The UK Government has released its annual “Cyber Security Breaches Survey 2023”. It provides some valuable insights into how cyber security is currently being managed in the UK, by a range of organisations.
It also speaks to how current competing economic priorities are impacting the effectiveness of some cyber security management efforts.
The long-running longitudinal study of some 4000 UK organisations provides concerning information about how, while still recognised as a significant problem, cyber security must now compete with other priorities for investment and resources. It highlights the economic trade-offs that are going on and how they are affecting organisations’ visibility and potentially awareness of cyber security risks.
Seven cyber security focus areas are featured in the survey. Each draws together observations about the cyber policies, processes and approaches across businesses, registered charities and educational institutions:
An interesting point here is how the large proportion of small business respondents has impacted some of the survey results. Overall organisations are identifying fewer threats; and yet the number of breaches and attacks for medium and large businesses and charities is relatively unchanged from last year.
It could be that attackers are getting more sophisticated or that certain types of attacks are decreasing in prevalence. But it may also be that the reduced economic resources of smaller firms have shifted their management priorities.
Whatever the reason, the drop-off in attacks detected by small businesses is inconsistent with the recently released IBM X-Force Threat Intelligence Index, which shows that the UK accounted for 43% of all attacks in Europe over the past 12 months, with unpatched vulnerabilities being the major attack vector.
This reading is supported by the breach numbers detected by medium and large businesses, which were much higher at 59% and 69% respectively than the overall average of 32% for all businesses. Qualitative evidence also confirmed that the priority given to cyber security by small businesses had fallen by more than 10% over the period.
Almost universally, it is accepted that the most common reason for a cyber security incident is the failure in a basic or foundational control – so called cyber hygiene. See our blogs on this here and here.
Most respondents, but not all, had a range of basic hygiene controls in place. Examples include malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls, to name a few. Of concern, however, is that a number of key hygiene controls recommended by the UK National Cyber Security Centre were absent.
A critical consideration for security controls is not whether they are deployed, but how effectively. Monitoring the effectiveness of controls ensures that an organisation doesn’t unwittingly become reliant on the dictum that no news is good news. Because sometimes it isn’t.
This applies particularly to something like patching where unpatched vulnerabilities in operating systems and applications are frequently exploited by hackers. Simply put, the majority of vulnerabilities are known and widely publicised, but all too frequently organisations are too slow to patch their IT environment – leaving a potential point of attack!
The survey found a decline in performance in this area, from 43% in 2021 to only 31% today. So, concerningly, two thirds of businesses (predominantly small and medium ones) are increasingly exposed to already widely publicised vulnerabilities. This is troubling, as OS and application patching is fundamental to any cyber risk mitigation strategy.
Understanding cyber security exposure is an important first step in improving the cyber security posture of an organisation. This applies to organisations themselves as well as their suppliers who might store/process information on their behalf and unwittingly expose them to downstream cyber-attack risk or ransomware outbreak.
Apparently, 30% of businesses overall have undertaken a cyber security risk assessment to determine their control performance, coverage and maturity, although this figure is closer to 50% for medium and 60% for larger businesses (those with the biggest supply chain exposure).
Only 40% of businesses (30% for charities) use cyber insurance as part of their risk mitigation strategy; with almost 40% of mid-sized businesses choosing not to insure despite many having not undertaken cyber risk assessments either.
The majority of larger businesses have increased their third-party risk visibility, but across the other organisations preventative supply chain risk management activities remain limited.
Again there is a disparity between the sophistication and cyber awareness of larger organisations compared to smaller ones. Overall, 30% of all organisations have board members or trustees that have a specific focus on cyber security. The figure is 41% for medium businesses and 53% for larger ones.
Looking back through the telescope then, 70% of businesses and charities have no board members with a specific cyber security mandate. This lack of cyber accountability can only hamper the advance of their knowledge and training and undermine the importance of the IT governance task. Still, too many boards appear willing to roll the cyber security dice, despite the scale of business risks they face.
Almost two thirds of high-income charities and 50% of medium businesses appear not to have a strategy for cyber security risk management and governance. The survey notes that the impetus to develop strategies can come from management board pressure, audits and business acquisition. If true, the implication is that without ownership or cyber security awareness at board level, a coherent cyber strategy is unlikely to result!
This limited level of cyber security accountability by board members or trustees, even in mid and larger organisations, compounded by any deficit in cyber skills and awareness, is a very risky combination.
A picture is emerging that has implications for achieving national cyber resilience ambitions. Despite highly publicised NCSC cyber security guidance like “10 Steps to Cyber Security” and the “Cyber Essentials” framework to guide cyber security efforts, the survey observes that “a sizeable proportion of organisations” are unaware of them. Mid-sized and larger organisations appear more familiar with these advisories; full adherence to them, however, is again limited.
The adoption of more sophisticated standards like the “all-encompassing” ISO 27001 is even less common, at 9% of businesses overall, although for larger firms the adoption rate is 27%.
It would seem that more than 50% of organisations failed to seek external cyber security guidance, advice or standards certifications. And for those that did, it was initiated largely by customers or partners asking for it, rather than as part of a board driven strategy.
A minority of organisations have an agreed or formalised incident response procedure in place. 20% of businesses and a slightly smaller proportion of charities have formalised response plans. It is a slightly better story for larger businesses, with 64% claiming to have a structured approach.
The gaps between security teams, the wider IT function and management teams are identified as a continuing impediment to incident response; with better cyber security readiness planning required.
This is, apparently, a new area of investigation for the survey. It makes the point that not all cyber breaches or attacks are cyber crimes. The biggest organisations suffer the most cyber crime, which is perhaps unsurprising given the scale of their IT systems and the resulting enlarged attack surfaces.
The survey rightly cautions against over-interpreting some of the cyber crime statistics. It does, however, estimate the number of victim organisations to be:
“…across all UK businesses, there were approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months.”
There are warning signs throughout this survey about cyber security prevention, containment and recovery. Equally, there are security control frameworks, recommended by the NCSC and others, that can provide visibility of each potential stage of a cyber attack. A number of those controls can be relatively inexpensive, particularly when compared to some of the costs mentioned in this report. And once in place, controls can be regularly monitored for effectiveness to improve cyber resilience and help lower your risk of cyber attack.