As a nation, are we cyber security aware?

In the following blog post, we are going to shine a spotlight on the general cyber threat landscape in the UK, examine the most prevalent forms of attack and look at the detrimental implications these attacks have on organisations.

After reading this post, we hope you’ll be able to see where your company figures in this overall picture and that you’ll come away with a clearer idea of how to best mitigate against attacks to your company’s information & cyber assets.

How is the UK cyber threat landscape looking?

It’s a mixed picture. On the plus side, year on year, fewer companies are identifying breaches or attacks. Yet the companies that do identify cyber attacks report experiencing more of them than ever before. It is plausible that one of the core reasons fewer companies are identifying successful cyber attacks is that government and organisations themselves are doing a better job of spreading the message that organisations and individuals need to be cyber security aware. Having said that, we are also seeing the cost of a cyber breach rising steadily year on year.

The DCMS Cyber Security Breaches Survey 2019 found that the average annual cost of a cyber breach to organisations in the following sectors was:

  • Small to medium-sized businesses: £4,180
  • Charities / Not for Profits: £9,470
  • Larger companies: £22,000

However, this is by no means the full picture, and companies should not be lured into a false sense of security by these comparatively low annual figures. When you look at the cumulative, total cost of a breach over several years, taking into consideration long-term costs and intangibles such as loss of productivity, reputational damage and potential future punitive levies, the figures can be much, much higher.

The IBM 2019 security study puts the total average cost of a breach to UK organisations at £2.99 million!

What is the nature of the most common cyber-attacks?

Over the last few years we have seen phishing attacks (see our blog post “Why you should deploy Simulated Social Engineering Testing against your workforce” for more information on phishing attacks) rise exponentially and become more targeted and sophisticated. Around 80% of all the organisations surveyed cited a phishing attack as the source of their breach.
The remainder was made up of viruses, spyware or malware, including ransomware attacks. Ransomware attacks have historically been responsible for the largest individual costs to companies, but they have recently been overtaken by targeted phishing attacks.

Actions that organisations are taking to mitigate or respond to these attacks:

  • 57% update senior management on their cyber security undertakings at least once a quarter
  • 33% of businesses have written security policies
  • 27% have undertaken some form of cyber security training in the last 12 months
  • 56% of businesses have implemented prescribed security controls
  • Around 30% of companies have taken out cyber security insurance

How to mitigate against cyber attacks

Let’s have a look at some of the statistics mentioned above and consider what they mean in practice:

If you’re going to update the board on your security activity, there is little point unless part of that update demonstrates the importance and potential cost savings of undertaking annual penetration testing (see our blog post “The business case for penetration testing – preaching to the unconverted”).

Writing security policies is a good start, but these policies need to be engaging and to the point. If they’re not, employees are not going to read them, or, if they do read them, they won’t retain the information contained within.

Pushing dull, uninspiring eLearning on your workforce and expecting them to complete it in their own time won’t make them cyber security aware; it’s a tick box exercise that will achieve nothing more than putting a tick in a box. The way to truly get the information into their heads, and keep it there, is to implement a 3-year programme of Information Security Awareness: eRiskology™.

If you’re a small to medium-sized company, the NCSC have developed a certification that covers 5 controls: Cyber Essentials. Alternatively, you can go for Cyber Essentials Plus, which adds on-site and remote verification. Cyber Essentials is a good starting place, but if you truly want to demonstrate your commitment to Information Security you should consider going for UKAS-accredited ISO 27001 Certification.

As a nation, we shape up quite well compared to some others across the globe, but this isn’t going to stop your company suffering a cyber attack. We recommend that you digest the points we have made in this blog. You need a robust and comprehensive Information & Cyber Security Risk Management programme in place.

Having the latest cyber intrusion detection software on its own won’t do the job, and neither will relying on your workforce to “do the right thing”.

Whatever your current information risk management posture, Risk Crew can help.

security starts with people

Risk Crew