The UK’s Department for Digital, Culture, Media and Sport (DCMS) has released its latest Cyber Security Breaches Survey.
The annual survey takes a pulse check of UK businesses, charities and educational institutions to gain a better understanding of the threats they face and what they are doing to secure their organisations.
The Covid-19 pandemic has presented an unprecedented challenge for organisations across the UK over the last 12 months, prompting a huge shift in ways of working, which has built up compliance debt and made it harder for organisations to protect themselves against security threats.
Survey results this year confirm that cyber security breaches remain a serious threat to businesses across all sectors, with their frequency undiminished. Phishing (83% for businesses and 79% for charities) and impersonation attacks (27% for businesses and 23% for charities) remain the most common threat vectors.
The business threat landscape
While stats revealed that fewer businesses identified an attack or breach in 2021 (39%) than in 2020 (46%), qualitative analysis shows that the level of risk has potentially increased as a result of the Covid-19 pandemic, and that organisations are finding it harder to prevent and mitigate threats.
Adding to this, the report details how only 35% of businesses have deployed cyber security monitoring tools in the last year compared to 40% to year before, and only 32% are undertaking any form of user monitoring. According to further qualitative analysis, this monitoring has become more difficult as it’s harder for organisations to know if employees are following official processes and policies.
This ties in with NCC Group’s own research, which revealed that effective security monitoring with a remote workforce is a real challenge for businesses. The survey also highlights the increasing importance of situational awareness, where threat information is shared between government and private sector organisations, as well as within and across industry sectors, to create a full picture of threats and risks and what measures can be implemented to mitigate these.
Charities remain a target
Breaches suffered by charities remained the same throughout the last year, with 26% of UK charities reporting attacks. High-income charities remained a target for adversaries, with 51% reporting a cyber breach or attack.
The demand for security education and support in the charity sector is something NCC Group has seen first-hand through our partnership with the UK’s Small Charities Coalition (SCC). Over the last 12 months, over 40 individuals from 36 charities have benefitted from training workshops, helping to build the resilience of the charities’ 12,500 employees, trustees, volunteers, beneficiaries and service users.
Security remains a priority for boards
Despite the unprecedented challenges presented by the Covid-19 pandemic, awareness of security remains a priority across management boards. Organisations highlighted ambitions and improvements they will make, including the roll out of multi-factor authentication and tweaking policies and processes to cover Software as a Service (SaaS).
However, there’s a clear case for cyber security truly to be seen as a business enabler and become ever more embedded as a core part of business risk management. This is demonstrated by qualitative findings which showcase the need for cyber security priorities to become aligned with business strategies.
Commenting on the results of the survey, Ollie Whitehouse global CTO at NCC Group, said: “It comes as no surprise that cyber breaches remain a serious risk across all organisations in the UK, and that phishing and impersonation attacks have been the most common method of attack. Threat actors have taken advantage of the shift to remote working, playing on human factors through very personalised phishing and impersonation attempts that make it very difficult for people to tell them apart from genuine communications.
“It’s interesting to see that organisations have reported less severe impacts of breaches, which may show how good cyber hygiene, such as backups, can mitigate the impact of a ransomware attack and similarly the migration to cloud services. We know first-hand that IT leaders still struggle to quantify the benefits of cyber security spending to their boards and improved resilience and impact minimisation is one way to quantify that.
“These results highlight that there is still room for improvement, particularly when it comes to business governance through audits and the mitigation of supplier risk. To do this, businesses need to understand the threat and risk landscape through evidence-based insights, which can then guide on where to prioritise investment and actions.
“Overall, the survey underlines the criticality of having the right resilience measures in place when the human line of defence is breached. To combat this, it’s important that the government and the cyber security industry continue to educate organisations about the risks and how they can mitigate risks – particularly for charities, who remain a clear target for adversaries. At NCC Group, we are working closely with the charity sector in the UK through our partnership with the Small Charities Coalition (SCC), and will remain committed to supporting this sector in shoring up its defences.”