Getty Images

Almost half of UK businesses suffered a cyber attack in past year

Latest government statistics reveal the scale of the cyber security challenge facing UK plc, but reveals some cause for optimism

Almost half of UK businesses suffered a cyber security breach or attack during the past 12 months, rising to 68% of medium-sized firms and 75% of large enterprises, according to statistics released by the Department for Digital, Culture, Media and Sport (DCMS).

In its fifth annual Cyber security breaches survey, DCMS reported that the volume of cyber attacks was growing in virtually every case – notably against charities – as the cyber criminal underworld develops and takes advantage of new techniques and vulnerabilities.

While it is important to note that some of the increase in volume can potentially be attributed to greater awareness of cyber security, out of the 46% that said they had been attacked, more said they were experiencing incidents at least once every week – 32% compared to 22% in 2017.

The nature of cyber attacks is also in flux, said DCMS. For example, since 2017, there has been a rise in businesses experiencing phishing attacks – from 72% to 86% of the 46% attacked – and a fall in viruses and other malware – from 33% to 16%. However, it is important to note that very often, phishing attacks go hand-in-hand with malware attacks.

Fortunately, organisations have generally become more resilient to breaches and attacks, are less likely to report negative outcomes or impacts, and tend to recover quicker.

“Over the past five years, there has been greater board engagement in cyber security and increased action to identify and manage cyber risks. These improvements may underpin the fact that organisations have become more resilient,” wrote the report’s authors.

“Eight in 10 businesses say that cyber security is a high priority for their senior management boards (80%, up from 69% in 2016). Three-quarters of charities said this about their senior management (74%, up from 53% in 2018).”

The study also found businesses are now more inclined to seek out information and guidance relating to cyber security – such as that provided by the National Cyber Security Centre (NCSC) – possibly as a result of legally mandated General Data Protection Regulation (GDPR) compliance.

However, DCMS said there was still more work to be done, particularly in areas such as internal and external security audits – only half of businesses have done this in the past 12 months and the quality of auditing varies wildly – and insurance against security incidents, which is held by just 32% of businesses.

In terms of incident outcomes, DCMS reported that one in five of the 46% had lost money or data, two in five were negatively affected in some other way, such as diverting staff time or wider business disruption. However, since 2018 the proportion of businesses listing any income has dropped by 19%, and the proportion being negatively affected is down 18%.

In cases with material outcomes, the average (mean) cost of all security incidents to a business in the past year is estimated to stand at £3,230, rising to £5,220 for medium and large organisations.

The ‘ultimate stress test’

Mark Deem, a partner at London-based law firm Cooley, said the study largely confirmed his own view of the past year in cyber security.

“This is borne out of a combination of enterprises being better able to identify weaknesses and where attacks occur; recent legislation (GDPR and the Cybersecurity Directive) leading to enhanced engagement of senior teams within the enterprise; as well as a reduced stigma attaching to making public the existence of an incident,” said Deem.

“The fact that medium and larger businesses and higher income charities have reported higher incidents reflects the motives of the particularly active threat actors, who are generally seeking financial gains or greater publicity for their actions.

“For all the discussions about the size of regulatory fines which have accompanied the new legislative regime of the past few years, the significant costs exposure of any incident for an enterprise, however, will still relate to the costs of investigation, the deployment of internal and external resource to assist with incident response and legal compliance and the impact on day-to-day operations,” he added.

Deem said he expected the trends identified in the report in relation to attack volume and cost to continue through 2020, particularly given the huge numbers of attacks now being linked to the Covid-19 coronavirus crisis. In this light, he said, DCMS’s report stood as a salutary remainder of the importance of maintaining security resilience in a suddenly very uncertain world.

Commenting on the statistics, Dob Todorov, CEO of HeleCloud, an AWS consultancy, said that the findings showed how UK organisations are facing “the ultimate stress test”, particularly when it comes to growing uptake of cloud services.

“The mismanagement of cloud data can be rife in these circumstances. Many organisations have, and will continue to, find themselves unintentionally exposing sensitive personal data – presenting the opportune environment for a cyber-attack or accidental data breach,” said Todorov.

“Yet, with economic uncertainty a very real challenge for UK organisations currently, taking on a huge fine or, even worse, serious reputational damage cannot be an option.

“The good news is that security is the number one priority for business and IT leaders alike – and they are taking very real steps to tackle security issues. The downside is, all too often, organisations assume that they have the necessary cyber security skills onboard without recognising the specialist knowledge and experience needed.

“Take, for example, public cloud platforms like AWS. While they offer an unprecedented level of security to UK organisations, those charged with managing these cloud services often lack expertise to use them appropriately causing accidental data leaks or allowing for comprise of system or data integrity and availability,” said Todorov.

Big discrepancy

However, Mark Nicholls, CTO at Redscan, a London-based supplier of security services, said believes that the numbers provided by DCMS do not add up. He said it was highly unlikely that so many businesses were reporting weekly security incidents while so many others said they had had no incidents at all.

“The most concerning thing for me is the significant number of organisations that have been targeted and aren’t aware of it. While a significant percentage of businesses identify multiple attacks each week, more than half say they haven’t had a single one in 12 months. There’s clearly a big discrepancy in the report’s findings,” said Nicholls.

“Being able to swiftly detect attacks is key to minimising damage, but many organisations still lack the appropriate controls and a deep awareness of what activity to look for.

“It is great to see that cyber security features more highly on the radar of senior management teams. To ensure that security receives the attention it warrants, security teams must ensure that they are able to effectively communicate the value of investments in ways that can be understood by leaders across other areas of the business,” he added.

The full Cyber security breaches report, including further information on its statistical reliability and sampling, can be found on the DCMS website.

Read more about cyber attacks

  • Prudential, the UK’s largest listed insurer, is turning to artificial intelligence to protect its computer networks in the US, Asia and Africa from malware hackers and internal threats.
  • All too often it’s the CISO who carries the can for an enterprise security failure, but this might not be a bad thing. There’s lots of evidence to suggest that falling victim to a cyber attack may actually be good for your CV.
  • The key lesson to take from the Travelex breach is that an effective response to a breach is a critical business function and no longer the sole province of the IT department.

Read more on Hackers and cybercrime prevention