The DCMS today announced its 2019 Cyber Breaches Survey. The latest report highlights the threats that UK businesses face from cyber-attacks.
One of the points that the report raises is that more senior managers are being updated on cyber security issues (57% of businesses do so at least once a quarter) than ever before. This is a positive step that indicates cyber security is finally becoming a regular boardroom issue, rather than just something that is discussed during times of crisis.
Piers Wilson, Head of Product Management at Huntsman Security:
“Both board executives and cyber security leaders will welcome the finding that senior management is taking more of an interest in cyber security, with 57 per cent of businesses updating senior management on cyber security issues at least every quarter. However, security teams must ensure that the information they are sharing with senior executives is relevant and business focussed – couched in terms of business risk rather than technical issues. This is vital if it is to be understood in terms of the impacts, recognised in the context of the business, and acted upon decisively.
If the board, and wider senior management, can be given an understanding of their organisation’s cyber security posture, it enables them to make the right choices when it comes to future investment and management of the most crucial issues. Establishing what needs thought and discussion, and what should be handled operationally or automatically.
One way this can be achieved is by making cyber security metrics simple to understand and digest, especially for business audiences that might lack in-depth technical or security knowledge. Low-level technical reports or manually-derived, subjective opinions have much less value than an automated, trustworthy measurement and reporting system that can objectively assign scores to risks and threats as part of a clear status report. The last thing organisations want is for important information on cyber security to be ignored due to its complexity or lack of verification, leading to delays or unwillingness to make decisions or realise the nature of the potential impacts.“
Matthew Aldridge, Senior Solutions Architect at Webroot:
“In the last report, increased ransomware was the top finding for businesses. This year, phishing emails largely outweigh other methods, with 80% of businesses identifying these as the most common attacks. Despite being one of the oldest tactics, phishing attacks are still successful. Bad actors recognise that humans are the weakest asset in the organisation and will exploit any gaps in education to gain access. The financial and reputational losses following a successful breach can be devastating to a business, but we cannot discount the losses in productivity. If nearly one-third of businesses have had to stop work because of an attack, that can significantly impact the bottom line.
Employee vigilance and education are absolutely critical to an effective defence, especially as phishing emails are getting more convincing and difficult to spot. Aside from technology, employee education is where organisations will get the best bang for their buck. It must form a part of the overall cybersecurity strategy, bolstered by the appropriate technology, such as real-time phishing detection, web filtering andemail filtering. Employees need to understand the risks to business, why installing software updates, and clicking links within emails should be done with great care.”
Justin Coker, Vice President EMEA at Skybox Security:
“Although these latest numbers imply that businesses are identifying fewer breaches and attacks, the reasoning behind this drop is extremely nuanced. According to the report, only 33% of businesses have cybersecurity policies in place. This suggests that there might not actually be a reduction in the volume of hacking attacks, rather that more are slipping through the net and unknowingly causing huge damage. In 2018, cryptomining malware became the most popular form of attack – this is malware that often goes undetected for too long, leaving businesses worryingly exposed.
“It is important to point out that 27% of organisations which were victims of a hack reported that too much time and resource was devoted to dealing with the event. This level of firefighting is unwanted and is, frankly, unsustainable. Instead of taking a reactive approach to vulnerability management and always having to play on the back foot, leaders should be establishing more proactive strategies that enable them to see, and understand the context of, every vulnerability within their complex and increasingly fragmented environment. This is the only what that they’ll be able to stay ahead of the curve and make better use of their existing resource – faced with a growing cybersecurity skills crisis, it’s unlikely that many businesses are going to be able to solve their issues simply by hiring more staff.
“There’s also a strong business case here to prioritize the implementation of automated cyber monitoring tools with some processes and technologies. Change management and audits, for example, should be automated. Doing so will help organisations to save on financial and resource outlay when faced with an attack.
“While the report suggests GDPR has been a catalyst for change, the effects don’t seem to be as wide-reaching as might have been hoped. Despite the new regulation, only 16% of companies have formal cybersecurity incident management processes in place. This number is shockingly low. The report also claims that GDPR may have led some firms to narrow their focus too much. While working to avoid personal data breaches is undeniably important, it’s only one aspect of a business’ cybersecurity estate which needs to be protected. If a business is purely concentrated on limiting personal data breaches, it’s entirely possible that they’ll end up dropping the ball elsewhere.
Despite the recorded drop in breaches and attacks, businesses shouldn’t let their guard down. Quite the opposite. Phishing scams and malware attacks remain rife and cybercriminals are continuously evolving their tactics. Business leaders need to have a firm grasp on their risk posture. They need to know where their ingress and egress points are, which vulnerabilities exist in their networks and how to develop rapid, robust and relevant remediation strategies. If they don’t understand the context of their risks, nor whether an exploit in the wild could negatively impact their business, it’s impossible for them to know which tools to employ to make sure they are safeguarded from attack. It’s like standing on the frontline with no plan of defence.”
Ollie Whitehouse, Global Chief Technical Officer at NCC Group:
“It is encouraging that organisations are increasingly rating cyber security as a high priority. That 59% of businesses and 47% of charities have sought external support with cyber security in the last 12 months is particularly welcome, and suggests that more organisations are shaking off the elephant in the boardroom when it comes to cyber.
“However, there is room for improvement, with just over a third of businesses appointing specific responsibility for cyber security to a board member or trustee, and just 16% having formal cyber security incident management processes in place. This has to change in the near future.
“Businesses must allow cyber security knowledge to drip down through their organisations from the top, and make use of initiatives like the government’s 10 Steps to Cyber Security Guidance to bolster their overall cyber resilience.
“The survey also shows that many businesses had changed their cyber policies as a result of GDPR. This is to be welcomed, but it’s important that businesses take a holistic, proactive approach to cyber security, and do not solely hook their strategies on major pieces of regulation. These do not cover every aspect of an organisation’s cyber defences, and do not always stay ahead of the constantly evolving threat landscape.
“Overall, the survey suggests that businesses and government can work more closely to improve cyber security across the board. There are simple steps that businesses can take today, but this must be underpinned by clear access to support and information from the government and public-sector bodies.”