The British Government has just released the results of an annual survey into cyber-attacks on businesses and charities – and it’s not pleasant reading.
The Cyber Security Breaches Survey 2019 results reveal that organisations subject to cyber-attacks are experiencing more breaches than ever before.
And whether it’s a phishing attack or a virus, the cyber breaches are hitting businesses and charities where it hurts, on the bottom line.
Here, we look at the report’s top five key findings – followed by tips on what you need to do to protect your organisation from hackers.
32% of businesses and 22% of charities report having cyber security breaches or attacks in the previous 12 months. As in previous years, this is higher among medium-sized businesses (60%), large businesses (61%) and high-income charities (52%).
The most common types are:
For businesses, the proportion identifying breaches is lower than in 2018 (when it was 43%) and 2017 (46%). The charities’ result is similar to 2018.
But, for affected businesses, the typical number of breaches over 12 months has soared from two attacks in 2017 to six in 2019.
The findings also suggest that, where businesses have lost data or assets through cyber security breaches, the costs from such incidents have consistently risen since the 2017 survey.
Among the 32 per cent of businesses recording cyber breaches, the breaches resulted in a negative outcome, such as a loss of data or assets, in 30 per cent of cases. The figure for charities was 21%.
For businesses suffering these kinds of negative outcomes, the average cost to them was £4,180 in 2019 – higher than in 2018 (£3,160) and 2017 (£2,450).
Once again, the average cost faced by larger businesses tends to be much higher (£9,270 for medium firms and £22,700 for large firms). And for charities facing such negative outcomes from breaches, the average cost was £9,470.
One positive thing to take from the survey is that more businesses and charities have taken steps to improve their cyber security. This is partly linked to the introduction of the GDPR, the report states.
78% of businesses and 75% of charities say that cyber security is a high priority for their organisation’s senior management. These proportions are higher than in 2018 (when it was 74% of businesses and 53% of charities).
Alongside this change in attitudes, there have also been various shifts in behaviour and action taken:
Over half of all businesses (56% vs 51%) and two-fifths of charities (41% vs 29%) say they have implemented controls in all the five technical areas listed under the Government’s Cyber Essentials scheme.
“There is still more that organisations can do to protect themselves from cyber risks,” states the survey’s summary. “This includes taking important actions that are still relatively uncommon, around board-level involvement in cyber security, monitoring suppliers and planning incident response.
“In some areas, the increasing prioritisation of cyber security has not always been matched by increased engagement and action.”
Organisations are open to receiving guidance for these areas, and for other aspects of cyber security. But the survey found that they expect such guidance to be pushed out to them.
The survey states that one plausible explanation for fewer businesses identifying breaches is that they are becoming more cyber secure and have increased their planning and defences against cyber-attacks since 2018.
We like to think that CertiKit has played a part in that. Our toolkits guide organisations through the process of applying for various certifications, including those related to cyber security, in a simple step-by-step process.
Cyber Essentials: This toolkit is designed to help implement the five key controls of Cyber Essentials quickly and effectively.
The controls cover firewalls, passwords, administrator accounts, malware and security updates. Certification lets your customers know you’re serious about cyber security, and opens up the doors to enable you to bid for certain Government contracts.
ISO27001: While Cyber Essentials is a relatively simple scheme in the UK and Canada, the ISO27001 International Standard takes things to the next level by helping you create and run your own Information Security Management System.
Again, our toolkit takes you through the process of applying for the standard. We at CertiKit are certified to the ISO27001 Standard and Cyber Essentials, so we don’t just talk the talk, we live it.
GDPR: Finally, our GDPR Toolkit can help you meet the requirements of the EU’s General Data Protection Regulation. The survey itself states that the law’s introduction has led to organisations stepping up their cyber security.
The GDPR covers the privacy of EU citizens and what steps organisations must take to protect their personal data. Again, our toolkit will guide you through what needs to be done to ensure compliance.
Visit our blog for recent news updates on all three of these CertiKit toolkits.