The UK Government has released its annual “Cyber Security Breaches Survey 2023”. It provides some valuable insights into how cyber security is currently being managed in the UK, by a range of organisations.
It also speaks to how current competing economic priorities are impacting the effectiveness of some cyber security management efforts.
The long-running longitudinal study of some 4000 UK organisations provides concerning information about how, while still recognised as a significant problem, cyber security must now compete with other priorities for investment and resources. It highlights the economic trade-offs that are going on and how they are affecting organisations’ visibility and potentially awareness of cyber security risks.
Seven cyber security focus areas are featured in the survey. Each draws together observations about the cyber policies, processes and approaches across businesses, registered charities and educational institutions:
An interesting point here is how the large proportion of small business respondents has skewed some of the survey results. Overall, organisations are identifying fewer threats, and yet the number of breaches and attacks reported by medium and large businesses and charities is relatively unchanged from last year.
It could be that attackers are getting more sophisticated or that certain types of attacks are decreasing in prevalence. But it may also be that the reduced economic resources of smaller firms have shifted their management priorities.
Whatever the reason, the drop-off in attacks detected by small businesses is inconsistent with IBM’s recently released X-Force Threat Intelligence Index, which shows that the UK accounted for 43% of all attacks in Europe over the past 12 months, with unpatched vulnerabilities being the major attack vector.
This reading is supported by the breach numbers detected by medium and large businesses, which at 59% and 69% respectively were much higher than the overall average of 32% for all businesses. Qualitative evidence also confirmed that the priority given to cyber security by small businesses had fallen by more than 10% over the period.
Almost universally, it is accepted that the most common reason for a cyber security incident is the failure of a basic or foundational control – so-called cyber hygiene.
Most respondents, but not all, had a range of basic hygiene controls in place. Examples include malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls, to name a few. Of concern, however, is that a number of key hygiene controls recommended by the UK National Cyber Security Centre were absent.
A critical consideration for security controls is not whether they are deployed, but how effectively they operate. Monitoring the effectiveness of controls ensures that an organisation doesn’t unwittingly become reliant on the dictum that no news is good news. Because sometimes it isn’t.
This applies particularly to something like patching where unpatched vulnerabilities in operating systems and applications are frequently exploited by hackers. Simply put, the majority of vulnerabilities are known and widely publicised, but all too frequently organisations are too slow to patch their IT environment – leaving a potential point of attack!
The survey found a decline in performance in this area, from 43% in 2021 to only 31% today. So, concerningly, two-thirds of businesses (predominantly small and medium ones) are increasingly exposed to already widely publicised vulnerabilities. This is troubling, as OS and application patching is fundamental to any cyber risk mitigation strategy.
Understanding cyber security exposure is an important first step in improving the cyber security posture of an organisation. This applies to organisations themselves as well as their suppliers who might store/process information on their behalf and unwittingly expose them to downstream cyber-attack risk or ransomware outbreak.
Apparently, only 30% of businesses overall have undertaken a cyber security risk assessment to determine their control performance, coverage and maturity, although this figure is closer to 50% for medium and 60% for larger businesses (those with the biggest supply chain exposure).
Only 40% of businesses (30% for charities) use cyber insurance as part of their risk mitigation strategy, with almost 40% of mid-sized businesses choosing not to insure despite many not having undertaken cyber risk assessments either.
The majority of larger businesses have increased their 3rd party risk visibility but across the other organisations, preventative supply chain risk management activities remain limited.
Again, there is a disparity between the sophistication and cyber awareness of larger organisations compared to smaller ones. Overall, 30% of all organisations have board members or trustees with a specific focus on cyber security. The figure is 41% for medium businesses and 53% for larger ones.
Looking back through the telescope then, 70% of businesses and charities have no board members with a specific cyber security mandate. This lack of cyber accountability can only hamper the advance of their knowledge and training and undermine the importance of the IT governance task. Still, too many boards appear willing to roll the cyber security dice, despite the scale of business risks they face.
Almost two-thirds of high-income charities and 50% of medium businesses appear not to have a strategy for cyber security risk management and governance. The survey notes that the impetus to develop strategies can come from management board pressure, audits and business acquisition. If true, the implication is that without ownership or cyber security awareness at board level, a coherent cyber strategy is unlikely to result!
This limited level of cyber security accountability by board members or trustees, even in mid and larger organisations, compounded by any deficit in cyber skills and awareness, is a very risky combination.
A picture is emerging that has implications for achieving national cyber resilience ambitions. Despite highly publicised NCSC cyber security guidance like “10 Steps to Cyber Security” and the “Cyber Essentials” framework to guide cyber security efforts, the survey observes that “a sizeable proportion of organisations” are unaware of them. Mid and larger organisations appear more familiar with these advisories, but full adherence to them is again limited.
The adoption of more sophisticated standards like the “all-encompassing” ISO 27001 is even less common, at 9% of businesses overall, although for larger firms the adoption rate is 27%.
It would seem that more than 50% of organisations failed to seek external cyber security guidance, advice or standards certifications. And for those that did, it was initiated largely by customers or partners asking for it, rather than as part of a board driven strategy.
A minority of organisations have an agreed or formalised incident response procedure in place. 20% of businesses and a slightly smaller proportion of charities have formalised response plans. It is a slightly better story for larger businesses, with 64% claiming to have a structured approach.
The gaps between security teams, the wider IT function and management teams are identified as a continuing impediment to incident response; with better cyber security readiness planning required.
This is, apparently, a new area of investigation for the survey. It makes the point that not all cyber breaches or attacks are cyber crimes. The biggest organisations suffer the most cyber crime, which is perhaps unsurprising given the scale of their IT systems and the resulting enlarged attack surfaces.
The survey rightly cautions against over-interpreting some of the cyber crime statistics. It does, however, estimate the number of victim organisations to be:
“…across all UK businesses, there were approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months.”
There are warning signs throughout this survey about cyber security prevention, containment and recovery. Equally, there are security control frameworks, recommended by the NCSC and others, that can provide visibility of each potential stage of a cyber attack. A number of those controls can be relatively inexpensive, particularly when compared to some of the costs mentioned in this report. And once in place, controls can be regularly monitored for effectiveness to improve cyber resilience and help lower your risk of cyber attack.