One size does not fit all - current cyber security practice as revealed by the DCMS Breaches Survey

Like a good wine the annual Cyber Security Breaches Survey improves every year. It has evolved from a simple survey of the cost of breaches to a statistically sound snapshot of the evolving threats to businesses, charities and educational institutions and how they are responding. The sample sizes and structures are now sufficient to show some of the differences in policies and priorities by size and sector.

Those differences help explain the problems faced by those who try to provide generic guidance or one-size-fits-all solutions for an “average” organisation. The result fits no-one. They need interpretation before most of the target audiences appreciate its relevance to them. The annex covering educational institutions is also worth reading to see the scale and nature of attacks they face, including from students whose talents need to be harnessed before they go to the dark side. While only 39% of businesses (and 36% of primary schools) have noticed attacks or breaches, 58% of secondary schools and 75% of FE colleges have seen attacks. The number of universities in the survey is too small to be statically significant but almost all (26 out of 28) have been attacked. The nature of the attacks and the response are similar to those against business if one regards primary schools as small businesses, secondary schools as medium-sized businesses and FE colleges as large. The main difference is that they are more likely than businesses to follow government guidance.

A key finding from the main survey was that the NCSC guidance is often not perceived as relevant by many businesses until put into a context they recognise.  Hence the importance of helping the new Police Cyber Resilience Centres to “industrialise” (their term not mine) the NCSC messages for SMEs in, for example, the food and hospitality sector, as they re-open for online bookings after the lockdown. Those messages also need to be linked to the provision of affordable support to implement the necessary action plans. This is one of the drivers of the increased uptake of cyber insurance.

The summary/review below is structured as:

  1. Headlines, including what changed and what did not
  2. Profiles, Priorities and Digital Footprints
  3. Awareness, Attitudes, and Drivers of Change
  4. Policies and Actions
  5. Incidence and impact of breaches or attacks
  6. Response
  7. Conclusion (Mine not the Report) Cybersecurity professionals need to try harder to see the world through their employers’ eyes.

 1. Headlines, including what changed and what did not

The prioritisation of cyber security has held steady across the last three years, after a rise attributed to the impact of GDPR. There is evidence from the qualitative interviews that the pandemic has sometimes spurred investment in cyber security and led to planned security upgrades being accelerated. Some IT and cyber leads used the pandemic to make the case for extra recruitment.

There was an increase in the proportion of businesses with some form of cyber insurance (43% up from 32%), driven in part by fear that the organisations may be unable to fund a recovery, or the specialist skills to deal with incidents or reputational damage.

The proportion of businesses reporting attacks/breaches is down (from 46% to 39%). This is believed to be because trading levels have fallen and businesses have put business continuity and survival ahead of monitoring security (down from 40% to 35%) and user behaviour (from 38% to 32%) as they rapidly moved online with large numbers of home-based workers, usually without changing security policies.

Those reporting attacks/breaches saw a rise in phishing (up from 79% to 83%) and impersonation (up from 23% to 27%). But only one in five lost money as opposed to having to divert staff time or suffer business disruption. The average cost of attacks/breaches is falling year on year, despite rising volumes. That is presumably because of the effect of the security measures introduced after GDPR and the rising use of cloud storage and backups.

Note however that this report is confined to the cost of cyber breaches, not of fraud or of lost business because of intrusive security and/or customer reluctance to transact online.

The proportion with cyber security policies covering home working (23%, rising to 72% in large organisations)  and the use of personal devices for work (18%, rising to 66% or large businesses) did not change over the past year, although around half of respondents have staff working from home. The qualitative interviews, however, indicate an increase in investment in security, usually with the objective of improving business continuity, in the face of radical changes to digital infrastructures to support home working.

There are signs that in a new post-pandemic “blended” working environment, users may be less receptive to any cyber security approaches that involve locking down user activity, and instead expect IT and cyber security staff to place more emphasis on functionality and flexibility. Organisations are keen to make continuous improvements to their approach to cyber security management. They are also open to government guidance on the steps they can take and what good looks like.

Organisations of all sizes could take potentially more action around supply chain risk management, and staff awareness and training. More organisations are engaging with including multi-factor authentication, software as a service (SaaS) and smart devices and could from specific cyber security guidance or incentives.

Those who changed policies to handle Covid found three sets of challenges:

  • Direct user monitoring was much harder where staff were working remotely. This potentially delayed organisations from catching and dealing with cyber attacks. It was increasingly important for staff to be vigilant and adhere to cyber security policies but impossible to know if they were doing so. There were also difficulties of carrying out training remotely and the licensing cost of remote user monitoring software.
  • Hardware and software changes and upgrades was more difficult, particularly for large organisations with more endpoints to keep track of, plus the issues of supplying and retrieving hardware (e.g. to upgrade old operating systems).
  • There was a perceived conflict between prioritising IT service continuity and maintenance work, and aspects of cyber security such as patching and a lack of time and personnel also made it harder to carry out cyber security training and awareness raising. This indicates an opportunity for cyber security teams to reframe discussions, to show that cyber security is an integral component of business resilience.

2. Profiles, Priorities and Digital Footprints

The proportion of business giving a very high priority (e.g. a board member responsible) varies by sector:

  • Financial services and insurance (65%)
  • Information and communications (62%)
  • Health, social work and social care (56%).

The average is 37%. The bottom three are:

  • Food and hospitality
  • Entertainment (24%).
  • Construction (20%), The average is 37%.

The standards to which businesses aspire differ by sector:

  • PCI-DSS is targeted by 28% (54% in food and hospitality, 50% in retail and wholesale and 42% large)
  • ISO 27001 by 7% (rising 19% in health and social, 16% in finance and 24% of large businesses)
  • NIST by 5% (rising to 10% in finance)
  • Cyber Essentials is followed by 4% (29% of large businesses)
  • Cyber Essentials Plus is claimed by 1% (9% or large businesses)

Half have taken action against five or more of the NCSC Ten Steps (rising to 85% of large firms) but only 4% have undertaken action on all ten. This rises to 25% within large firms

 The priority given to PCI DSS relates in part to digital footprints and risk profiles

  •  82% of business have online bank accounts, up from 75% in 2020
  • 59% have social media accounts
  • 58% hold personal customer information (80% or more in finance, health, social work and social care
  • 46% have network connected devices
  • 30% (up from 23%) take orders, booking or payment online. (40% in retail/wholesale, 57% in food/hospitality
  • Around one in five have older versions of Windows, rising to one in three in large firms.

The rise of Cyber Insurance

Some 43% (60% in finance) report some form of cyber insurance, up from 32% in 2020.  6% of these (rising to 21% in large firms) have a specific cyber-security policy and 37% (falling to 30% in large firms) believe they have it as part of a wider insurance policy. Only 1% (rising to 7% in large organisations) have made a claim.

Access to post-breach services was a particularly important aspect of cyber insurance policies. Some were expected to notify breaches whether or not they expected to claim. Others received informal threat intelligence from the insurer. There was speculation as to whether this might become part of the policy. If so it might become a major incentive to purchase cyber insurance in the future.

The importance of Outsourcing

38% (58% of large firms, 74% in finance and insurance) have an external security provider

3. Awareness, Attitudes, and Drivers of Change

Half of businesses (53% down from a GDPR related peak of 59% in 2018-19) but fewer charities (45%) sought outside guidance in the past year. It is more in large businesses (75% up from 57%) and Finance, Insurance, Information and Communications.

The most common sources are:

  • external cyber security consultants, IT consultants or IT service providers (26% businesses, 13% charities)
  • general online searching (9% of businesses and 3% of charities)
  • any government or public sector source, including government websites, regulators and other public bodies (8% of businesses and 13% of charities). Only 1% mention NCSC by name, rising to 3% of large businesses. 6% of charities mention a charity regulator

Awareness of public sector guidance is increasing but limited beyond large organisations:

But guidance appears to be liked and effective when found: 37% of businesses and 38% of charities (54% of those with over £5m) reported changes to their cyber security measures as a direct response to seeing government guidance. Feedback from interviewees shown the materials was similarly positive though there was some uncertainty as to the target audience.

There was a greater emphasis on continuous improvement and integration of new technologies, as opposed to the step change that GDPR had brought about in 2018. Some were gradually moving away from an approach of locking down user activity, towards one that prioritised functionality and flexibility. Some said staff would have to take on more personal responsibility for cyber security if continuing to work from home post-pandemic.

As in previous years, experiencing a cyber security incident was a big driver of change. Competitors experiencing cyber security breaches could also grab the attention of board members and lead to significant action. Other drivers included security demands from clients and/or requirements written into contracts.

4. Policies and Actions

 Barely a third have risk assessments or policies:

  • 34% have undertaken a cyber security risk assessment.
  • 33% (69% in Finance and 75% of large firms) have formal policies covering cyber security risks

Only a third of those with polices have reviewed them within the past year (down from 50% in the previous year). This compares with 80% having a policy to do so – indicating postponements during the Covid lockdown

  • 31% (76% in Finance and 72% of large firms) have a business continuity plan including cyber.
  • 20% (49% of large businesses) have tested staff (e.g. mock phishing exercises)
  • 15% (48% of large businesses) have carried out vulnerability audits.

Micro businesses are most likely to have had only an internal audit (43%). Small (51%) and medium (40%) firms are most likely to have had only an external audit. Large firms are most likely to have had both (50%).

  • 13% (52% of large businesses) have had a penetration test.
  • 12% (36% of large firms) have looked at the risks posed by immediate suppliers.
  • 5% (20% of large firms) have looked at risk in their wider supply chains.

Lack of time, information (from suppliers) and skills/knowledge are roughly equal barriers to assessing supply chain risk.

The Policy Contents include:

  • 88% have backups either on cloud servers or elsewhere
  • 83% Up-to-date malware protection
  • 79% A password policy that ensures that users set strong passwords
  • 78% Firewalls that cover the entire IT network, as well as individual devices
  • 75% Restricting IT admin and access rights to specific users
  • 70% Backing up data securely via a cloud service
  • 64% Only allowing access via company owned devices
  • 62% Security controls on company-owned devices (e.g. laptops)
  • 58% (85% among large users) agreed process for staff to follow with fraudulent emails or websites
  • 58% Backing up data securely via other means
  • 49% Rules for storing and moving personal data securely
  • 43% A policy to apply software security updates within 14 days
  • 34% (83% of large businesses) A virtual private network, or VPN, staff connecting remotely
  • 32% Monitoring of user activity
  • 29% Separate Wi-Fi networks for staff and 32% ore).
  • 14% (47% among large firms) training/awareness sessions in past year

 5) Incidence and impact of breaches or attacks

Four in ten businesses (39%) and a quarter of charities (26%) report having had any kind of cyber security breach or attack in the last 12 months. Larger businesses are more likely to identify breaches or attacks than smaller ones. Last year the identification gap widened between micro (37%) and small firms (39%) on one hand, and medium (65%) and large (64%).  Half of all high-income charities and 68% of those with over £5 million recorded breaches and attacks.

Administration and real estate firms were more likely to have identified breaches or attacks. So too were those in information and communications (47%). As in previous years, businesses that hold personal data are more likely than average to have reported breaches or attacks (43%, vs. 39% overall).

The most commonly reported attack is phishing – staff receiving fraudulent emails or being directed to fraudulent websites. Well behind come impersonation, viruses and other malware. The vast majority come via staff members’ user accounts. Half have only experienced phishing attacks and no other kinds of breaches or attacks.

In order, the attacks reported by the 39% (down from 46% last year) which reported any attacks are:

  • Phishing attacks: 83% of businesses (up from 72% last year), 79% of charities
  • Others impersonating organisation in emails or online: 27% of businesses, 23% of charities
  • Viruses, spyware or malware (excluding ransomware): 9% of businesses (down from 33%), 16% of charities
  • Denial of service attacks: 8%, 8%
  • Hacking or attempted hacking of online bank accounts: 8%, 5%
  • Takeovers of organisation’s or users’ accounts: 7%, 8%
  • Ransomware: 7% (down from 17%), 6%
  • Unauthorised accessing of files or networks by outsiders: 2%, 4%
  • Unauthorised accessing of files or networks by staff: 2%, 2%
  • Unauthorised listening into video conferences or instant messages: 1%, 5%
  • Any other breaches or attacks: 5%, 9%

This fall in those reporting any attacks is greatest among small businesses (down from 62% to 39%) and large businesses (down from 75% to 64%).

The possible reasons include:

  • Reduction in the deployment of technical controls and employee monitoring leading to reduced detection
  • A change in attacker behaviour to focus on mid-sized organisations.
  • Reduced trading activity:

The Covid-19 pandemic (at the midpoint of fieldwork for the survey, ONS data showed that only 77 per cent of businesses were trading and 47 per cent had  decreased in turnover. This may have made some businesses temporarily less prone to cyber attacks.)

The breaches and attacks considered most disruptive, excluding those reporting only phishing attacks were:

  • Phishing attacks 28% (both business and charity)
  • Others impersonating organisation in emails or online 22% business, 20% charity
  • Viruses, spyware or malware (including ransomware) 14%
  • Hacking or attempted hacking of online bank accounts 11% business, 4% charity
  • Denial of service attacks 7%
  • Takeovers of organisation’s or users’ accounts 2% business, 9% charities

Among those identifying any breaches or attacks, half of businesses (49%) and almost half of charities (44%) say they happen once a month or more often. Around a quarter (27% of businesses and 23% of charities) say they experience breaches or attacks at least once a week.  Fewer businesses and charities are reporting breaches or attacks as one-off events over the course of a year. Not all breaches or attacks lead to loss of money or data. Of the 39% business that identify breaches or attacks, 21% experience negative outcomes (rising to 35% for large organisations). The proportion of charities is similar.

The main direct impacts were:

  • Temporary loss of access to files or networks 8% of businesses and 6% of charities
  • Disruption to websites, applications or online services 6% of businesses and 10% of charities
  • Software or systems corrupted or damaged 4%, 5%
  • Money stolen 4%, 1%
  • Lost access to relied-on third party services 4%, 1%
  • Damage to physical devices or equipment 3%, 5%
  • Lost or stolen assets, trade secrets or intellectual property 1%, 2%
  • Compromised accounts or systems used for illicit purposes 1%, 2%
  • Personal data altered, destroyed or taken 1%
  • Permanent loss of files (not personal data) 1%
  • Money was paid as a ransom less than 1%

The effort necessary to prevent future cases and staff redirected to deal with the breach included:

  • New measures needed for future attacks 23%, 24%
  • Added staff time to deal with breach or inform others 19%, 25%
  • Stopped staff carrying out daily work 12%. 9%
  • Other repair or recovery costs 7%, 9%
  • Prevented provision of goods and services 4%, 2%
  • Discouraged from carrying out intended future business activity 3%, 2%
  • Loss of revenue or share value 3%. 1%
  • Complaints from customers 3%. 1%
  • Goodwill compensation to customers 2%. 2%
  • Reputational damage 1%. 2%
  • Fines or legal costs 0%, 1%

As in previous years, the impact is most substantial for large businesses. 43 per cent of large businesses say they have had to take up new measures to prevent or protect against future cases (vs. 23% of all businesses facing breaches or attacks) and 37% say they needed extra staff time to deal with breaches (vs. 19% overall).

The vast majority of businesses (89%) and charities (86%) restore operations from their most disruptive breach or attack within 24 hours while 71% of businesses and 67% of charities said it took no time at all to recover. Of those reporting incidents with a material outcome, 34% of businesses take a day or more to recover.

The trend towards increasing resilience to cyber security breaches appears to have levelled off this year, perhaps because of focus on service continuity rather than on their proactive cyber security planning and defences.

Most attacks and breaches have no material outcome. In consequence those organisations which do not lose data or assets run the risk of systematically under-appreciating the seriousness of cyber security breaches and attacks.

  1. Response

Of the 39% of businesses who experienced incidents, 66% have an incident response process. These include:

  • Attempting to identify the source of the incident 44%
  • Debriefs to log any lessons learnt 43% (55% in admin and real estate)
  • Roles and responsibilities assigned to specific individuals 43%
  • Assessment of the scale and impact of the incident 42%
  • Formally logging incidents 36% (47% in admin and real estate, 75% of large businesses)
  • Written guidance on who to notify 34%
  • Communications and public engagement plans 17%

Communications plans are more common in health and social care (28%), Information and Communications (36%),  finance and insurance (35%) ,and large businesses (45%)

93% of businesses but only 59% of charities informed senior manager/directors/trustees of their most disruptive breach. Only 37% of businesses (28% of charities) informed those outside their organisation. This drops to 29% and 23% when reports only to external cyber security providers are removed.

The outside reports are to:

  • Bank, building society or credit card company  19%
  • Internet service provider 14%
  • Police 10%
  • Clients or customers 10%
  • Another government agency 5%
  • Suppliers 5%

There are few mentions of specific organisations like the National Cyber Security Centre (NCSC) or Action Fraud.

Over 60% (79% of organisations) take action to prevent further breaches including:

  • Additional staff training or communications 18% (rising to 19% if material impact)
  • Installed, changed or updated antivirus or anti-malware software 14% (19% where material outcome)
  • Changed or updated firewall or system configurations 11% (24% where material outcome)
  • Other new software or tools (not antivirus or anti-malware 5% (12% where material outcome)
  • Started outsourcing some aspects of cybersecurity – 6% of those where material outcome)

More  businesses have made technical changes (36%) compared to people-related changes (23%). In charities, this is more evenly balanced (31% and 33%). Fewer changed governance processes (10% and 11%).

7. Conclusion (mine not the report): Cybersecurity professionals need to try harder to see the world through their employers’ eyes.

The report is an excellent snapshot but it also illustrates why most business leaders (large or small) find it so hard to take cyber security seriously until it is put into the context of their own business.  They can understand the need to take action regarding business continuity, impersonation (including of themselves or the brand), fraud and reputation  (even if privately they regard GDPR as flummery).

But “cyber” has to be put into context. And that context varies by sector and size.  Hence the critical importance of working national and locally to provide “joined up” guidance.

Hence the importance of the plans of Police Cyber Resilience Centres and of the members of the new Digital Policy Alliance Cyber Security Skills and Partnerships SubGroup to use the CRCs as a focus for joining up and customising activities locally, across organisational and professional boundaries, in ways which make sense to the target audiences.  To aid that process I am making changes each week to the evolving list of the activities (including sources of guidance and support) identified in my blog on the Changing Cyber Policing and Skills Scene  where I extend “cyber” to include all of its manifestations and  consequences, online abuse, fraud, harms, impersonation.

That, however,  is not what blogs are for. I therefore look forward to hearing from those who would like to help (and are acceptable to the others involved), so that I can hand over this task to a suitable permanent home in the near future.