New research released this week by the UK Government provides striking insights into the resilience of UK organizations when it comes to facing down cybersecurity threats. The UK Cyber Security Breaches Survey provides comprehensive insights on how businesses and organizations are responding to this critical challenge, including details on decision making, current threats, responses and the scale and cost of cyber crime.
Recent months have seen breaches and attacks that have impacted major international brands including retailer WH Smith, telecoms provider T-Mobile, and media organization The Guardian. As well as negative headlines, businesses affected by a cyber breach can expect disruption to their day-to-day operations, the destruction of data or even large-scale financial losses. In fact, the latest data gathered in this report indicates that the average cost per business of all cyber crime experienced in the last 12 months sits at approximately GBP £15,300. The risks are real, and the repercussions can last long after the incident is resolved.
The scale of the challenge
Authors of the report estimate that in the last 12 months there were nearly 2.4 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime across all UK businesses.
When it comes to cybersecurity breaches and attacks, the new figures show that 69% of large businesses recall a cybersecurity breach or attack in the last 12 months, indicating that cyber breaches and attacks remain a common threat.
The sectors most at risk, according to the data, are information and communications businesses, and professional, scientific and technical businesses, which are more likely than average to have experienced breaches or attacks.
Worryingly, as businesses are finding, these cyber attacks are unlikely to be ‘one-off’ events. Of those experiencing breaches or attacks in the past 12 months, 40% of businesses told researchers that it happens once a month or more often, and 21% as frequently as at least once a week.
What does a cybersecurity breach look like?
Of course, not all cyber breaches and attacks look alike – and the sheer variety and range of issues that can confront businesses in this area is one of the barriers cited for organizations looking to protect themselves effectively.
The data indicates that larger organizations tend to experience a greater variety of cyber incidents, with the most common being phishing attacks, followed by impersonation, malware and unauthorized access by people within the organization.
How are businesses responding?
Elev8 works with commercial and governmental organizations around the world to help their people develop the skills and knowledge they need to counter these threats, and we know how seriously they take the challenge. The research indicates that cybersecurity is a particular priority for organizations in finance and insurance, professional, scientific and technical sectors and information and communications.
Are businesses missing opportunities to boost cyber resilience?
To us, this report highlights a number of opportunities for organizations looking to increase their ability to withstand cyber attacks.
Training is required across the business. No matter how effective a firewall or antivirus software is, it is an organization’s people who often inadvertently open the door to issues, for example by falling foul of a phishing or whaling approach. The best defense is good training and regular refreshers, both of which form an integral part of creating a digitally literate workforce who are alert to cyber threats, and aware of how to respond. The data presented in this latest report indicates that just 18% of businesses have provided some form of staff training in the last 12 months – though that figure is higher (77%) when broken down for large businesses. The right training, tailored for team members at every level, is a key part of any business’s first line of security.
Lack of specialist skills and knowledge is a barrier for businesses who want to do more. Though the risks that can come to an organization via its suppliers are well known (for example, in allowing third-party access to systems), the research indicates that only just over half (55%) of large businesses are actively reviewing these risks. Moreover, researchers explored the barriers that exist here, finding that businesses cited not knowing what checks to carry out (25%), and lacking the skills to do the required checks (18%). In the same vein, the report indicates that more than 30% of large businesses do not have a formal cybersecurity strategy in place. Qualitative responses indicate that a lack of the in-house expertise required to develop a robust strategy, including an understanding of what to include and how to measure progress, is one of the factors stopping organizations taking positive steps forward in this area. These are spheres where expert support from a specialist can go a long way and make a material difference in a short space of time.
Good communication turbo-charges cybersecurity. We have long advocated for the value of supporting employees to develop ‘power skills’ to boost their impact and productivity. These include communication, empathy and collaboration, and it is interesting to see the report highlight just how important effective communication is between IT teams and the wider business. Authors highlight that effective communication across functions raises the profile of tech professionals, develops closer working relationships, and creates a shared understanding of the importance of cybersecurity – all essential building blocks in creating a cyber resilient culture.
Organizations understand the need for training, but don’t know how to evaluate it. Ensuring that the business derives both value for money and effective outcomes from training is key – and businesses responding to this survey cited not being clear on how to evaluate training as a common issue. Building in evaluation mechanisms is essential and should be an integral part of any program.
Put cybersecurity at board level for maximum impact. The data indicates that only just over half (53%) of large businesses have a board member or trustee who is explicitly responsible for cybersecurity. We would endorse the view expressed by some respondents that making sure this critical issue is visible at board level is vital. More than that – the board member who takes responsibility for this area must have access to the training and knowledge-building they need to be effective. As the survey highlights, with the right skillset, senior level input in this area can help by asking challenging questions and championing buy-in across the business.
Plan and train for success
These survey results underline that for many organizations, fending off cyber threats is an almost constant challenge, and one that can, if not handled well, result in reputational and financial damage.
Fortunately, with the right protections in place the risks can be effectively mitigated and, as the report highlights, the most common cyber threats tend to be unsophisticated. Many of these protections rest on the cyber literacy of the whole workforce, and the ways in which technical skills and knowledge are embedded throughout the organization, creating a culture of cybersecurity awareness. Though many organizations are experiencing skills gaps that can hamper their work in this field, with the support of specialists, like those in the elev8 team, businesses can make sure their existing people are equipped with the tools they need to keep the business safe.