On Wednesday 30 March, the Government published its 2022 Cyber Security Breaches Survey. The survey, which is now in its seventh year, informs government policy on cyber security and can help organisations learn more about what their competitors, and the smaller organisations in their supply chain, are doing to stay secure. It provides useful statistics on cyber preparedness, looking at the percentage of respondents who have cyber and incident management policies in place, carry out training, follow government guidance etc. However, in this blog I will focus on what the research shows around the role of boards, supply chain risk and ransomware, all areas clients regularly ask us about, as well as looking at the statistics around cyber attacks.
A continuing threat
The 2022 Survey highlights that cyber security breaches continue to be a threat to organisations of all sizes, with 72% or larger firms, and 39% percent of businesses more generally, identifying a cyber attack in the last 12 months. Of these, nearly a third were attacked at least once a week with the most common threat being phishing attempts (83%). Interestingly, the research suggests that the real breach figures may be higher. Changes in attacker behaviour together with poor cyber hygiene (including the lower proportion of businesses deploying technical controls* and the challenges in monitoring employees post Covid) may mean businesses are less capable of identifying breaches now than they were two years ago.
Despite many organisations suffering attacks, external reporting of breaches remains uncommon, with only 40% of businesses reporting their most disruptive breach outside of their organisation. The breach reporting findings are broadly consistent with previous years, although reports are now made more frequently to the Action Fraud website/helpline than to police forces directly. Also, amongst larger organisations, there was a sense that the reputational risk of being caught not reporting outweighed the risk of publicising a breach.
* The report notes that the ‘decline’ in security monitoring seen in 2020 (down from 40% to 35%) put down at the time to changes in focus required by covid, has not yet recovered. This could be because businesses continue to struggle to monitor multiple endpoints as remote working continues.
The role of the board
Cyber security is a board level issue and 82% of boards or senior management (95% of large businesses) rated cyber security as a ‘very high’ or ‘fairly high’ priority. This is higher than last year, when the figure dipped to 77% as organisations deprioritised cyber and focused on business continuity as a result of the pandemic. However, despite it now being seen as a higher priority, the research did not show a corresponding increase in activity to implement enhanced cyber security. The research also found that:
- 80% of large businesses update senior managers at least quarterly on any actions taken around cybersecurity, although this drops to just under half (49%) for micro and SMEs and also differs by sector. The proportion of businesses that say senior managers are never updated has remained stable for the past four years, suggesting that while cyber is discussed in boardrooms more now than it was in 2016/2017, it is not moving any further up the agenda despite heightened risks and attacks hitting the deadlines.
- 62% of large enterprises have a board member responsible for cyber security. Interestingly, the Survey found that a lack of board level expertise presented a significant barrier to securing the appropriate level of funding and driving action in an organisation’s cyber security approach.
- It is more effective for organisations to implement cyber security changes as part of a wider programme to increase business resilience or efficiency than as a stand-alone project as the former allowed the board or senior leaders to drive the change (rather than just relying on IT staff to lead it).
- More cyber guidance aimed at senior managers could be on the cards. It would be in plain English and focus on how to mitigate against the existential risk cyber security poses to an organisation. The research suggests it may be needed, as organisations failed last year to view cyber security as facilitating better business resilience, or to fully utilise current guidance or schemes such as Cyber Essentials which focus on the technicalities of implementing cyber controls.
Supply chain risk
While supply chain risk has been flagged as a key issue for a number of years now, only 13% of business assessed the risks posed by their immediate suppliers; with even fewer (7%) looking at the wider supply chain. This figure is slightly higher than last year, but is still lower than in 2020 which is particularly worrying given the high number of organisations who outsource key IT solutions to third parties such as managed service providers (or MSPs). A MSP is a supplier that delivers a portfolio of IT services to business customers via ongoing support and active administration, typically underpinned by an SLA and 72% of large firms (40% of all businesses) use one. However, respondents did not generally cite cyber security as being an important factor when selecting an MSP unless it was an email or data storage provider, and even then it was not considered during the procurement process. Instead, there was an assumption that the MSP would offer better security than the organisation itself. Also, while contracts often required suppliers to have robust cyber security, this was not tested (for example through extensive due diligence, measurement of KPIs or as part of the relationship reviews).
Some respondents admitted that there tended to be complacency at board-level when considering supplier risks and those that did review supplier risk saw barriers to addressing and managing those risks. These included a perceived lack of time or money (36%), not knowing which suppliers to check (18%), a lack of relevant skills (18%) or a lack of information from suppliers (28%).
Interestingly, the survey results suggested that ransomware attacks dropped last year, although other market statistics/statements and our own anecdotal evidence suggest this was not the case.
In terms of ransomware payments, 56% of businesses said they have a policy not to pay ransoms, while 19% of respondents did not know if they had a rule in place or not. Reputational damage was cited as a key reason not to pay the ransom.
Many saw ransomware as a high risk, although smaller organisations tended to believe ransomware did not pose a threat to them (thinking they were unlikely to be targeted or having anything of value for attackers). Those who had actually suffered a ransomware attack acknowledged that a policy not to pay may not actually be followed when the organisation is facing system downtime or a loss of sensitive data. They also saw a notable shift in how the organisation approached cyber security in the aftermath of a ransomware attack.
In terms of cyber insurance, previous surveys had listed protection against ransomware and assistance with ransom payments as a key reason for getting insurance. However, this year’s respondents mentioned that this had become more difficult with insurance companies raising premiums or not being able to cover ransoms at all.