The cyber security risk to UK organisations continues to increase in severity and impact, according to an audit firm’s survey. But nearly one in five (17pc) admit they don’t prepare or drill for cyber attacks, and fewer than half (49pc) conduct penetration tests to examine their defences.
According to PwC’s Global State of Information Security Survey 2018, more than a quarter of UK organisations (28pc) don’t know how many cyber attacks they suffered in the past year and a third (33pc) admit to not knowing how the incidents they faced occurred. The annual study is based on interviews with 9,500 senior business and technology executives from 122 countries, including 560 UK respondents spanning large to small businesses and public sector organisations.
Richard Horne, cyber security partner at PwC, said: “Cyber attacks could happen to any organisation at any time, so it’s important that all businesses and public sector organisations are getting the basics right and continually testing their approach to prepare themselves in the right way. In that critical moment when an attack hits, the ability to act quickly and effectively is key to minimising business disruption and reputational harm.”
UK organisations remain more reluctant than their global peers to join forces with others in the fight to reduce cyber risk. Only two in five UK respondents (44pc) formally collaborate with others in their industry to improve security and reduce the potential for future risks, compared with 54pc across Europe and 58pc globally. Even within their own organisation, only just over half of UK respondents (53pc) have a cross-organisational team in place – including leaders from finance, legal, risk, human resources, and IT/security – which meets regularly to coordinate and communicate information security issues.
Richard Horne said: “Cyber security needs to be viewed as a ‘team sport’ rather than just an issue for the IT team. To be most effective, everyone in an organisation should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top. Working with others across the public and private sector is key too. Forging close working collaborations and sharing intelligence is often the best way to tackle the latest threats. New forms of attack require new ways of working to defend our society.”
While only 14pc of UK companies reported facing direct financial losses as a result of security incidents, and the average total financial cost of incidents actually decreased this year to £857,000, the impact of these breaches was felt more widely across both business operations and data:
• UK organisations faced an average of 19 hours down-time due to security incidents;
• 23pc had customer records compromised;
• 20pc had employee records compromised; and
• 21pc reported loss or damage of internal records.
Despite this, fewer UK organisations have a cyber insurance policy in place to cover the various impacts of breaches (UK: 44pc; global: 58pc). Breaching UK organisations by targeting their employees is increasingly the most common cause of incidents, responsible for over a quarter of all attacks (27pc; up from 20pc last year), whereas globally the average attack is most likely to come from a mobile device being breached (29pc).
The average information security budget amongst UK businesses and public sector organisations last year was £3.9m. The majority (64pc) of organisations surveyed have an overall security strategy in place and 53pc agree that spending is based exclusively on risk. However, only 34pc have boards actively participating in the strategy compared to the global average of 44pc.
Andrew Clarke, EMEA Director at One Identity, an IAM (Identity and Access Management) product firm, said: “Historically an organisation’s cyber security strategy was focused on securing the enterprise, but now, having implemented core infrastructure security components such as firewalls, intrusion detection and malware prevention, it is about enabling the business. As businesses focus on the people – or identity – they are thinking more about the controlling mechanisms that provision and de-provision users. They are becoming more pro-active and taking advantage of new security tools. They are gaining pre-emptive actionable insights to reduce risk before bad behaviours impact the business. And with that they are leveraging operational efficiencies to address compliance requirements. They are getting smarter about risk. They are now able to analyse identity data to prioritise decisions, actions, and thoroughly remediate risk. And as a result are spending less in the process – and limiting the financial impacts caused by targeted attacks.”
Pete Banham, Product Manager at Mimecast, said: “Phishing scams top the list yet again but businesses are still not doing enough to protect their employees from these attacks. For many years organisations have underinvested in email security and as a result it’s become the easiest entry point for cybercriminals. All email systems contain valuable and confidential information, meaning that a compromised email server is a business’ worst nightmare.
“A cyber resilience strategy for email must involve strong methods of protection, combined with a reliable archive, a recovery strategy for data and operational systems, and an education programme for employees.”
And Javvad Malik, security advocate at AlienVault, said: “It’s hard to pin down specific reasons as to why cyber security budgets have been cut for many enterprises. It could be that despite years of increased spend, the breaches continue to roll on – forcing companies to rethink their strategy on cyber security. Greater spend doesn’t always equate to better security; rather investing in the right areas is what is needed more often than not. Alternatively, it could be one of the unintended consequences of Brexit; where the falling value of the pound has caused UK businesses to cut spending.”