By Alan Zeichick and Mark Fox
Did you know that majority of businesses (56%) in the United Kingdom hold personal data on customers, beneficiaries or donors electronically? That’s a lot of information – and a lot of potential for data breaches.
Not just potential. In study published by the U.K. Department for Digital, Culture, Media, and Sport, 43% of businesses report data breaches or other cyberattacks.
The Cyber Security Braches Survey 2018 says that:
- More than four in ten businesses (43%) experienced a cyber security breach or attack in the last 12 months.
- Three-quarters of businesses (74%) say that cyber security is a high priority for their organization’s senior management.
- Fewer than three in ten businesses (27%, versus 33% in the previous 2017 survey), have a formal cyber security policy or policies.
Yes, the ability of U.K. businesses to protect themselves, or to respond to attacks, have apparently decreased in the past year.
Blame Bring Your Own Device?
According to the DCMS study, breaches were more often identified among the organizations that hold personal data, where staff use personal devices for work (known as bringing your own device, or BYOD) or that use cloud computing.
Indeed, the majority of businesses (56%) hold personal data on customers, beneficiaries or donors electronically. And just under half (45%) of businesses allow BYOD. The businesses where this occurs are more likely to have had breaches or attacks (49%), says the study.
Organizations acknowledged that BYOD made security more difficult to manage, because there was less technical control that could be imposed on personal devices. Some organizations had covered telecommuting with written policies – but overall, only two in ten businesses (19%) where BYOD was present have a policy covering the use of personally-owned devices for business activities.
Rules around BYOD are challenging for organizations to enforce, says the study, which says that two-thirds (66%) of businesses have a rule restricting access to company-owned devices. Even so, four in ten (40%) of these businesses still say they have staff who use personal devices for regular business activities.
Businesses that are exposed to more risk factors around personal data and use of personal devices are more likely than average to have experienced breaches:
- Businesses that hold customers’ personal data are more likely to have experienced being breached (47%).
- Businesses that have staff using personal devices for work (BYOD) are more likely than average to report breaches (49%).
What About the Cloud?
Cloud computing might be correlated with breaches, says the DCMS study. Businesses that use cloud computing are more likely to have faced breaches than those that do not (52%, versus 43% overall). But don’t take this too seriously, says the report: “Use of cloud computing should not (necessarily) be seen as a risk factor, and the survey does not determine whether the breaches that users of cloud computing do incur are related to their use of cloud computing.”
Breaches Are Driven by Fraud
The most commonly reported breaches are examples of cyber-related fraud – fraudulent emails or websites directed at staff were the most frequent, followed by people impersonating the organization in emails or online.
Breaches that rely on technical factors beyond the reach of non-specialist staff, such as denial-of-service attacks (attacks that attempt to take down an organization’s website) are relatively less common, says the study.
This is what organizations reported as the single most disruptive breach among the organizations that have identified breaches:
- 48% Fraudulent emails or being directed to fraudulent websites
- 13% Viruses, spyware or malware
- 10% Others impersonating organization in emails or online
- 7% Ransomware
- 6% Denial-of-service attacks
- 4% Unauthorized use of computers, networks or servers by outsiders
- 3% Hacking or attempted hacking of online bank accounts
- 1% Unauthorized use of computers, networks or servers by staff
- 4% Any other breaches or attacks
Breaches are Driven By Email
According to the study, the most commonly suspected source of the most disruptive breach is email attachments (mentioned by 21% of the businesses), not linked back to a specific actor.
Businesses were more likely to face intentional breaches than in the 2017 survey (74% of businesses say their most disruptive breach was intentional rather than accidental, compared to 66% in the 2017 survey). Smaller organizations were just as likely as large organisations to face intentional breaches in this regard, said the study.
Responding to Breaches
Were there response plans in place, asked the study. Around half of the businesses (52%) identifying breaches had contingency plans in place to deal with their most disruptive breach. In the overwhelming majority of cases, these contingency plans were considered effective (94% of the businesses say they were effective), highlighting the value of forward planning.
Despite this, very few businesses (13%) overall have a formal cyber security incident management process in place. This is far more common among large businesses, said the study.
Seven in ten of the businesses (70%) experiencing breaches have taken or are currently taking preventative action in response to their most disruptive breach. However, warns the study, a sizeable minority (28% of businesses) have not taken any further preventative action.
The top actions taken include installing or updating antivirus or anti-malware software, extra staff awareness-raising or training, updating firewalls or system configurations. However, businesses are less likely to have implemented extra staff awareness or training measures than in the 2017 survey (18% versus 28%), despite human error or staff awareness continuing to be among the most common factors contributing to the most disruptive breach.
It’s clear that U.K. businesses need to do better.