A new survey from PwC has found that 28% of UK organisations do not know how many cyber attacks they suffered in the past year and 33% don’t know how incidents occurred.
The Global State of Information Security Survey 2018 interviewed 9,500 senior business and technology executives from 122 countries, including 560 UK respondents across large and small businesses as well as public sector organisations.
The survey results paint a relatively bleak picture of cyber security awareness within the UK, with respondents trailing their global counterparts in many areas.
UK Cyber Security
UK organisations reported facing an average of 19 hours of downtime due to security incidents. More than 20% reported that they had employee, customer or internal records compromised or damaged.
Despite this, only 44% of UK organisations have a cyber insurance policy in place to cover the impact of a security breach, compared to 58% of organisations globally.
UK organisations also remain more reluctant than international organisations to work with others in the face of an increasing cyber threat. Only 44% of UK organisations officially collaborate with others in their industry to improve security and reduce potential risks. This contrasts with 54% of European organisations and 58% globally.
Internally, only 53% of UK organisations have a team that includes leaders from other departments (finance, legal, risk, HR, IT etc.) to coordinate security issues.
This is a serious issue, since 27% of cyber attacks on UK organisations – up from 20% the previous year – come via employees being targeted. In comparison, 29% of attacks globally come via mobile devices being breached.
While 64% of UK organisations surveyed have a security strategy in place, with an average security budget of £3.6 million, only 34% have boards actively participating in the strategy, compared to an average of 44% worldwide.
A Wake-Up Call For the UK
Professor Bill Buchanan OBE from Edinburgh Napier University’s Cyber Academy told DIGIT: “I believe we do lag behind other countries, and need to push forward with innovation which creates systems and services which have security integrated into every single element. GDPR and NIS will be a shock to the system, but hopefully it will be a wake-up call to businesses, especially to properly protect citizen information.
“Our public services, especially in health care and with the legal system, lag many countries in the world, and without a new vision, we will be pushing the same old legacy systems. Personally I think we need leadership from our politicians in creating a digitally-focused world, and to move away from insecure methods which still use paper-based authorisation and wet signatures. Unfortunately some of the messages coming from our government are around seeing encryption as a negative thing, where it could actually address many of the current problems we have within our on-line environment, and thus protect our citizens better.
“Estonia and Finland give excellent examples of how we can better protect and support our citizens in an Information Age. Our data needs to flow, but needs to exist in a trustworthy environment, and we need to rebuild our country based on software and virtualised systems, and use cryptography as a core building block. I see so many great SMEs in Scotland, so the talent is here to build these systems, and scale across the world.”
Gerry Grant, Chief Ethical Hacker with the Scottish Business Resilience Centre, argued that Scotland is already making advances in collaboration to address cyber crime: “The response and attitude towards cyber crime from businesses across the UK is still behind where it needs to be. While the nature of cybercrime is a constantly evolving threat, great steps forward have been taken in Scotland specifically.
“We are a small enough nation that collaboration is possible and there is great work happening between our public sector, law enforcement, academia and the world of business with forums such as the SciNet forum on the Cyber Information Sharing Platform.
“One of the biggest battles facing Scotland is the retention of talent and ensuring the many emerging cyber security professionals remain north of the border.”
Insider Threat Increasing
Dr Jamie Graves, the founder and CEO of security specialists ZoneFox, highlighted the increase in insider threat as a key consideration: “The survey paints a stark picture for UK security, especially considering that many UK organisations might not be aware of their value to a nefarious hacker. As such, whether a business is large or small, if it holds something of value, it could be a target.
“What’s more, these survey results illuminate the power of insider threats; with 27% of cyber attacks on UK organisations targeting employees — up from 20% last year — this is clearly an escalating problem that looks set only to get worse.
“Ultimately, as cyber crime has become an industry, UK organisations need to have the right tools and services available in a cost-effective manner to close the door on cyber crooks.”
Collaboration Is Key
Richard Horne, cyber security partner at PwC, summarised the report: “Cyber attacks could happen to any organisation at any time, so it’s important that all businesses and public sector organisations are getting the basics right and continually testing their approach to prepare themselves in the right way. In that critical moment when an attack hits, the ability to act quickly and effectively is key to minimising business disruption and reputational harm.
“Cyber security needs to be viewed as a ‘team sport’ rather than just an issue for the IT team. To be most effective, everyone in an organisation should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top.
“Working with others across the public and private sector is key too. Forging close working collaborations and sharing intelligence is often the best way to tackle the latest threats. New forms of attack require new ways of working to defend our society.”