The UK government’s Department for Digital, Culture, Media and Sport (DCMS) has released its 2022 Cyber Security Breaches Survey. It offers an in-depth analysis of the current cyber threat landscape, including the types of threats that businesses are being exposed to and how resilient they are when it comes to dealing with them. This survey is important because it helps to inform government policy around cybersecurity, but it also offers an extremely valuable barometer for businesses when evaluating their own cybersecurity strategies. Where should their focus be? What are their likely vulnerabilities? How should they direct their cybersecurity budget?
In this blog we’ll offer a brief summary of the key findings from the survey, why they’re important and what they might mean for your organization.
At the peak of the pandemic, a quarter of UK businesses reported experiencing cyberattacks. Any hopes that the uplift in cybercrime was just a temporary fallout from the pandemic, however, have since been dashed. Even as businesses get on with the “new normal”, including some now returning to the office, the risk from cyber threats remains high. As well as the number of attacks increasing, the frequency of attacks has also ramped up, with 31% of commercial businesses and 26% of charity organizations reporting they were attacked at least once per week in the past 12 months.
What this tells us is that businesses cannot afford to let their guard down, particularly if their attack surface has expanded with the addition of remote or hybrid working practices.
Reports of ransomware incidents to the ICO (Information Commissioner’s Office) have doubled since 2020 and continue to rise. Education, finance and insurance are the most impacted sectors. The good news is that businesses now seem to be taking the ransomware threat more seriously, with more than half (56%) of organizations putting official policies in place to not pay extortion demands in the event of a ransomware attack.
However, while this might be good news from a zero-tolerance perspective, businesses should be mindful that such a rigid policy could actually hurt them in the long run, depending on the nature of the attacks they face. For instance, if the cost of paying a ransom is less than the cost of recovering and rebuilding, it becomes a case of cost-benefit analysis vs. ethics. The takeaway is that this policy simply should not be needed if organizations have robust and/or air-gapped backup and recovery systems in place.
Of all the UK businesses that said they’d experienced an attack, more than 8 in 10 (83%) said that phishing was the primary vector. So, even though technology and security continue to improve across the board, humans remain the weak link when it comes to defending against ransomware and other threats. Social engineering tactics like phishing have become increasingly common in recent years, particularly since the beginning of the pandemic and the surge in remote working. They have primarily been used as a way for threat actors to acquire sensitive information such as usernames and passwords.
Using the National Cyber Security Centre’s (NCSC) “10 steps” guide to cybersecurity as a benchmark, the survey found that fewer than a third (29%) of businesses train their staff or undertake mock exercises to test susceptibility to phishing attempts.
The survey revealed that 82% of boards or senior-level managers within UK companies now rate cybersecurity as a “very high” or “fairly high” concern, up from 77% in 2021. This includes businesses, registered charities and educational institutions. However, while it’s good news that cybersecurity is an increasing concern for decision-makers, translating that engagement into demonstrable cyber resilience remains a challenging prospect. More than half (54%) of businesses said they’d taken action to identify cybersecurity risks in the past year, such as real-time network monitoring, but the survey also revealed a “limited board understanding” of cyber risks and an over-reliance on insurance companies to bail them out in the event of a breach.
What’s needed here is better and clearer communication between upper levels of management and those in charge of assessing and monitoring cyber risk. Those in charge of cyber risk should be given a seat at the top table, or at least a clear communication channel to it, to explore how businesses might best guard against the broadening threat landscape.
The survey also looked at third-party risk, something that’s become more important as the risk of software supply chain attacks has increased. Organizations don’t necessarily need to be targeted themselves to become victims of a supply chain attack; quite often they are the collateral damage because they’re using the same tools and services as the actual targets. In response to the survey, a significant number of organizations said they didn’t have the time, budget or expertise to thoroughly assess risks across their supply chain. In fact, only 14% of businesses said they actively do this.
A blend of in-house expertise and outsourced security management is what’s needed to help these organizations get better visibility over their digital footprint and exposure. In fact, getting external, objective support when it comes to assessing risk from a trusted managed service provider is in the NCSC’s top ten cybersecurity steps.