data is stored. This is easier said than done, as about 80% of organisational data is unstructured, meaning it’s in complex formats – such as emails, databases, photos, and presentations– that are difficult to search and understand.
Security spend – click to enlarge
“The key principle is making sure the only people who can access high-risk data are those who need to for day-to-day work. In order to achieve this, information security, information governance and records management specialists need to become “good shepherds” of their data.
“They should know where all their sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep are healthy. In this way, even if a wolf manages to get into one of the fields, most of the flock will be safe.”
While the survey does demonstrate good intentions from organizations throughout the UK in respect to attitudes towards security, it would appear the practical implications from these intentions have largely remained unfulfilled to date. Large organizations would appear to have a more solid grip on security within their own environments, though this does not seem to extent to their own supply chain where only 13% of UK businesses set minimum cyber security standards for their suppliers.
The report states the attitudes within medium and large organizations towards security is positive, though more could be done to implement data encryption rules, offer staff training and having formal incident management processes. It also states more could be done to raise standards within their own supply chains, which could have a ripple effect on smaller organizations throughout the UK.