The cybersecurity landscape is continuously evolving. It has led businesses to question how they are protecting themselves and their consumers from data breaches. Since 2014, the Department for Digital, Culture, Media and Sport (DCMS) has commissioned the Cybersecurity Breaches Survey of the UK to understand what protections are in place, and where the UK can improve for future security postures.
The National Cyber Strategy 2022 supports researching cyber resilience amongst UK educational institutions, businesses, and charities to better understand the threats these industries face. By breaking down survey responses, the market research provider, Ipsos UK, looked for the breadth of cybersecurity threats and how organisations are working to protect user and organisational privacy.
The findings of the survey reveal how businesses of various sizes are targeted by cyber-attacks and the extent of the impact to these organisations. Continue reading to learn more about what this survey discovered and the areas to improve on for 2023 and beyond.
Business Profiles by Digital Footprint
As businesses continue to grow by building online platforms, they become more susceptible to cyber-attacks, particularly if they use personal devices or Managed Service Providers (MSPs). Though most, if not all, businesses have some digital exposure, only a minority of organisations (an average of 30%) accept online payments and bookings. There has also been an increase in the use of IoT and smart devices, especially among the largest charities and organisations, which poses an additional risk.
Staying on trend, 40% of businesses use MSPs, with the percentage increasing as businesses become larger. When asked whether cybersecurity was an important factor in their choice of MSP, many organisations chose price over security. This is especially true of businesses with smaller IT budgets. Though some confirmed the MSP's security protocols before signing contracts, the overall finding was that they trusted the provider's security over their own and did not follow up once the contract was signed. This lack of due diligence could be costly in the event of a security incident: a primary tenet of the industry is that an MSP is responsible for security, but the data owner remains accountable when an incident occurs.
Lastly, 45% of businesses and 65% of charities confirmed that their staff regularly bring their own devices. Since organisations have less oversight when employees work from home, the room for error is also higher.
Cybersecurity Awareness
Though the majority of organisations (82%) and charities (72%) agree that cybersecurity is a high priority, there is still room for improvement. The finance and insurance, health and social care, and information and communications sectors take security the most seriously. Priority is increasing, but the breadth of cybersecurity efforts is not growing at the same rate, leaving a gap between intent and action.
Qualitative analysis suggests that roadblocks to cybersecurity budgets are widely attributed to a lack of board-level expertise around what constitutes successful cyber risk management. Given the lack of budget and expertise, building a clear narrative around cybersecurity will help organisations navigate privacy threats in the coming year. Organisations rely heavily on their own IT teams for cybersecurity, and 25% confirmed that they turn to outsourced expertise once security has been breached, reaching out to IT consultants, researching on their own using online databases, or checking in with government sources.
Along those lines, 16% of organisations and 23% of charities never update the senior team or board on cybersecurity threats or attacks. This happens most often in the retail, food and hospitality, utilities/production, and manufacturing industries.
Approach to Cyber Risk Management
Larger businesses and enterprises often have a broader budget for security measures. This is where they use penetration testing and threat intelligence to mitigate security breaches more often than smaller companies do. Similarly, larger organisations are more likely to report cybersecurity risks because they have more stakeholders involved. Even so, as remote work continues, many companies of all sizes have not recovered to pre-pandemic levels of security monitoring. This includes a tendency to perceive suppliers, particularly cloud-based services, as impenetrable rather than as a source of risk.
Less than a quarter of businesses have produced formal cybersecurity strategies. However, 43% of organisations and 27% of charities have invested in cybersecurity insurance. Many have done so for expertise in breach recovery, threat management, and building cybersecurity frameworks. Only 7% have made a claim on their insurance. As with the lack of due diligence, relying on insurance alone as a security strategy is not feasible: many insurers will not underwrite an organisation that lacks reasonable cybersecurity practices, and they will also decline to pay claims where an organisation is deemed negligent.
Even with the efforts made through DCMS, charities are still falling behind on cybersecurity policy and monitoring. This is believed to be due to budgets and personal device usage, even though charities have looked to strengthen their security-related policies. The study suggests that, within the data, charities may be re-evaluating their security improvements because of a lack of resources or other weaknesses in their security posture.
Types of Cyber Attacks
Of those surveyed, 4 in 10 organisations and 3 in 10 charities have reported cybersecurity breaches or attacks. Phishing scams were reported the most, with over half of the organisations reporting these as the only attack type. This was followed by emails that impersonated the organisation (27%) or charity (26%). Surprisingly, and contrary to the impression given by media reports, the survey indicated a decrease in viruses and other types of malware, as well as in ransomware.
Phishing scams are considered the most disruptive, with organisations and charities confirming attacks at least once a month. Despite the disruption, only one in five organisations report a loss of data or money due to attacks. Following the trends of previous reports, non-phishing breaches cost organisations more money: though they occur less frequently, the damage is often more significant. Low budgets within charities, along with a lack of board engagement in larger charities and limited experience in smaller ones, point to a plateau in security resilience. This has ultimately made charities an attractive target for attack.
Impacts and Responses
Two-thirds of businesses and charities have produced a formalised incident response plan, taking action in at least five areas. The threat of ransomware attacks has encouraged just over half of businesses and four in ten charities to build policies defining whether or not they will make ransomware payments. Many believed that ransomware posed a high risk to their business. However, numerous businesses were more concerned about the impact on their reputation when dealing with a ransomware attack or paying a ransom. Ultimately, the survey showed that the risk of reputational damage was often a key reason for organisations not to pay ransoms in order to regain access to their systems.
The percentage of organisations reporting cybersecurity breaches remains low, however. They tend to only report to outsourced cybersecurity providers; otherwise, they’ll usually only report if they’re legally obligated, or their banks are involved. Some businesses see the benefits of reporting breaches to add to threat intelligence feeds to prevent similar future attacks. Among those who have suffered breaches, nearly two-thirds have action plans to prevent future breaches.
Key Findings and Areas of Improvement
Budgets for organisations can create gaps in cybersecurity initiatives. With lower budgets and a lack of expertise, there is room for improvement, as experts predict an ongoing skills gap. Many larger organisations rely heavily on their IT teams or on outsourced IT and cybersecurity providers to keep them informed, but where in-house IT knowledge is lacking, security initiatives stall.
Some data was difficult to confirm because of the use of personal devices in the age of working from home. And as cybersecurity budgets vary widely across organisations, it's important to make full use of the security features already available to keep networks and data secure. A forward-looking approach to cyber risk management, then, means acting proactively before a breach has occurred.
Cyber hygiene has remained consistent over the last few years. However, as new technologies emerge, so do the threats, which highlights the importance of building the narrative around cybersecurity within and across all organisations.
About the Author:
Amanda Scheldt is a freelance technical content writer based in Illinois. She has a Master of Science in Cybersecurity from Webster University. Understanding a lack of emphasis on cybersecurity awareness and education, she blends this with a passion for informative and engaging writing.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.