The Department for Digital, Culture, Media and Sport (DCMS) published its Cyber Security Breaches Survey 2019 last week which brings together quantitative and qualitative data drawn from an extensive telephone survey and 52 in-depth interviews. The survey shows the continued upward trajectory of cybersecurity as both a risk and near-universal concern for organisations. Indeed, both businesses and charities see cybersecurity as a markedly higher priority than in previous years.
32% of businesses and 22% of charities report having cybersecurity breaches or attacks in the last 12 months. As in previous years, this is much higher specifically among medium-sized businesses (60%), large businesses (61%) and high-income charities (52%). The most common types are phishing attacks (identified by 80% of these businesses and 81% of these charities); others impersonating an organisation in emails or online (28% of these businesses and 20% of these charities); and viruses, spyware or malware, including ransomware attacks (27% of these businesses and 18% of these charities).
For businesses, the proportion identifying breaches or attacks (32%) is lower than in 2018 (when it was 43%) and 2017 (46%). At the same time, among the 32% of businesses that did identify any breaches or attacks, the typical (median) number they recall facing has gone up, from 2 attacks in 2017 to 6 in 2019.
It is not clear whether this trend for fewer businesses identifying breaches is driven by them generally becoming more cyber secure, a change in attacker behaviour (with more attacks being focused on a narrower range of businesses) or an overall heightened awareness of the potential implications of cyber breaches (and therefore reluctance to discuss them) following the introduction of the General Data Protection Regulation (GDPR) in May 2018. It is probably a combination of these factors.
GDPR as a positive force
The GDPR has certainly focused minds. The report identifies the GDPR as a key driver for the recent acceleration in the trend toward greater prioritisation for cybersecurity across organisations. Undoubtedly, the GDPR has compelled many organisations to tackle this issue with a much greater degree of seriousness – indeed the drop-off in the number of businesses, especially micro businesses and charities, experiencing breaches or attacks since 2018 may be partly explained by this cross-industry raising of the bar.
Also key has been a greater understanding among organisations of the complexity of the challenge cyber attacks present, requiring a response considerably beyond simple common sense. For those organisations that have experienced cyber attacks first hand, the disruption caused and the impact on the bottom line have been more substantial than ever, which has led to a redoubling of efforts.
The survey also reveals a sharp rise in organisations introducing new policies, technical controls and staff training. Although still only taken up by a minority of organisations, cyber insurance has become a mainstream product particularly for medium and large businesses as they calculate that their own control mechanisms can only go so far.
Despite these promising signs, there are crucial areas for future focus for organisations as they build their cyber resilience. The majority of organisations (of all sizes) don't yet have written cyber security policies or a formal cyber incident management process, and do not undertake staff cyber security training. Having senior staff with a specific responsibility for cyber security as part of their job role also remains less likely than not.
There are some perhaps unsurprising sectoral trends, with non-data-heavy industries such as catering and construction lagging behind. However, it's worth noting the huge disruption and potential liabilities players in such sectors could face if, for instance, their increasingly autonomous machines were hacked. An urgent game of catch-up is needed, assuming technological developments continue on their current course.
GDPR: the risk of fatigue
The survey also highlights the dangers for organisations of GDPR fatigue turning many off anything to do with data governance. Many staff may have been left with the impression that 2018 was the year of the GDPR (and that it can effectively be put back in a box and forgotten about). After all, 2019 is the year of Brexit. The fact that cyber security is about much more than data protection is, of course, also lost to some extent in the 2018 noise.
Organisations need to guard against this confusion-led complacency and consider cyber security more holistically including the potentially much wider impacts such as those on business continuity, on reputation and on client-supplier relationships.
Board-level engagement and the skills gap
Some undoubted progress has been made in board-level engagement, but room for improvement is substantial. Board members were updated much more frequently about cybersecurity in 2019 than in the previous years of the survey, and more boards now have members with a cybersecurity brief. This is the case, however, for only a minority, except in large organisations, where 41% still do not have an accountable board member.
More worryingly, the survey appears to pick up signs of an unacknowledged skills gap within many organisations in relation to cyber security. Relatively few organisations (27% of businesses and 29% of charities) have sent staff on cyber-specific training, yet far higher proportions claim they have no skills needs.
Looking beyond the organisation
While there are some positive signs of organisations taking a more enlightened approach to third-party risks in relation to cyber risk, the majority do not systematically consider their supply chain. This feels like a gap that needs to be closed quickly. Relatively few, for instance, demand minimum cyber security standards from suppliers. Interviews suggest that suppliers are often overlooked as a potential source of cyber risk. Many expressed the view that more guidance or checklists would help with this.
Overall awareness of the Government's official guidance on cyber security, in particular its Cyber Aware campaign, has not increased in the past year, which is a key concern. The survey could therefore provide the launch pad for a more assertive programme to educate organisations by both DCMS and the National Cyber Security Centre (NCSC).
For further guidance on cybersecurity generally, see Practical Law’s Cybersecurity toolkit.