UK Government publishes results to the annual Cyber Security Breaches Survey

The Cyber Security Breaches Survey (“CSBS”) is an annual study of UK businesses and charities that began in 2015. The latest CSBS was conducted during the winter of 2019/2020 and the results published on 25 March 2020. The CSBS influences how the government shapes future policy, allows organisations to compare their cyber security with others and demonstrates the trends in this rapidly evolving area.

As expected, the CSBS 2020 identified that cyber-attacks continue to become more frequent and have evolved in nature. It found that 32% of businesses and 22% of charities are experiencing breaches at least once a week (compared to 29% and 18% in 2019, respectively) as well as a rise in phishing attacks and a fall in viruses or other malware. It also found that organisations have become more resilient to attacks, are less likely to report negative outcomes or impacts from breaches, and are more likely to make a faster recovery. It is encouraging that the number of businesses experiencing negative impacts from these breaches or attacks has declined. It indicates a growing resilience to cyber-attacks based on the changes that organisations have made over the last five years, primarily in response to new legislation, including the General Data Protection Regulation 2016 (“GDPR”).

Breaches that do result in negative outcomes still incur substantial costs. The CSBS 2020 asked whether breaches that had been identified in the last 12 months led to a material outcome, such as losing money or data, or a negative impact, such as requiring new measures, having staff time diverted or causing wider business disruption. 19% of businesses and 25% charities who had identified breaches suffered a material outcome, with an average estimated cost between £3,230 and £5,220. 39% of businesses and 56% of charities who had identified breaches were negatively impacted.

Over the last five years, the survey found that there has been greater board engagement in cyber security and increased action to identify and manage cyber risks. The highest proportion of organisations to date say that their senior management consider cyber security to be a “high priority” (80% of businesses and 74% in charities) and in both sets of organisations, senior managers receive much more frequent updates about cyber security than in the past. Furthermore, organisations are seeking information and guidance on cyber security, taking more action to identify cyber security risks, and managing these risks through a mixture of technical rules and controls, governance processes and policies. It is clear from the trend findings that the GDPR has played a major role in getting organisations to review and update cyber security policies and processes but the CSBS 2020 demonstrates that many of these improvements have been maintained but not necessarily enhanced.

Areas in which organisations could aim to improve include carrying out audits, obtaining cyber insurance, assessing supplier risks and reporting all breaches. The CSBS revealed that some organisations are confused about how they should be considering these topics and what best practice is. For example, the term “supplier risks” does not necessarily convey the entire digital ecosystem that organisations are part of and reporting can mean different things in different contexts. The guidance in these areas might be reframed to give organisations clarity on these issues.

Finally, the CSBS 2020 highlighted that there are trusted and influential voices on cyber security outside of government that organisations deal with regularly including banks, insurance companies and accountants. Organisations reported that they tend to discuss cyber security during financial audits, during annual meetings with insurance brokers and when engaging with HMRC for their tax returns. In addition, organisations are likely to make changes to their cyber security in response to broader technological changes like upgrading their operating system or moving to a cloud server. All of these may be additional channels through which to distribute the existing government guidance materials on cyber security.