The UK government, in the form of the Department for Digital, Culture, Media and Sport (DCMS), has published its fourth annual breaches survey: the Cyber Security Breaches Survey 2019. It was carried out by Ipsos MORI in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth.
The survey (PDF) queried more than 1,500 businesses, ranging from ‘micro’ to ‘major’, and more than 500 charities. It focuses on awareness and attitudes toward cybersecurity; approaches to cybersecurity; the nature and impact of breaches; and differences by size, sector and geography.
Two results stand out in this survey. In general, the number of breaches is down from 2018; and the majority of firms have indicated GDPR-motivated security improvements.
Thirty-two percent of businesses reported suffering breaches or attacks, compared to 43% in 2018, and 46% in 2017. The number of breaches or attacks experienced by individual companies, however, rose from 2 in 2017 to 6 in 2019. This downward trend in business breaches and attacks mirrors a similar trend among the general public: between September 2017 and September 2018, the number of computer misuse incidents among individuals fell from about 1.5 million to about 1 million.
The report offers two possible explanations for the declining figures. Firstly, businesses might genuinely and generally be becoming more secure. This could be linked to GDPR-related developments. Secondly, the report suggests a change in attacker behavior, “with more attacks being focused on a narrower (though still numerous) range of businesses.” This would explain why fewer businesses are detecting a higher number of breaches or attacks — although it could equally be explained by better security being more able to detect the attacks.
Phishing is the most common form of attack, identified by 80% of businesses. Second at 28% is impersonation, either in email or online. Viruses, spyware and malware (including ransomware) came third at 27%.
Graeme Stewart, regional manager for public sector cybersecurity in the UK and Ireland at Cisco, is concerned that phishing is still so prolific and effective. “While more UK organizations are recognizing cybersecurity as a high priority, many are still falling for some of the oldest tricks in the book. Over 80% of identified breaches in the last year were caused by phishing attacks. As an attack method phishing is as old as the world wide web… used to hoodwink people into giving up data or access to IT systems since the 1980s. That’s thirty years of phishing hurt.” He believes that more effort needs to be put into ensuring staff have the right knowledge and training to prevent phishing successes.
Although the number of breaches is declining, the associated cost continues to rise. The figures quoted within the survey describe costs directly related to the breach, and do not include associated losses such as damage to the brand name and ongoing business costs. These figures consequently might appear to be very low in comparison to the ‘cost of breach’ figures generated elsewhere in the security industry. Nevertheless, since the methodology is consistent across each annual survey, the indication of an increase or decrease in cost is relatively reliable.
The average cost of a business breach in the UK in 2019 is £4,180. This is up from £2,450 in 2017, indicating a rise in the cost of a breach in excess of 41% over the last two years.
The second result of this survey is the extent to which GDPR has affected security postures. Thirty percent of UK businesses have made GDPR-related security changes. Sixty percent of these have created new policies, 15% have increased staff training, 11% have changed their firewall or system configurations, and 6% have created new contingency plans. Thirty-one percent (up from 24% in 2018) have done a cyber risk assessment in the last 12 months.
Combining the declining incidence of security breaches with improving GDPR-related cybersecurity suggests that GDPR has already had a beneficial effect on business security. It is not, however, entirely straightforward. The report notes that GDPR “has led some organizations to frame cyber security largely in terms of avoiding personal data breaches. These organizations were less focused on other kinds of breaches or attacks, and typically had a narrower set of technical controls in place. That is to say, GDPR appears to have had, on balance, a positive impact on cyber security to date, but to make progress beyond this, organizations may need to think more holistically about the issue.”
Joseph Carson, chief security scientist and advisory CISO at Thycotic, sees greater value in relating the GDPR influence to the increasing cost of a breach. “With good news,” he told SecurityWeek, “there also comes bad news, which is that while the number of cyberattacks has declined, the impact of a cyber breach is increasingly devastating with the costs rising further. This means the improvements must continue and good regulations do make organizations move in the right direction; though it must always be a business risk approach, and this appears to be where organizations can make the biggest enhancements.”
The implication, he suggests, is that business still isn’t making sufficient investment in incident response: there are fewer breaches, but their cost is rising. “Good incident response is what can reduce the cost of a cyber breach and this is why organizations must make the urgent improvements on how to continue their business, even when a cyber-attack is ongoing, and how to survive.”
Although this survey is full of facts, figures and details on the UK’s experience of cyber-attacks over the last 12 months, it still needs to be interpreted with care. “Breaches — and their impact — are not categorized,” points out Peter Cohen, global sales director of Countercept by MWR InfoSecurity, “meaning that an email being sent to the wrong person (extremely common) is given the same weighting as a sophisticated organized crime attack (rarer but carrying a much higher financial cost). Firms should understand which scenarios pose a genuine risk to their business and then plan accordingly.”
He is also concerned about the way in which the cost of breaches is calculated. “The financial impacts articulated in the report are self-measured – by which function in the business is unknown,” he told SecurityWeek. “By its own admission it does not include indirect costs (such as loss of productivity), ongoing or longer-term costs (such as the recurring cost of new measures put in place after a breach), or relatively intangible costs (such as reputational damage). Furthermore,” he warns, “the longer-term impact of IP theft, for example, is disregarded given the short (12 month) impact frame.”