A government survey of British businesses has praised those who read El Reg to keep up to date with security news – while claiming to have revealed that fewer firms have spotted cyber attacks against them over the past 12 months, when compared to last year.
The government, which used data drawn from surveys to make its conclusions, would have us believe that 32 per cent of British companies and charities spotted a cyber attack in the last 12 months, down from 43 per cent in 2017/18.
The report partly put this down to the EU GDPR law introduced in May last year, arguing that some of its survey respondents “made changes to their cyber security policies or processes”.
In fairness, UK.gov also admitted that GDPR had, for some organisations, reduced security discussions to the level of “avoiding personal data breaches” instead of actual security, a negative side-effect of a well-intentioned law. The authors of the survey doc (PDF, 66 pages) said: “These organisations were less focused on other kinds of breaches or attacks, and typically had a narrower set of technical controls in place.”
An anonymously quoted large business (surprise!) agreed with UK.gov, saying: “Cyber security is one in a long list of costs of doing business, so no one’s going to get excited about it unless you have regulatory focus.”
Our wise overlords also praised those with the good eyesight, insight and foresight to read The Register and keep themselves up to date with all the important snippets coming out of the IT security industry:
Not everyone who read the survey was impressed by its methodology or conclusions. Justin Coker, veep of Skybox Security, opined: “Although these latest numbers imply that businesses are identifying fewer breaches and attacks, the reasoning behind this drop is extremely nuanced. According to the report, only 33 per cent of businesses have cybersecurity policies in place. This suggests that there might not actually be a reduction in the volume of hacking attacks, rather that more are slipping through the net and unknowingly causing huge damage.”
Mark Nicholls of threat detection biz Redscan chipped in to say: “Interpreting the results is also clouded by the fact that half of organisations surveyed were micro businesses with fewer than 9 employees.” He added: “As to the statistic that two-thirds of businesses can identify a breach instantly, this is patently false. Real-world data from the ICO suggests it takes closer to 60 days on average.”
The clunking fist of British bureaucracy clearly needs to learn to tickle those it hopes to serve, even as it praises their reading habits. ®