British businesses have a high awareness of cybersecurity risk, but do relatively little about it. This is one of the key findings of a new government-sponsored survey into cyber security and data breaches in the UK.
The Cyber Security Breaches Survey 2016 is an ambitious attempt to provide a statistically accurate view of the state of security in British business. It was commissioned by the Department for Culture, Media and Sport, and conducted by Ipsos Mori and the Institute for Criminal Justice Studies at the University of Portsmouth. To compile the report, 1,008 UK businesses were surveyed via telephone between November 30, 2015 and February 5, 2016.
While 69% of businesses say cyber security is a high priority for senior managers, only 29% have formal written cyber security policies, and a mere 10% have a formal incident management plan. Since current thinking suggests that companies should consider not whether they will be breached, but rather when they will be breached, this lack of an incident response plan demonstrates remarkable complacency.
One weakness of the survey is that it does not define the terms it uses. For example, the foreword by Ed Vaizey MP comments, “We see a steady stream of breaches and attacks…”; but the report nowhere defines what it means by either term. If an ‘attack’ includes a virus or phishing email detected and rejected at the gateway, then anything less than 100% of businesses being attacked would be surprising.
Similarly, ‘breach’ is not defined. If a fairly common virus gets onto the network and is immediately detected, is it still a breach? Or should ‘breach’ be reserved for an attack that actually leads to the loss of data?
Nevertheless, the security industry tends to believe the figures returned by the survey are probably accurate. The survey suggests that 65% of large firms detected a cyber breach or attack in the last year, and 25% of those experience a breach every month. 68% of the breaches were caused by malware, while 32% were caused by ‘impersonation of the organization’ (which presumably includes insider breaches).
These “figures seem reasonable to me,” David Emm, principal security researcher at Kaspersky Lab, told SecurityWeek. “It’s also reflected in the 2015 breaches survey conducted for the government by PwC. It’s worth noting,” he continued, “that not all attacks result from activities of outsiders – some are insider attacks, where the use of malware isn’t necessary. The same is true, for different reasons, of hacks of specific resources (a corporate web site, for example) designed to obtain credentials for use in cyber crimes that don’t further affect the company breached.”
Nevertheless, he remains concerned about the lack of incident response planning. “It would be unwise, in my view, for any organization to assume that perimeter defense alone is sufficient to block attacks. What’s required is a defense-in-depth approach that includes protection at all layers.” This is standard security advice that doesn’t seem to be followed in the UK. “To mitigate the impact of targeted attacks, further measures are required – including specific anti-targeted attack technology, as well as an incident response strategy that allows the company to respond quickly and effectively against any attack.”
David Harley, ESET Senior Research Fellow, also has some concerns. “Assuming that these figures are reasonably representative of UK businesses as a whole, there are certainly indications of areas that could do with serious attention – for example,” he commented, “in the provision of policies covering BYOD, home and mobile devices, user education, formal risk management, and even security enforcement by external suppliers. The survey suggests that these are areas lightly addressed, with companies preferring to rely on technical solutions such as network and desktop security applications and administration. Technological solutions are certainly critical to the defense of an enterprise, but they can’t offer 100% protection or anything like it.”
Whatever way you look at the figures coming out of the Cyber Security Breaches Survey 2016, it would seem that British business has a way to go before it is doing all that is necessary to be and remain secure against cyber crime.