The latest Government Cyber Security Breaches Survey shows that the risk level for businesses is potentially higher than ever under COVID-19. Businesses are finding it harder to administer cyber security measures during the pandemic as organisational resources are diverted to facilitating home working. Fewer businesses are also taking recommended cyber security measures, leading the Government to urge organisations to follow the NCSC's "expert guidance" to boost their online resilience.
The annual survey, which the Government has run since 2016, looks at how UK businesses, charities and education institutes are affected by, and manage, cyber risk. The aim is to help organisations understand the risks they face and what others are doing to stay secure. It can also help larger businesses understand where smaller firms (many of whom sit within their supply chain) may approach cyber risk differently. The Government uses the research to shape future policy, including its upcoming new Cyber strategy.
There were some positives to take from this year’s report:
- Despite COVID-19, cyber security remains a priority for boards, with 77% of businesses (and 93% of large businesses) saying that cyber security is a high priority for their directors or senior managers. Overwhelmingly businesses say the pandemic has made no difference to the importance they place on cyber security, while the qualitative research suggests that some organisations have accelerated their plans regarding (or increased their investment in) IT and cyber security in response. Many have adopted new security solutions including cloud security and multi-factor authentication. For some (14%), cyber has become a higher priority as they have faced an increase in the frequency of attacks (especially phishing attacks) since March 2020 and/or felt their organisations were exposed to new risks as staff worked from home.
- More businesses are taking out cyber security insurance – up 11% to 43% this year. This is more likely to be through a broader insurance policy rather than a cyber specific one.
- Fewer businesses are identifying breaches or attacks than in 2020 (from 46% to 39%). This may, however, be misleading as the frequency of attacks has not reduced for those reporting them. It could be the result of reduced trading activity from businesses during the pandemic, or because businesses are less aware of the attacks they are suffering (fewer are using monitoring tools than last year – see below).
However, the report also highlights many areas that are still in need of improvement, as well as some new risks. The pandemic has made cyber security harder. With resources stretched and remote working creating new challenges, fewer businesses than last year report deploying security monitoring tools or having up-to-date malware protection. Many more businesses now have staff working from home and/or using personal devices for work, and yet the vast majority still do not have a cyber policy which caters for this. Only a third have a VPN for remote working and, in large businesses in particular, having laptops with unsupported versions of Windows is a significant risk (affecting 32% of large businesses). Businesses therefore still need to implement new (or adapt existing) policies and procedures to reflect these new risks and working patterns, and to cater for future working environments which many anticipate will involve a blend of working remotely and in offices.
In addition, many long-standing issues remain and businesses could still do more to prepare:
- Just under a third have continuity plans that mention cyber security and only 15% have audited their cyber security vulnerabilities.
- Despite cyber being a board level issue, only 38% have board members with a cyber security brief. The figure rises to 57% for larger businesses, but this still marks a fall from last year's peak of 68%.
- Only 14% of businesses train their staff on cyber security and only 20% have tested their staff response (for example with mock phishing exercises). This is despite the fact that phishing attacks were the most common threat vector (83% of reported attacks), and staff are a key vulnerability in relation to such attacks. The figures are, however, higher in larger organisations, where nearly half have carried out training or tested their staff response.
- The vast majority of businesses (88%) do not review cyber security risks posed by suppliers. The figures are even worse when looking beyond immediate suppliers – only 5% of businesses (down from 9% last year) have reviewed their wider supply chain. Barriers to addressing supplier risk ranged from a lack of time/money to suppliers not providing the information to carry out checks or not knowing what checks to carry out. Compliance with standards, like Cyber Essentials, was cited in responses as one way to ensure that suppliers took cyber security seriously without having to collect lots of specific information from them.
Finally, the responses provided some interesting insights. Some reported that service continuity and flexibility have been viewed as competing with cyber security since the first UK lockdown. However, it will be interesting to see if this view will change. When discussing cyber security priorities going forward, businesses talked about a greater emphasis on continuous improvement and integrating new technologies. As staff increasingly expect access to new technologies to stay productive, some discussed gradually moving from an approach of locking down user activity towards one that prioritises functionality and flexibility. Presumably cyber risk management processes, procedures and (some suggested) the personal responsibility of staff will need to adapt to reflect these changes post pandemic.
"The pandemic has taken an unavoidable toll on British businesses but we cannot let it disrupt our high cyber security standards." (Digital Infrastructure Minister Matt Warman)