Increasing numbers of firms have begun to report repeated cyber-incidents in the past 12 months as documented in recent UK government figures.
Cyber-incidents are rising, and a growing number of firms report repeated cyber-incidents over the past year, says the UK government’s latest survey of breaches.
More than 45% of all businesses and 25% of charities document cyber-security breaches. Large businesses (75%), medium businesses (68%) and high-income charities (57%) report the highest number of incidents, said the Cyber Security Breaches Survey 2020.
“The business findings are in line with those in 2017 (when the question was first asked). The charity findings show a rising incidence, from 19% in 2018 (when charities were first surveyed) and 22% in 2019, to 26% in 2020. This may mean that more charities are being targeted but could also mean that they are better at identifying breaches than before,” said the report.
“Among this 46% of businesses that identify breaches or attacks, more are experiencing these issues at least once a week in 2020 (32% versus 22% in 2017). There is a similar pattern over time for charities, although the changes across years are not statistically significant. In 2020, a fifth of these charities (22%) say they experience breaches at least once a week.”
Businesses suffering phishing attacks increased from 72% in 2017 to 86%, while viruses and other malware fell from 33% to 16%. Costs of data breaches have gone up, while 19% of those that reported breaches lost money or data.
Industry professionals have broadly welcomed the findings, though it is worrying that the threats keep repeating and the cost of breaches continues to rise. “Cyber-criminals and threats are constantly evolving, as is the landscape within which they operate,” noted Jérôme Robert, cyber-security specialist for active directory at Alsid.
“Take the current Covid-19 pandemic that is gripping the world: massive changes in workstyles driven by remote working are a gift for hackers. Likewise, we talk a lot about the rise of AI applications to boost security, but don’t forget that cyber-criminals also have access to AI which they can use to launch more dangerous, targeted attacks in higher volumes thanks to automation,” he commented.
Ransomware is seen as a common threat these days and it is downplayed in the report, but daily headlines show how punishing it can be, he added.
The challenge the industry faces is no longer one of awareness of the threats, but how to put in place defence and mitigation measures for cyber-risks, observed Chris Miller, regional director UK & Ireland, RSA Security.
“One such digital risk that the survey highlights is that of suppliers. There’s no doubt that third parties are hugely important in today’s hyper-connected business environment, but they’re also a potential source of data breaches and are often targeted by malicious parties to leapfrog into other businesses’ networks. When it comes to working with external parties, there has to be a balance between risk and business reward,” he continued.
Serious Business Risks
Boards have started treating breaches as serious business risks, the survey shows.
“Over the last five years, there has been greater board engagement in cyber-security and increased action to identify and manage cyber-risks. These improvements may underpin the fact that organisations have become more resilient,” commented the report.
80% of businesses surveyed (69% in 2016) said cyber-security is a high-priority matter for their senior management boards. Three-quarters of charities (74%, up from 53% in 2018) said this about their senior management.
“The 2019 Data Breach Investigations Report by Verizon found that senior executives are around 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches than previously,” noted Ali Neil, international security solutions director at Verizon.
The increasing success that cyber-criminals are finding from phishing attacks can be linked to the unhappy combination of a stressful business environment, added to by a lack of focused education on the risks of cyber-crime, he went on to say.
“Typically, if they are time-starved and under pressure to deliver, senior executives will quickly review and click on emails prior to moving on to the next and then the next, or there are assistants managing email on their behalf, all making suspicious emails vastly more likely to actually get through.”