UK's cyber security breaches survey and Verizon's data breach report suggest progress – but more to do

April 2017 welcomed two insightful publications on the current cyber security landscape. The UK Department for Culture, Media and Sport's annual Cyber Security Breaches Survey (the "Survey") and Verizon's 2017 Data Breach Investigations Report (the "Report"), highlight the changing attitude of businesses toward cyber security, the specific threats facing organisations, and the opportunities for mitigating cyber crime. Whilst the results of these two publications suggest some advances in cyber security awareness, they also highlight a lack of preparedness which makes the extent of the recent "WannaCry" cyber attack in May 2017 (see above) somewhat unsurprising.

The Survey highlights that as the number of businesses with an online presence and those storing data on the cloud increase, there has been an increasing prioritisation of cyber security. The main findings of the Survey, which questioned just over 1500 UK businesses, were:

• Businesses increasingly see cyber security as an important issue: 74% of the UK businesses surveyed said that cyber security is a high priority for senior management, while 31% said it is a very high priority. Encouragingly, those considering it to be a low priority fell from 13% in 2016 to 7% this year. The threat of ransomware, having a senior individual responsible for cyber security in the firm, educated board members and cyber attacks (e.g. phishing emails) outside of work all contributed to pushing cyber security issues up the agenda.
• More businesses could still seek information or take further action to protect themselves: While 58% of firms had sought information or advice and 67% had spent money on cyber security, a considerable number still did not have basic protections or a formalised approach to cyber security. These results broadly align with those of the Institute of Directors' Policy Report on cyber security published in March 2017, which found that whilst 95% of the almost 850 business leaders surveyed considered cyber security to be very or quite important, only 55% had a formal strategy. Only 37% of firms in the Survey had rules around encryption of personal data, 33% had a formal policy that covered cyber security, and as little as 11% had an incident management plan in place. 19% were worried about suppliers' cyber security yet only 13% required suppliers to adhere to particular cyber security standards.
• All kinds of businesses continue to suffer financial and other implications as a result of cyber security breaches: Loss of data or network access, corruption of systems, time spent on resolving the issues and implementing new protective measures, in addition to the financial cost (averaging at £19,600 for large firms) were highlighted as material outcomes of an attack. Only one quarter of firms reported the breach externally to anyone other than a cyber security provider, pointing to a lack of awareness as to notification requirements in the event of a breach. This is only likely to be exacerbated further next year in light of the statutory notification requirements under both the EU General Data Protection Regulation and the Cyber Security Directive (see article above).

Meanwhile, Verizon's Report, which analysed 42,068 incidents and 1,935 breaches, found that 73% of breaches were financially motivated, 62% featured hacking (81% of which used either stolen and/or weak passwords), just over 50% included malware (66% of which was installed via email attachments), and 43% were social attacks. Three quarters of attacks were committed externally, meaning one quarter involved internal actors. The report listed common categories of attack and provided examples of how organisations might minimise vulnerabilities:

• Complete regular software updates to avoid crimeware – "watch out for macro-enabled MS Office documents"
• Help curb cyber-espionage with security awareness training
• Implement and regularly test distributed denial-of-service mitigation services
• Protect the misuse of organisational data by limiting, logging and monitoring large data transfers and the use of USB devices
• Train staff to identify the signs of tampering with payment terminals
• While the majority of data breaches involved hard copy documents, use encryption for soft copies and consider having a policy that limits printing of certain sensitive data
• Encourage customers to vary passwords and use two-factor authentication
• Restaurants and small businesses have become the new focus of point of sale attacks – request a review of the security practices of third-party point of sale vendors
• Ask IT to mark external emails with an unmistakable stamp

Click here to view the Cyber Security Breaches Survey 2017.

Click here to view Verizon's 2017 Data Breach Investigations Report.