On Wednesday, the Department for Digital, Culture, Media and Sport (DCMS) published its fifth Cyber Security Breaches Survey for 2020. The objectives of the survey are to study how organisations in the UK perceive and experience cyber security risks and what they are doing to guard against them.
The 2020 Survey shows that cyber security breaches remain a persistent threat for many: 46% of businesses and 26% of charities report facing some form of attack in the past 12 months. As in previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).
The data suggests an increase in attack incidence, with nearly a third of targeted businesses reporting that they experienced such issues at least once a week in 2020. Phishing emails and websites have, once again, come out on top as the most common type of incident.
Organisations are, however, also becoming more resilient and recovering faster from cyber security incidents. Severe attacks, which cause lasting disruption and loss of money or data, are also decreasing in frequency. However, breaches that do result in negative outcomes still incur substantial costs.
Over the last five years, there has been greater board engagement in cyber security and increased action to identify and manage cyber risks. These improvements may underpin the fact that organisations have generally become more resilient. However, while greater audits, staff vigilance and board engagement have undoubtedly supported these positive trends, areas for improvement remain, according to DCMS.
Only a third of businesses report being insured against cyber risks in some way. Beyond being a means to recoup costs, cyber insurance can have wider, equally valuable, benefits such as access to specialist forensic and incident response teams, reputation management advice and legal support.
Supplier cyber security risk is also too often underestimated. Only a small minority of organisations (mainly in the insurance and finance sectors) report monitoring the cyber defences of their immediate suppliers. In particular, supplier risk tends to be narrowly construed, focusing solely on digital service providers and therefore neglecting the cyber preparedness of the wider supply network.
Finally, while cyber security is becoming a common feature of many audits, the ways in which cyber risks are assessed vary greatly. These range from informal conversations with key stakeholders in the organisation or external accountants and IT providers to more sophisticated processes involving infrastructure patching and penetration testing.
DCMS also recently closed a consultation on ways to improve the Cyber Security Breaches Survey, so watch this space.
"There was a sense that bespoke cyber insurance offered fuller coverage. Some interviewees commented that the cyber security elements of broader business insurance packages had looser definitions or excluded certain types of breaches. For one business, this made them sceptical about being able to make a successful claim under general business insurance, which is why they took out a bespoke cyber insurance policy." (DCMS, Cyber Security Breaches Survey 2020)