The survey includes data from 2,080 organisations including 1,566 businesses and 514 charities. The anonymous survey is designed to understand how significant the cyber threat is to businesses and provide advice as to what they can do to safeguard their organisations.
Within the last year, GDPR legislation has been brought into force which requires that organisations adopt “technical and organisational measures” to safeguard personal information. In addition, the National Cyber Security Centre has been active in promoting best practice through the Cyber Essentials scheme at businesses of all sizes and there is more free advice being targeted directly at the board room to help organisations understand the critical steps they need to take.
The key question is: are we in a better state, or is there more to do?
1. Cyber Security is a priority but not yet a board level responsibility
Cyber security is a priority for senior management; however, ownership of this critical topic has not yet been fully adopted by the majority of boards. This year 78% of organisations highlighted that cyber security was a high priority for senior management within their organisation, compared with 74% the previous year, which in part may be linked to the prominence of the GDPR legislation coming into force.
However, the survey also highlights that only 35% of businesses have cyber security as a board level responsibility despite legislation such as GDPR putting this responsibility firmly at the board level in the case of a personal data breach or failure to uphold an individual’s right to privacy.
In our view, a more holistic approach is required which starts with ownership of security in the board room. Our advice to clients is to make use of free resources such as the NCSC board toolkit which is an excellent starting point to turn this strategic topic into a plan of action.
2. The cyber threat is increasingly targeting people rather than technology
Last year 43% of businesses experienced a cyber security breach or attack. Encouragingly, the statistics released today show this number falling: the figure now stands at 32% of businesses and 22% of charities experiencing a data breach. GDPR has clearly been a catalyst for improvement and, in part, this explains why the number of organisations experiencing a cyber security breach has fallen this year.
However, we’re also seeing a rise in attacks that target people rather than technology. In many cases, it’s far easier for a malicious party to convince a user to hand over their username and password than to compromise a technical system. This is supported by the finding that 80% of organisations have been subject to phishing attacks and fake websites designed to steal usernames and passwords in the last 12 months.
However, the survey highlights that only 27% of businesses have deployed training to equip their staff. More than ever, this means that organisations need to focus on user training and awareness to fight the evolving cyber threat on all fronts.
3. GDPR has led to improvements but many still need to get the basics right
30% of businesses and 36% of charities say they have made changes to cyber security because of GDPR, and we now see 33% of businesses and 36% of charities with cyber security policies in place (up 6% and 15% respectively from the previous year); however, the majority still need to take action.
This is illustrated by the notable statistics from this year’s survey, which show that many organisations have yet to adopt some of the basic technical security controls. At present only 56% of businesses and 41% of charities have implemented measures across the 5 areas of the government’s Cyber Essentials scheme, which focusses on the technical cyber basics.
The freely available 10 Steps to Cyber Security guidance is also a key resource for organisations, allowing them to consider how to protect themselves from a people, process and technology perspective. This framework is an ideal follow-on to the technical advice included in Cyber Essentials and helps organisations to consider aspects such as user training, risk management and security monitoring. However, the survey reveals that only 6% have adopted all 10 controls (4% the previous year).
Where do we go from here?
Cyber security needs to be owned by the board room. This critical starting point will ensure that organisations have the mandate to implement change throughout the organisation. In doing so they will be able to ensure that their organisation is resilient to the evolving threat and that the appropriate level of focus is placed on legal and regulatory requirements demanded by legislation such as GDPR.
A security programme also needs to be holistic, focussing on people, process and technology. In our experience, and supported by the figures released today, cyber-attacks are increasingly targeting people and therefore user training and controls such as multifactor authentication are now more important than ever.
Finally, it’s important to remember that you are not on your own when embarking on your cyber security journey. There is a range of best practice advice freely available on the NCSC website, communities of support are increasingly being established, such as the Cyber Security Information Sharing Partnership (CiSP), and there is a range of partners who can assist you when independent advice or validation is required.
The key thing to remember is that cyber security is not about investing in expensive new technologies; it starts with getting the topic on the board room agenda and getting the basics right, to ensure that your organisation is truly cyber resilient and not just another statistic!