Government is urging UK organisations to defend against cyber crime, as newly released figures show that large numbers of businesses and charities suffered at least one cyber attack in the past year.
More than four in 10 UK businesses suffered a data breach or cyber attack in the past 12 months, according to the government’s latest Cyber security breaches survey report.
With just one month to go until new data protection laws come into force, UK businesses are being urged to protect themselves, with statistics showing that more than four in 10 businesses (43%) and nearly two in 10 charities (19%) suffered a cyber breach or attack in the past year.
This figure rises to more than two-thirds for large businesses, 72% of which identified a breach or attack in the past year. For the average large business, the financial cost of all attacks over the past 12 months was £9,260, with some attacks costing significantly more, according to the report based on a survey of more than 1,500 UK businesses and 569 UK registered charities.
The most common breaches or attacks were via fraudulent emails, often attempting to trick staff into revealing passwords or financial information, or opening dangerous attachments. These were followed by instances of cyber criminals impersonating the organisation online, then malware and viruses.
Minister for digital and the creative industries Margot James said: “We are strengthening the UK’s data protection laws to make them fit for the digital age, but these new figures show many organisations need to act now to make sure the personal data they hold is safe and secure.
“We are investing £1.9bn to protect the nation from cyber threats and I would urge organisations to make the most of the free help and guidance available for organisations from the Information Commissioner’s Office [ICO] and the National Cyber Security Centre [NCSC].”
As part of the government’s Data Protection Bill, James said the ICO would be given more power to defend consumer interests and issue higher fines to organisations, of up to £17m or 4% of global turnover for the most serious data breaches. The bill requires organisations to have appropriate cyber security measures in place to protect personal data.
“The government is also introducing regulations to improve cyber security among the UK’s critical service providers in sectors such as health, energy and transport, and we have established the world-leading National Cyber Security Centre as part of plans to make the UK one of the safest places in the world to live and do business online,” she said.
Ciaran Martin, CEO of the NCSC, said: “Cyber attacks can inflict serious commercial damage and reputational harm, but most campaigns are not highly sophisticated.
“Companies can significantly reduce their chances of falling victim by following simple cyber security steps to remove basic weaknesses. Our advice has been set out in an easy-to-understand manner in the NCSC’s small charities and business guides.”
Raft of cyber security advice freely available
However, the survey shows more businesses are now using the government-backed, industry-supported Cyber Essentials scheme, which the government describes as a “source of expert guidance” showing how to protect against cyber threats.
The survey reveals that nearly three-quarters of businesses (74%) and more than half of all charities (53%) rank cyber security as a high priority for their organisation’s senior management.
Organisations have an important role to play to protect customer data, the government said. Small businesses and charities are urged to take up tailored advice from the National Cyber Security Centre. Larger businesses and organisations can follow the 10 steps to cyber security for a comprehensive approach to managing cyber risks and preventing attacks and data breaches.
Organisations can also raise their basic defences and significantly reduce the return on investment for attackers by enrolling on the Cyber Essentials initiative and following the regularly updated technical guidance on the Cyber Security Information Sharing Partnership and the NCSC website.
Information commissioner Elizabeth Denham said: “Data protection and cyber security go hand in hand: privacy depends on security.
“With the new data protection law, the General Data Protection Regulation (GDPR), taking effect in just a few weeks, it’s more important than ever that organisations focus on cyber security. That’s why we’ve been working with the Department for Culture, Media and Sport (DCMS) and the NCSC to offer practical security steps that organisations can consider to keep data safe,” she said.
Organisations which hold and process personal data are urged to prepare and follow the guidance and sector FAQs freely available from the ICO. Its dedicated advice line for small organisations has received more than 8,000 calls since it opened in November 2017, and the Guide to the GDPR has had over one million views. The ICO also has a GDPR checklist, and 12 steps to take now to prepare for GDPR.
Organisations still neglecting basic security
Unsurprisingly, the survey data shows that a huge proportion of all organisations are still failing to get the basics right. A quarter of charities are not updating software or malware protection, a third of businesses do not provide staff with guidance on passwords, and more than one in 10 (11%) of large firms are still not taking any action to identify cyber risks, such as health checks, risk assessments, audits or investing in threat intelligence.
On the topic of security controls, James Romer, chief security architect for Europe at SecureAuth + Core Security, said many of the threats organisations were facing could be addressed through complete identity management platforms, combining identity access controls alongside user awareness programmes.
“It appears from the report that businesses and charities have not correctly identified the importance of implementing strategic identity solutions as a priority to improve their cyber defences. It’s clear that with identity and credentials accounting for the majority of data breaches, more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations’ defences and prevent cyber attacks in the future,” he said.
Organisations need to go further than just two-factor authentication, said Romer, using identity platforms that join silos of data together to create comprehensive identity controls. “Part of those controls should be to implement adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP reputation-based threat services, and phone fraud prevention to address the threats at the identity level efficiently,” he said.
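The adaptive authentication Romer describes is, in practice, a risk engine: each signal (location, device, IP reputation, phone-fraud indicators) contributes to a score, and the score decides whether a login is allowed, challenged with a stronger factor, or refused. The following is an added illustration written for this article, not code from the article, SecureAuth or any product; the weights, thresholds, the user's known devices, the IP reputation feed and the login attempts are all constructed assumptions.

```python
"""
Toy adaptive (risk-based) authentication decision engine.

Added example, not code from the article or from any vendor. It scores a
login attempt on the signals named in the text (geographic location,
device recognition, IP reputation, phone-fraud flag) and maps the total to
allow / step-up / deny. All weights, thresholds and sample data below are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed sample state: devices already enrolled per user, and the last
# trusted login (London, at epoch second 0).
KNOWN_DEVICES = {"alice": {"dev-laptop-01", "dev-phone-02"}}
LAST_LOGIN = {"alice": {"lat": 51.5074, "lon": -0.1278, "ts": 0}}

# Constructed IP reputation feed (TEST-NET addresses): 0.0 clean .. 1.0 known bad.
IP_REPUTATION = {"203.0.113.5": 0.0, "198.51.100.77": 0.9}

# Decision thresholds (assumed): below STEP_UP allow, below DENY challenge.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    ts: int                        # epoch seconds of the attempt
    phone_fraud_flag: bool = False  # e.g. SIM-swap / call-forwarding indicator


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def score_attempt(attempt):
    """Return (score, reasons): each risk signal adds a weighted contribution."""
    score, reasons = 0, []

    # 1. Device recognition: a device not enrolled for this user is a moderate signal.
    if attempt.device_id not in KNOWN_DEVICES.get(attempt.user, set()):
        score += 30
        reasons.append("unknown device")

    # 2. Geographic location analysis: "impossible travel" since the last login.
    prev = LAST_LOGIN.get(attempt.user)
    if prev:
        km = haversine_km(prev["lat"], prev["lon"], attempt.lat, attempt.lon)
        hours = max((attempt.ts - prev["ts"]) / 3600, 1 / 3600)  # at least one second
        speed = km / hours
        if speed > 900:  # faster than a commercial flight
            score += 40
            reasons.append(f"impossible travel ({km:.0f} km in {hours:.1f} h)")
        elif km > 500:
            score += 15
            reasons.append(f"new region ({km:.0f} km from last login)")

    # 3. IP reputation: scale the feed's risk; an unseen IP is treated as mildly risky.
    rep = IP_REPUTATION.get(attempt.ip, 0.3)
    score += round(40 * rep)
    if rep >= 0.5:
        reasons.append(f"bad IP reputation ({attempt.ip})")

    # 4. Phone fraud prevention: a flagged phone channel weakens SMS/voice factors.
    if attempt.phone_fraud_flag:
        score += 50
        reasons.append("phone fraud indicator")

    return score, reasons


def decide(attempt):
    """Map the risk score to an authentication decision."""
    score, reasons = score_attempt(attempt)
    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step-up"   # require an additional, phishing-resistant factor
    else:
        decision = "allow"
    return decision, score, reasons


if __name__ == "__main__":
    # Constructed attempts: routine login, new device, and a hostile-looking one.
    for a in (
        LoginAttempt("alice", "dev-laptop-01", "203.0.113.5", 51.5074, -0.1278, 3600),
        LoginAttempt("alice", "dev-tablet-99", "203.0.113.5", 51.5074, -0.1278, 3600),
        LoginAttempt("alice", "dev-laptop-01", "198.51.100.77", 40.7128, -74.0060, 3600),
    ):
        print(a.device_id, a.ip, "->", decide(a))
```

The point of the example is the combination: a single unknown device only triggers a step-up, while an unknown network with a bad reputation plus an impossible-travel distance crosses the deny threshold. A real deployment would tune the weights from its own login telemetry and log the `reasons` list for the security operations team to review.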
This article originally appeared in ComputerWeekly.com on April 25, 2018