There’s been a flurry of new research published recently regarding the state of cyberattacks in the UK.
The Department for Digital, Culture, Media and Sport (DCMS) published its latest Cyber Security Breaches Survey at the end of March. Overall, the results don’t differ significantly from the 2021 report. The proportion of UK businesses identifying cyberattacks remained at 39%. That’s flat compared to 2021, and down from 46% in 2020.
I’m sure the DCMS methodology is sound, but those numbers seem low to me. Other reports show increasing numbers of attacks. For example, just the day before the DCMS report was published, the Financial Conduct Authority (FCA) revealed a 52% increase in cybersecurity attacks – 116 incidents in 2021 compared to 76 in 2020.
Also, just days before the DCMS report launched, research based on data from the Information Commissioner’s Office (ICO) showed that the number of ransomware attacks in the UK doubled in 2021 from 326 to 654.
And the Osirium Ransomware Index research published in late 2021 found that 68% of businesses had suffered a ransomware attack in the previous year.
I suspect that many attacks are not being reported, which may explain the lower number in the DCMS report. The DCMS report itself concedes potential under-reporting when estimating the cost of an attack, which it puts at an average of £4,200 (£19,400 for medium to large enterprises), noting “a lack of a framework for financial impacts of cyber-attacks”. Those estimated costs are far lower than the widely respected Ponemon “Cost of a Data Breach” report, which estimates the average cost of a breach in the UK to be $4.67m. It’s a huge difference, but that lack of a formal framework means the two figures are not directly comparable. For example, Ponemon tries to put a value on many costs the survey does not, such as reputational damage, lost business and remediation effort.
There is a lot of confusion about what needs to be reported, by whom and when.
Interestingly, the US has recently introduced legal requirements for businesses to formally report attacks and ransomware payments, although, so far, those requirements only apply to critical infrastructure.
Perhaps there is a trend towards forcing organisations to be more open about attacks.
The DCMS report found that the perceived importance of cyber-security is growing (82% compared to 77% in 2021). However, visibility at the highest management levels is still worryingly low. Only 50% of businesses update senior management on cyber security at least quarterly, and 23% of charities don’t update their leadership at all.
Only around a third (34%) of businesses have a board member with cyber security as an explicit part of their role. Most of those (62%) are in larger enterprises, which may not be a surprise.
An implication of this lack of visibility and accountability at senior levels, according to the DCMS report, is that funding for cybersecurity is harder to secure.
The DCMS report highlights many actions businesses are taking to improve security. Two are worth taking a closer look at.
As admin accounts are so powerful, protecting them is a critical part of a cybersecurity strategy (after all, if you can’t protect admin access to the cyber security tools themselves, those tools lose their value). The report claims 72% of businesses have policies to restrict admin rights.
That number is surprisingly (and worryingly) small.
I suspect that figure is somewhat skewed because, in a small business, the few people who work there may have access to every application and system. That isn’t clear from the published data. My view is that a higher number of businesses would say they have policies to restrict admin access, but only a minority do anything to enforce controls over those powerful admin credentials. That’s certainly our experience when organisations come to Osirium to discuss how privileged access management (PAM) can be used to implement that control.
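The gap between having a policy and enforcing it is easy to measure on a single host. As an added illustration (this is not Osirium’s code and is not drawn from the DCMS report), the following Python script lists which accounts can actually run any command as root, by combining /etc/group membership with the grants in /etc/sudoers, and compares the result with an approved list. The file contents, account names and approved list are constructed sample input; on a real host you would read the live files instead.

```python
"""Audit which accounts actually hold full admin rights on a Linux host.

Added example: compares accounts that can obtain root (via sudo/wheel group
membership or an unrestricted sudoers grant) against an approved list, so a
"restrict admin rights" policy can be checked rather than assumed.
"""
import re

# Constructed sample input; not taken from any real host.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:
docker:x:999:carol
"""

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
dave    ALL=(ALL) NOPASSWD: ALL
carol   ALL=(ALL) /usr/bin/systemctl restart nginx
"""

# Groups whose members are conventionally granted full sudo (assumption for this example).
ADMIN_GROUPS = ("sudo", "wheel")


def parse_group(text):
    """Return {group_name: set(members)} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return [(principal, is_group, nopasswd, command_spec)] from sudoers content.

    Handles the common 'user HOST=(RUNAS) [NOPASSWD:] CMDS' form only; user
    aliases and comma-separated user lists are not expanded.
    """
    rule = re.compile(r"^(%?\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
    grants = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = rule.match(line)
        if not m:
            continue
        principal, cmds = m.group(1), m.group(2)
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").strip()
        grants.append((principal.lstrip("%"), principal.startswith("%"), nopasswd, cmds))
    return grants


def admin_accounts(group_text, sudoers_text):
    """Map each account that can run ALL commands as root to how it got that right."""
    groups = parse_group(group_text)
    rights = {}
    for g in ADMIN_GROUPS:
        for user in sorted(groups.get(g, ())):
            rights.setdefault(user, []).append(f"member of {g}")
    for principal, is_group, nopasswd, cmds in parse_sudoers(sudoers_text):
        if cmds != "ALL":
            continue  # a grant scoped to one command is not full admin
        how = "sudoers" + (" NOPASSWD" if nopasswd else "")
        users = groups.get(principal, set()) if is_group else {principal}
        for user in sorted(users):
            rights.setdefault(user, []).append(how)
    return rights


def audit(group_text, sudoers_text, approved):
    """Return (accounts with admin rights not on the approved list,
    accounts that can become root without a password)."""
    rights = admin_accounts(group_text, sudoers_text)
    unapproved = sorted(u for u in rights if u not in approved)
    nopasswd = sorted(u for u, hows in rights.items() if any("NOPASSWD" in h for h in hows))
    return unapproved, nopasswd


if __name__ == "__main__":
    # The "policy" says only root and alice should be admins.
    unapproved, nopasswd = audit(SAMPLE_GROUP, SAMPLE_SUDOERS, {"root", "alice"})
    for user, hows in admin_accounts(SAMPLE_GROUP, SAMPLE_SUDOERS).items():
        print(f"{user}: {', '.join(hows)}")
    print("not approved:", unapproved)
    print("passwordless root:", nopasswd)
```

Run against the sample input, the script reports bob (sudo group member) and dave (direct NOPASSWD grant) as admins the policy does not cover, and carol’s single-command grant is correctly left out. The same check, run on a schedule across an estate and fed into a PAM or SIEM workflow, is what turns a written policy into an enforced one.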
The best insurance policy is to take as many steps as possible to prevent an attack in the first place, but it’s pragmatic to assume that, at some point, a breach will occur, and insurance could be a vital part of a recovery plan.
Cyber insurance is a relatively new option, and another area where there’s little in the way of formal frameworks to define the cover a business can expect. According to the DCMS report, 43% of businesses have some kind of cyber insurance. Surprisingly, only 6% have Cyber Essentials certification and 1% Cyber Essentials Plus, both of which include some level of insurance in most cases.
The NCSC has published very useful advice on selecting cyber insurance and makes clear that businesses need to understand exactly what a policy covers and what the insurer requires of them to remain covered. Many policies, for example, expect regular reporting to show that security controls are in place and being used. PAM is a common requirement, as evidence that those powerful admin accounts are being protected.
It’s clear that there is some confusion about the statistics being reported on cyber security. Some look very low in terms of incident counts and costs, while others look very high. With no formal definitions and little requirement for publication of data by businesses, the numbers may not become any simpler to understand soon.
Some general trends seem to be supported by the data though: