Cyber security has never been as important as it is today. The Cyber Security Breaches Survey 2017, published this week by the Department for Culture, Media and Sport and undertaken by Ipsos Mori, highlights some statistics that should make even the most jaded CIOs sit up and take notice.
Of the 1500+ businesses surveyed, 74% say cyber security is a very high priority for their senior management, and 67% have spent money on cyber security in some shape or form in the past year. For medium-sized businesses, the proportion of organisations that have spent money rises to 87%, and for large businesses it is 91%. The biggest reason cited for this spend is to protect customer data, according to 51% of respondents. In contrast, only 33% have a formal policy that covers cyber security risks, or document these risks in a business continuity plan, audit or risk register. Only 11% have a cyber security incident management plan in place. It seems that the fear of attack has induced spend, but hasn’t extended to the policies and procedures that could reduce the threat of attack, or ensure that attacks are dealt with more effectively.
When firms do invest in cyber security, many of them formally evaluate the effectiveness of their spending, undertaking activities such as monitoring levels of regulatory compliance, seeking senior management feedback and measuring staff awareness. Most cite the reasons for doing so as justifying future spend and explaining the impact to the board and wider staff.
There are some other interesting results. For example, 19% say that they are worried about their suppliers’ cyber security, but only 13% require suppliers to adhere to specific cyber security standards or best practice. Again, the fears don’t seem to be translating into appropriate policies and procedures.
The report also shows that cyber security breaches or attacks are fairly common, with 46% overall identifying at least one breach or attack in the past year. This rose to 66% and 68% for medium and large firms respectively.
The most common type of attack or breach came from staff receiving a fraudulent email, followed by viruses, spyware and malware, then identity fraud and ransomware.
It’s clear that technology alone can’t eradicate cybercrime. With most attacks arriving via staff and being facilitated by human behaviour, robust policies and procedures are needed as well.
What’s really interesting to me is that, without investing much more in technology, many organisations could prepare themselves better for a cyber attack simply by changing the way staff work and by embedding cyber security awareness into the organisation’s culture. There are templates and guides available for organisations that want to implement a written Incident Response Plan, plus sample cyber security policies, which can easily be adapted. After that, it’s a case of embedding the new behaviours in employee culture through regular training. In this survey, only 20% of businesses had staff attend internal or external cyber security training in the last 12 months. Put another way, 80% of businesses didn’t, which is a bit of a worry…
Make sure to get in contact with a firm that can add some real value to your business, help you implement real risk management processes and even certify you as cyber safe, such as RFA.