Brian Sims
Editor
The sixth Cyber Security Breaches Survey in the Government's annual series continues to show that such breaches remain a serious threat to all types of businesses. Those identifying breaches or attacks state that their frequency is undiminished, while phishing remains the most common threat vector.
Four-in-ten businesses (39%) and a quarter of charities (26%) report having suffered from cyber security breaches or attacks in the last 12 months. As was the case in previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).
This year, fewer businesses are identifying breaches or attacks than in 2020 (when the figure was 46%), while the charity results are unchanged. This could be the result of a reduction in trading activity from businesses during the pandemic, which may have inadvertently made some businesses temporarily less detectable to attackers this year.
However, other quantitative and qualitative evidence from the study suggests that the risk level is potentially higher than ever under COVID-19, and that businesses are finding it harder to administer cyber security measures during the pandemic. For example, fewer businesses are now deploying security monitoring tools (35% versus 40% last year) or undertaking any form of user monitoring (32% versus 38%). Therefore, this reduction among businesses possibly suggests that they are simply less aware than before of the breaches and attacks their members of staff are facing.
Among those that have identified breaches or attacks, around a quarter (27% of businesses and 23% of charities) experience them at least once a week. The most common by far are phishing attacks (for 83% and 79% of respondents respectively), followed by impersonation (27% and 23%). Broadly, these patterns around frequency and threat vectors are in line with the 2020 and 2019 survey results.
Negative outcome
A sizeable number of organisations that identify breaches report a specific negative outcome or impact. On average, for those that do, the costs are substantial. Among the 39% of businesses and 26% of charities that identify breaches or attacks, one-in-five (21% and 18% respectively) end up losing money, data or other assets. One-third of businesses (35%) and four-in-ten charities (40%) report being negatively impacted regardless, for example because they require new post-breach measures to be put in place, have staff time diverted or otherwise suffer wider business disruption.
These figures have shifted gradually over time. The proportions experiencing negative outcomes or impacts in 2021 are significantly lower than in 2019 and the preceding years. This is not due to breaches or attacks becoming less frequent, with no notable change in frequency this year. Instead, it may, at least in part, be due to more organisations implementing basic cyber security measures following the introduction of the General Data Protection Regulation in 2018. It could also reflect other trends such as the rising use of cloud storage and back-ups.
Nevertheless, where businesses have faced breaches with material outcomes, the average (ie mean) cost of all the cyber security breaches these businesses have experienced in the past 12 months is estimated to be £8,460. For medium and large firms combined, this average cost is higher at £13,400. There are too few charities in the sample to report average costs in this way, but the overall costs recorded for businesses and charities are seen to follow a similar pattern.
With COVID-19 stretching many organisations’ cyber security teams to their limits, cyber security remains a priority for Boards of Directors, but it hasn’t necessarily become a higher priority under the pandemic. Three-quarters (77%) of businesses say cyber security is a high priority for their directors or senior managers, while seven-in-ten charities (68%) say this of their trustees. While there have been minor fluctuations in these findings over the past three years, cyber security remains a higher priority compared to when the Government first surveyed each group (ie 69% in 2016 for businesses and 53% in 2018 for charities).
Updates for senior management
Half of businesses (exactly 50%) and four-in-ten charities (40%) update their senior management teams about the actions taken on cyber security at least quarterly. That’s in line with the 2020 survey results. However, the percentage of charities reporting that their senior managers are never updated on cyber security has increased since last year (to 23% versus 12% in 2020).
Overwhelmingly, businesses (84%) and charities (80%) report that COVID-19 has made no change to the importance they place on cyber security. The qualitative research suggests that some organisations have increased their investment in IT and cyber security in response to the pandemic. Many organisations adopted new security solutions, including cloud security and multi-factor authentication, or new rules requiring VPN connections to access files.
These changes were often characterised as being about business and IT service continuity. However, in some cases, interviewees felt that Boards of Directors and end users did not fully appreciate the role of cyber security in facilitating long-term business continuity. In the immediacy of the pandemic, cyber security measures were sometimes viewed in the near term as being in conflict with business continuity rather than complementing it.
The COVID-19 pandemic has led to significant changes in ways of working. This has made cyber security harder for many organisations. In qualitative interviews, many organisations explained that COVID-19 and the ensuing move to home working initiated substantial changes in their digital infrastructure. Many issued laptops or tablets to staff, set up Virtual Private Networks (VPNs) or expanded existing VPN capacity, started using cloud servers and had to quickly approve new software. In a new question this year, the survey finds that one third of businesses (34%) and a fifth of charities (20%) have a VPN.
These changes have led to new challenges for organisations to contend with as part of their cyber security management approaches. Direct security and user monitoring have become harder in organisations where staff are working remotely. As previously noted, fewer businesses are deploying security monitoring tools than in 2020 (down from 40% to 35%). Fewer businesses (32% versus 38% in 2020) and charities (29% versus 38%) are now undertaking any form of user monitoring.
Upgrading hardware, software and systems
Upgrading hardware, software and systems has also become more difficult. With staff working at home, there are more endpoints for organisations to keep track of on an ongoing basis. Fewer businesses (83% versus 88% in 2020) and charities (69% versus 78%) report having up-to-date malware protection. Fewer businesses (78% versus 83%) and charities (57% versus 72%) have set up network firewalls. Among large businesses in particular, laptops running unsupported versions of Windows are a significant security risk: 32% of large businesses report having them.
More generally, the pandemic has stretched resources and led to competing priorities in IT and cyber security teams. In some cases, there was a perceived conflict between prioritising IT service continuity and maintenance work on the one hand and aspects of cyber security such as patching software on the other.
COVID-19 has been an unexpected and unprecedented challenge for organisations. In terms of cyber security, the findings of the latest Government survey highlight that there’s more that organisations can do to plan for – and ensure that they’re resilient to – future uncertainties.
The survey findings highlight that a minority of organisations overall have taken actions in specific areas, although those actions are far more common among medium and large businesses. Companies have:
* taken out some form of cyber insurance (43% of businesses and 29% of charities) – this is up from 32% for businesses in 2020
* undertaken cyber security risk assessments (34% and 32%)
* tested staff, such as by way of mock phishing exercises (20% and 14%)
* carried out cyber security vulnerability audits (15% and 12%)
* reviewed cyber security risks posed by suppliers (12% and 8%)
As the UK emerges from the COVID-19 pandemic, organisations might also consider what more they can do to manage cyber security risks in a “blended” working environment (ie wherein staff are regularly working both in offices and at home). Three-in-ten businesses (31%) and slightly fewer charities (27%) have a business continuity plan that covers cyber security. This was a new question for 2021.
A quarter of businesses and charities (23% of each) have cyber security policies that cover home working. A fifth of businesses (18%) and a quarter of charities (23%) have policies that cover the use of personal devices for work. The extent to which these areas feature in cyber security policies hasn’t changed significantly since last year.
Smart devices
Over four-in-ten businesses (46%) and three-in-ten charities (30%) are using smart (ie network-connected) devices in workplaces. This was also a new question for 2021 and highlights a potential new area of cyber risk for organisations to address.
The qualitative research also highlights organisations’ cyber security ambitions for the future and the broader challenges they expect to face. Many expect to make continuous improvements in their cyber security, which includes, for example, rolling out multi-factor authentication or tweaking policies and processes to cover Software-as-a-Service.
Some also expect to move further away from an approach of locking down user activity towards one that prioritises functionality and flexibility. Cyber security teams may therefore need to realign themselves to wider strategic business needs in some cases, duly emphasising how staff can use new technologies, software and platforms securely rather than banning them altogether.