In April 2019, the National Cyber Security Centre published their first ‘UK Cyber Survey’.
Independently carried out on behalf of the NCSC, a part of GCHQ, and the Department for Digital, Media and Sport (DCMS), the results will be of interest to businesses of all sizes and sectors.
Key statistics and findings from the survey:
- 32% of businesses have identified cyber security breaches or attacks in the last 12 months; this is much higher specifically among medium businesses (60%)
- Of those businesses who recorded breaches or attacks, 30% of cases resulted in a negative outcome, e.g. loss of data or assets
- £4,180 is the average annual cost for businesses that lost data or assets after breaches
- Only 15% of those surveyed said they knew a great deal about how to protect themselves from harmful activity
Most common cyber threats
Among those businesses the NCSC reported as facing breaches or cyber attacks, the most common types are:
- Phishing attacks (identified by 80% of these businesses)
- Others impersonating an organisation in emails or online (28% of these businesses)
- Viruses, spyware or malware, including ransomware attacks (27% of these businesses)
It’s also important to remember that cyber threats don’t just come from external sources but can come from inside your business, or through businesses you work with.
So, how can businesses prevent cyber breaches and attacks?
The NCSC survey recommends greater board-level involvement in cyber security, monitoring suppliers and planning incident response.
Prioritising cyber security was found not always to translate into greater engagement and action:
- 35% of businesses not having a board member or trustee with specific cyber security responsibility
- Only 18% of businesses requiring suppliers to adhere to any cyber security standards
- Only 16% of businesses having formal cyber security incident management processes in place, e.g. ISO 27001
10 steps to make your business more cyber-secure
- Always require employees to verify their identity with multi-factor authentication when logging into services. For example, after someone logs into a mobile device such as a laptop, have an automated pop-up require re-verification by re-entering their system password. Once that is done, the authentication system sends a verification code to that person’s mobile number, which must be entered before further access is granted.
- Conduct regular vulnerability scans, ensuring that critical results are actioned. Those scans check computers, networks or applications for any kind of known weaknesses.
- Only work with businesses that can demonstrate they use the same security precautions as you do (e.g. those that have an ISO 27001 certification).
- Keep software, drivers and operating systems up-to-date.
- Use password managers to discourage insecure passwords and password re-use.
- Make sure critical security patches are installed as soon as possible. A patch updates, fixes or improves a computer programme or its supporting data, fixing security vulnerabilities and other bugs and improving performance or usability.
- Use an always-on antivirus program.
- Use a whitelist for your programs to prevent unrecognised programs from running.
- Set the lowest level of access by default for all devices and services.
- Use firewalls and make sure to separate your networks.
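The re-verification flow from the first step (system password, then a one-time code sent to the person's registered mobile number), as an added Python example written for this page rather than taken from the NCSC or the survey. The SMS delivery callback, the five-minute code lifetime, the three-guess limit and the sample phone number are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: code expires five minutes after it is sent
MAX_ATTEMPTS = 3        # assumed policy: wrong guesses allowed before the code is voided


def hash_password(password: str, salt=None):
    """Salted PBKDF2 digest for storage; the plaintext password is never kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ReVerification:
    """Password re-entry, then a one-time code sent to the registered mobile number."""
    def __init__(self, salt, password_hash, mobile_number, send_sms, clock=time.time):
        self.salt, self.password_hash = salt, password_hash
        self.mobile_number = mobile_number
        self.send_sms = send_sms    # hypothetical delivery callback: send_sms(number, text)
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.pending = None         # [code, expiry, wrong_attempts] while a code is live

    def check_password(self, password: str) -> bool:
        """Stage one: on a correct password, issue and send a fresh six-digit code."""
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        if not hmac.compare_digest(digest, self.password_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self.pending = [code, self.clock() + CODE_TTL_SECONDS, 0]
        self.send_sms(self.mobile_number, f"Your verification code is {code}")
        return True

    def check_code(self, submitted: str) -> bool:
        """Stage two: accept the code once, within its lifetime, with limited guesses."""
        if self.pending is None:
            return False            # stage one not completed, or the code was already used
        code, expiry, _ = self.pending
        if self.clock() > expiry:
            self.pending = None     # expired: the user must repeat the password step
            return False
        if hmac.compare_digest(submitted.encode(), code.encode()):
            self.pending = None     # single use: the same code cannot be replayed
            return True
        self.pending[2] += 1
        if self.pending[2] >= MAX_ATTEMPTS:
            self.pending = None     # too many wrong guesses: void the code
        return False
```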