The majority of UK businesses now recognise the importance of cyber security. This, in part, has been driven by the fact that E-commerce has become much more important to UK companies and has doubled since 2008. Added to that, media coverage of high-profile breaches and their consequences has moved cyber security up the corporate agenda.
Despite increased awareness, many businesses have not yet taken adequate action on cyber security. While businesses largely see cyber security as important, they may not fully understand how their organisation is at risk or what action they need to take. By the end of 2016 only half of all businesses had attempted to identify the security risks that confront their organisation. The proportion is higher among medium-sized companies (78%) and higher still among large organisations (94%).
The majority of businesses have some cyber security controls in place, although these often fall short of best-practice standards. Only about 50% of companies have basic technical controls across all five areas of the Cyber Essentials scheme. While it is now normal for businesses to regularly update software and malware signatures and to have correctly configured firewalls in place, it is less common to find businesses restricting IT access to specific users or placing security controls on company-owned devices.
Policy and Process
Many businesses still need to do more to formalise their approach to security. Only 30% have written security policies, and just 10% have formal incident management processes. Just 17% of companies have carried out some form of cyber security training in the last 12 months, and only a third of companies have specific rules on encrypting personal data, an area that has been a major factor in a number of high-profile breaches in recent months.
Supplier management also needs to be improved. While most businesses now have some form of security controls within their own organisation, fewer than 15 per cent set minimum security standards for their suppliers. This stands out given that one of the key drivers of investment in cyber security is demand from customers.
Security breaches can affect all kinds of businesses, and the costs can be substantial. A quarter of businesses reported that they detected at least one cyber security breach in the last 12 months. The proportion is higher among medium and large organisations. It seems that larger companies are targeted more frequently: a quarter of those that reported breaches were breached at least once a month.
Cost of Breach
Across all sectors, the most common breach types are viruses, spyware and malware. The next most common breach type involves impersonation of the organisation. Among businesses that detected breaches, the estimated average cost of breaches over the last 12 months is £3,480; for large organisations it is much higher, at £36,500. There are difficulties in accurately accounting for the effects of a breach. For example, lost opportunity costs, lost staff time and brand damage are harder to quantify, so the true costs could be significantly higher.
Cyber security breaches affect virtually all UK businesses, and most businesses now treat cyber security as a higher priority. But, despite increased recognition, there is room for improvement across all types of businesses, particularly in defining rules, policies and incident management procedures.
Smaller companies still need to implement the basic security controls and user-access controls on their organisation’s devices. Many medium and large businesses have more developed approaches, but could still improve around data encryption rules, staff awareness training and having formal incident management. They could also do more to raise standards among their smaller suppliers.