Welcome to our April roundup of the latest in cybersecurity news!
This month, while the usual has been carrying on (Ransomware, Breaches, AI, Regulation), we’ve chosen to focus on some surveys and statistics. Yes, it’s that happy time of year when the UK government surveys start to drop, and we see whether there’s anything new in cyber.
We highlight two surveys in particular below – the DSIT Breaches survey and the cyber longitudinal survey. Some interesting findings are outlined below, but one thing leaping out at us is this: small organisations are a long way behind medium and large organisations in preparing for cyber. You may say that this is to be expected – they are usually simpler, after all. However, when a large organisation buys from a smaller organisation, it still sends those questionnaires, and still expects the same boxes to be ticked for cyber compliance as it would for larger organisations. This means a lot of work for the smaller organisation just to get the box ticked. Our question is whether this is really necessary. Does it improve their security in the least? Answers on a postcard, please.
DSIT Cyber Breaches survey
The Department for Science, Innovation and Technology (DSIT) commissioned the Cyber Security Breaches Survey of UK businesses, charities and education institutions as part of the National Cyber Security Programme. The findings provide a snapshot of cyber security at UK organisations. Not in the UK? Here’s a secret: threats usually don’t differentiate location in our experience. Here are some interesting observations:
- Half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. The definition of a cyber breach is fairly broad, though. To put this into context, when phishing-related cyber-crimes are removed, the survey estimates that 3% of businesses have experienced at least one non-phishing cyber incident in the last 12 months.
- Compared to the previous survey, organisations have improved the extent to which they use common cyber controls. For example:
  - using up-to-date malware protection (up from 76% to 83%)
  - restricting administration rights (up from 67% to 73%)
  - network firewalls (up from 66% to 75%)
  - agreed processes for phishing emails (up from 48% to 54%).
- There are big differences between smaller and medium/large organisations. For example:
  - 72% of large businesses have completed cyber security risk assessments in the last year, but only 31% of all businesses have.
  - 71% of large businesses use security monitoring tools, against 33% of all businesses.
  - 48% of large businesses review security in their supply chain, compared to 11% of all businesses.
The takeaways for us are (a) smaller businesses need to improve their game if they want to sell to larger organisations (who review security in their supply chain, remember) and (b) other threats exist, but it’s still about phishing.
Cyber longitudinal survey
The UK government released the results of a survey of the cyber security measures at about 1000 UK organisations last week. The aim was to show changes in organisations' policies, procedures, measures and attitudes towards cyber security (this is the third survey). The highlights for us are:
- 22% of organisations had all five documents considered core (business continuity plan, asset register, asset risk assessment, risk register covering cyber security, risk tolerance document)
- 59% trained staff in cyber
- 55% have a nominated Board member for cyber security
- 59% of organisations had cyber incident response procedures
- 46% of organisations tested these incident response procedures
The survey focuses on medium and larger organisations, and it shows that some of the basic measures expected in a cyber programme aren't in place at many of them. It may mean we're asking for the wrong documentation and processes, or that people aren't focusing on this, or something else entirely (who are we to judge). However, it is interesting that the numbers aren't higher, as the requirements were pretty basic.
Summary of news
Rather than list individual stories, we settled for a word cloud this month. We knew there'd be a use for them somewhere, and a quick look at the highlights from the alerts we have picked up tells a story: still ransomware, still third-party breaches, still chatter about AI. AI regulation is still developing (more on that over the summer, I'd say), and ransomware is a constant (more on that next month). We've written previously on third-party breaches, but if you have any questions, please get in touch.