Interpreting the Cyber Security Breach Survey 2017
What does the Cyber Security Breach Survey 2017 tell us?
On Wednesday we saw the publication of the Government’s latest Cyber Security Breach Survey report.
The survey of 1,523 businesses, reveals that cyber security has never been so important to us with 74% of business sighting it as a high or very high priority for senior managers. However, only 29% of businesses have security responsibilities at boardroom level and only 20% have invested in security training for staff in the last year.
So if Cyber Security is such a priority why are so few committed to putting some of the essential controls into practice? We think the problem is that with all the “noise” around security and with media headlines and scaremongering tactics it’s difficult to know where to start. However what does the data in this latest report tell us about how we can target our investment and help our organisations to be truly cyber secure?
Security is often not seen as a boardroom responsibility
Less than 1 in 3 organisations have assigned responsibility to security at board room level while 3 out of 4 business see it as a high or very high priority. This supports the myth that “security is a job for IT” with many organisations delegating the task to the techies. However few businesses can afford to make this mistake as often people and process changes across the business can significantly reduce the likelihood of suffering a cyber-attack.
It’s essential that security improvements are sponsored from the board as without management buy-in most security programmes lose momentum and have little lasting impact. What’s more, with the changes to data protection legislation coming into force in May next year as part of the General Data Protection Regulation (GDPR) the security of personal data is going to be a hot topic for every boardroom. In our experience lasting success comes from management buy in and a holistic security programme which mobilises the whole organisation to fight the threat of cyber-attacks.
People are the focus of attacks and we need to equip them for the fight
The survey reveals that almost half of all businesses (46%) reported being impacted by a cyber security breach or attack in the last 12 months. When we dig down into these figures, of the organisations who reported a breach 72% were targeted by phishing emails followed by 33% being impacted by Malware.
What this tells us is that while technical solutions can help to reduce the number of fraudulent emails it will never entirely eliminate the problem. In our experience a holistic approach to being cyber secure includes user training and awareness to help them spot potential threats and report these to help drive future security improvements. However the survey also reveals that only 1 in 5 businesses have carried out any form of user cyber security training in the last year. In order to deal with these evolving threats targeting our people we need to work with staff across the business to equip them to take action against the cyber criminals.
We need to increase the awareness of security best practice
ISO 27001 is often regarding as the gold standard in information security management best practice, yet only 1 in 5 of the organisations surveyed are aware of this standard. While ISO 27001 may be a high bar, most organisations can start their journey through alignment with pragmatic security standards such as the Government’s Cyber Essentials scheme. This scheme certifies organisations for doing the basics well, yet according to the survey only 8% of businesses have come across the Cyber Essentials standard.
The task ahead of us is to promote the benefits of these security standards which are often sighted as providing a competitive edge and customer confidence leading to increases revenues. At present the survey indicates that only 13% of businesses required their suppliers to have any form of cyber security certifications (such as Cyber Essentials and ISO 27001). This will no doubt be an area of significant change in the coming months as more organisations look for reassurance that their supply chain are taking the evolving threat of cyber-attacks seriously.
Where to start on the cyber security journey
Above all the findings in this survey do not significantly vary from the findings from the same exercise completed last year. While awareness is slightly increased, the story for most businesses is that they are yet to engage with the journey of security maturity and adopt an approach which extends to the domains of people, process and technology.
Our top 3 tips to business would be to:
- Start engaging the board with security. This may start with a security health check or gap analysis and start to expose where the key security risks are located. Once managers are briefed, the decisions of how to target investment can be made to ensure an organisation’s most critical data and assets are protected.
- Engage your people. The survey supports the view that training and awareness is a critical control in the fight against cyber-crime. However organisations can go further by engaging all areas of the business in a programme of security maturity, through risk workshops and security forums, all areas of the business can contribute to this initiative.
- State with putting the essentials in place. The breach survey demonstrates that the majority of security breaches are avoidable if the basic were in place. A great starting point is the Government’s Cyber Essentials standard which can often be achieved in a matter of weeks and provides reassurance that the basic safeguards are in place to stop the majority of cyber threats.
If you’re interested in finding out more about how you can improve security in your organisation, we’re holding a seminar in conjunction with the police’s North East Cyber Crime unit on 25th May. Click here for more information and to sign up.