UK Cyber Security Breaches Survey 2016 – Some Quick Stats

The UK government has just published the Cyber Security Breaches Survey 2016 (PDF here).

Commissioned by the Department for Culture, Media and Sport, as part of the National Cyber Security Programme. It was carried out by Ipsos MORI, in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth, and comprised:

▪ a representative telephone survey of 1,008 UK businesses from 30 November 2015 to 5 February 2016
▪ a total of 30 in-depth interviews undertaken in January and February 2016 to follow up businesses that

Here’s some pertinent stats lifted from the report:

(69%) say cyber security is either a very high (33%) or fairly high (37%) priority for their organisation’s senior management.

Just half (51%) of all businesses have attempted to identify the cyber security risks faced by their organisation, for example through health checks, risk assessments or audits. However, this is higher among medium firms (78%) and large firms (94%).

Businesses that restrict IT access to specific users (77%), or place security controls on company-owned devices (62%).

(29%) have written cyber security policies, and just one in ten (10%) have formal incident management processes.

(17%) of firms have had their staff undergo some form of cyber security training in the last 12 months.

(34%) have rules specifically around personal data encryption.

(13%) set minimum cyber security standards for their suppliers.

(24%) of all businesses detected one or more cyber security breaches in the last 12 months higher among medium firms (51%) and large firms (65%).

Viruses, spyware or malware (68%) and breaches involving impersonation of the organisation (32%).

Average cost of all breaches over the last 12 months is £3,480. This is much higher for large firms, at £36,500.

(26%) of businesses report that their senior managers are never given an update on any actions taken around cyber security.

(37%) say they have some form of cyber security insurance – Here, the qualitative research suggests that cyber security insurance is often a bolt-on to broader insurance policies, such as professional indemnity insurance. In these cases, businesses had not sought out cyber security insurance specifically and there was a general lack of knowledge about what was covered within these policies. This finding chimes with previous insurance industry estimates, which suggest that in actual fact the overwhelming majority of businesses are not insured specifically against cyber security breaches. In other words, while two-fifths think they are insured, they may not be covered if they have a breach.

(28%) businesses have cyber security represented within their senior management boards.

(51%) of all businesses, and the overwhelming majority (94%) of large businesses have taken some form of action to identify cyber security risks.

Investing in threat intelligence is particularly uncommon (8% overall, and 34% among large firms).

Businesses that invest in cyber security are more likely to have experienced breaches than those who do not spend anything on it (33% versus 8%).

Micro firms are more likely to say that they have suffered a loss of revenue due to breaches (18%, versus 10% overall).

The organisations that say online services are core to their business to a large extent are more likely to cite reputational damage from breaches (14%, versus 4% overall).

(78%) took less than a day to recover from their most disruptive breach in the last 12 months.  (45%) are dealt with immediately.

In over four-fifths of cases, even the most disruptive breaches were identified either immediately (51%) or within 24 hours of occurring (35%).

Intentional attacks are frequently seen to succeed because of human error. This is the most common single factor that businesses see as having led to their most disruptive breach (in 14% of cases overall, and 28% of cases among large firms).

Email attachments or websites are most commonly identified as the source of the most disruptive breaches (by 28% of organisations overall, and 41% of large organisations).

(21%) of the most disruptive breaches were externally reported.

Relatively few have created or updated cyber security policies in response to their most disruptive breach, and a fifth (20%) have taken no action at all.

Some other interesting snippets:

There was a sense from some participants that they would probably not be a target for serious attacks because they felt they had nothing worth stealing. Some specifically mentioned that this was because they were not a bank, or did not collect customers’ financial details.

[….]

In terms of where people have sought information, the top specific unprompted mentions were external security or IT consultants (28%), Google or general online searching (9%) and security product vendors (6%). Overall, businesses are more likely to mention non-Government sources (34%) than Government ones (2%)

[….]

It is worth noting that even among businesses where staff regularly use personally-owned devices for business reasons, three in ten (29%) of those who have policies do not have this aspect covered in their policies. Similarly, within businesses that use cloud-based servers and have cyber security policies, it is still only in six in ten (58%) cases that the policy covers cloud computing.

[….]

When asked unprompted why in the main they invest in cyber security, the two most common reasons offered by businesses are around protecting company-owned data or intellectual property (44%) and protecting customer data (36%). Relatively few organisations see cyber security mainly in terms of business continuity, with just 13 per cent saying one of their main reasons for investing is about keeping the business going, and just three per cent saying they invest to prevent downtime and outages. This does seem to be a bigger driver for larger businesses however, with two in ten (18% of medium firms and 19% of large firms) citing keeping the business going as one of their main reasons. Cyber security is also largely not viewed as a compliance issue, with just five per cent saying compliance with laws and regulations was one of the main reasons behind their investment. This was slightly higher among small organisations (9%).

Ed Vaizey MP, Minister for the Digital Economy- Commented in the foreward:

“Clearly there is still much work to be done, so I want businesses to change their behaviour as a result of this survey. When I speak to businesses it is clear awareness of the cyber threat is now very high. Everyone I talk to agrees the threat is significant and needs to be tackled, but there is a gap between awareness and action, which is highlighted in this report. We see a steady stream of breaches and attacks on firms which assume they are on top of security, but still haven’t got a good understanding of the possible impact on their business or what they should do about it.”

These are just some highlights that jumped out at me. The report is well worth reading.