What’s New in Cyber Security?

Published by the Department for Digital, Culture, Media & Sport, the annual Cyber Security Breaches Survey 2020 seeks to help inform organisations about developments, trends and attitudes regarding cyber and information security across the UK.

As essential reading for all those involved with information security, this authoritative report is rarely without surprising, interesting and valuable results and findings; this year being no exception.

In the following, we examine some of the most informative changes and developments in the world of cyber and information security, hopefully allowing you to better understand the threat landscape and how to defend you and your organisation, with help from the Cyber Security Breaches Survey 2020.

Breaches

In the latest Cyber Security Breaches Survey, we found that just under half of all businesses (46%) and over a quarter (26%) of charities have reported cyber security attacks or breaches in the last twelve months.

This is an increase from the findings of the 2019 survey, which reported a respective 32% (businesses) and 22% (charities), but not a significant departure from 2018 or 2017. In fact, the fall in cyber attacks and breaches reported in 2019 is more anomalous, in terms of trends, than the rise we see this year.

Any optimism felt in 2019 towards this fall in cyber attacks was likely premature and though, in many ways, organisations are potentially better equipped to defend themselves, the sustained profitability of cyber crime continues to fuel this increase in attacks.

Medium and Large Businesses Hardest Hit

Like previous years, it is medium and large businesses which are being hardest hit with these incidents, with three quarters (75%) of all large businesses surveyed reporting breaches and attacks. Perhaps seen as more potentially profitable targets for scammers, high-income charities also suffer from an above average rate of attack/breach reporting (57%).

On the specific topic of breaches, what stands out most from the Cyber Security Breaches Survey is the data relating to attack frequency. A shocking 32% of businesses and 22% of charities report experiencing breaches or attacks at least once a week, with many forced to defend themselves every day.

When comparing this frequency with previous surveys, we see a significant change. For example, only 22% of businesses reported this high level of attacks in 2017, meaning those experiencing attacks or breaches at least once a week has risen 10% in just three years. Concerning statistics for all.

Phishing Attacks Increase

One of the most important topics we have in information security is phishing. Though it may seem relatively basic, phishing is involved in a significant proportion of all successful security attacks, just going to show, that without the foundations of security awareness in place, a secure culture is impossible.

This years Cyber Security Breaches Survey reports that phishing is still on the rise, with 86% of those businesses suffering attacks reporting fraudulent emails and phishing. Rising from 72% in 2019, the startling number goes to show how prevalent this information security threat still is.

What’s more, the survey also reports that 67% of the afflicted businesses reporting phishing attacks as the most disruptive breach or attack that they’ve had to respond to. Data that emphasises not only the frequency of phishing attacks, but the ability of fraudulent emails to effectively disrupt businesses.

As the threat of phishing attacks continues to grow, we also see that the relatively small number of targeted organisations reporting ransomware as a part of their reported breach or attack; only 8% amongst businesses and 10% for charities.

Though often thought of as a persistent and all-too-common threat, the frequency of ransomware attacks appears relatively minimal in comparison to the frequently underestimated risk of phishing attacks.

Higher Board Engagement

One significant and positive finding of the survey is the increase with which members of senior management are engaging with matters of cyber and information security. 80% of surveyed businesses now say that cyber security is a high priority for their boards, up 11% since 2016.

Likewise, charities are appreciating the need for senior management engagement, seeing a respective increase of 21% since only 2018.

Strong Password Policies

Though the Cyber Security Breach Survey 2020 primarily deals with attacks and breaches, the survey also looks at the policies of organisations and surrounding data relating to information security.

We learnt this year, for example, that a worrying 19% of UK businesses do not have a password policy to ensure users set strong passwords. Join this fact with the persistent threat coming from phishing attacks, it’s little surprise that hackers, scammers and cyber criminals continue to find their nefarious work profitable.

The survey also reports that a majority (53%) businesses have staff using personally owned devices to carry out regular work-related activities. Including phones, laptops, tablets, etc., this finding once again shows that businesses are failing to do all they can to protect and secure their information.

Moving Forward

Although there are certainly some positive trends and statistics shown within the Cyber Security Breaches Survey 2020, there are also plenty to suggest that not only are cyber threats, such as phishing attacks, still a significant and costly risk to organisations, but also organisations need to be doing more to properly defend against information security threats.

When the most common and effective attack vector is fraudulent emails, it would be wise to recognise that giving staff the tools and skills to mitigate this easily avoidable risk needs to be an essential for any businesses wishing to evade the rising costs of enduring a breach or attack.

Information Security Awareness Training

As with many preventative security measures, key to defending against information and cyber attacks is education. With robust information security awareness training an organisation can reliably reduce the risks associated with suffering a breach or attack. Minimising the frequency of human errors and helping to build a secure culture from within.