On 19 April 2017, the Government published its Cyber Security Breaches Survey (see here). This measures how well UK businesses approach cyber-security, and the level, nature, and impact of cyber-attacks on businesses.
According to the survey, nearly half (46%) of British businesses identified at least one cyber-security breach or attack in the past year, a proportion that rose to two-thirds among medium and large companies. The 2016 survey (see here) found that a quarter (24%) of all businesses had detected one or more cyber-security breaches in the preceding 12 months. The two figures are not a strict like-for-like comparison, since the 2017 question counted attacks as well as breaches, but the direction of travel is clear: the cyber-security problem is getting worse. It is noteworthy that, although three in ten (31%) businesses now say that cyber-security is a “very high” priority for senior management, a “sizable proportion” of businesses have still not put basic protections in place or formalised their approach to information security.
The survey, commissioned by the Department for Culture, Media & Sport as part of the Government’s National Cyber Security Programme, found that the most common types of breach or attack involved staff receiving fraudulent emails (72% of those who identified a breach or attack), followed by viruses and malware (33%), people impersonating the organisation online (27%) and ransomware (17%).
As we have discussed previously (see for example here), cyber-security breaches are often linked to human factors. However, relatively few organisations currently provide staff with cyber-security training (20%) or have formal policies in this area (33%).
The Government’s survey finds that breaches frequently result in a financial cost to the business. Among the 46% of businesses that detected breaches in the last 12 months, the average cost of all breaches over the year was £1,570 per business. The figure is much higher for the average large firm, at £19,600. Cyber-security breaches can also have regulatory consequences for organisations, particularly for those that handle personal data within the meaning of the Data Protection Act 1998. According to the survey, 61% of firms now hold personal data on their customers electronically.
At present, external reporting of breaches remains rare. Only a quarter (26%) of businesses reported their most disruptive breach externally to anyone other than a cyber-security provider. There is currently no general requirement to report security breaches to the Information Commissioner’s Office. This will change when the General Data Protection Regulation applies from 25 May 2018: personal-data breaches will have to be notified to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals. In the event of a breach, organisations will also need to be able to demonstrate that they have robust technical and organisational measures in place to manage and store personal data.
For large and small businesses alike, this latest survey shows that cyber-security breaches are becoming a near certainty. Organisations need to take this threat seriously.