Brian Sims
Editor

Cyber survey shows “critical lack of awareness” in business community

AS REPORTED by Security Matters on 9 April, the Government recently issued the results of the Cyber Security Breaches Survey 2024. Having appraised its contents, several sector specialists have offered their thoughts. Tom Kidwell, a former British Army and UK Government intelligence specialist and co-founder of Ecliptic Dynamics, feels the business community is demonstrating a “critical lack of awareness”.

“It’s promising to see a rise in the number of UK businesses now undertaking basic cyber hygiene practices,” noted Kidwell, “from malware protection and restricting admin rights through to implementing network firewalls and standard processes for dealing with phishing e-mails. These measures are particularly important when you consider the number of attacks companies are reporting have risen by 18% compared to last year.”

According to Kidwell, unsophisticated techniques such as phishing remain the most common form of attack. As such, basic cyber hygiene can be the difference between businesses being breached or not. “It’s good news that the adoption of these practices and products that facilitate them has increased for the first time in the last three years.

The spike in cyber hygiene coupled with the rise in the number of businesses buying cyber insurance (up from 37% to 43%) strongly indicates an increase in cyber awareness and investment. However, there are several findings of concern in the Cyber Security Breaches Survey suggesting that this may not actually be the case on the ground.”

“Only 11% of businesses are reviewing the risks posed by their immediate suppliers, despite supply chain attacks accounting for a huge proportion of breaches across all sectors,” urged Kidwell. “Three-quarters of businesses stated that cyber security is a high priority for their senior management. Although this is a large proportion, it also means that 25% of Board-level leaders in the UK are not placing enough importance on security. This is reinforced by the fact that just three in every ten businesses have senior management directly responsible for cyber security. This figure has stagnated since last year.”

Kidwell continued: “There has been an increase in the number of businesses with a formal cyber strategy in place. This number is up 58% for medium-sized companies and by 66% for larger businesses. Again, though, this means that almost 50% of all medium-sized businesses and one-third of large businesses are still operating without a plan in place for their cyber security. With attacks becoming increasingly prevalent and indiscriminate, every business with a digital footprint should have at least a basic cyber security strategy worked out and in operation.”

Further, Kidwell explained: “Within the channel, it seems that the Government-backed Cyber Essentials Scheme is being ignored by a vast number of IT and Managed Service Providers. The report outlines that, despite 41% of businesses seeking advice from the channel, only 12% are aware of Cyber Essentials, which represents a decline since 2021.”

Kidwell concluded: “The increase in basic cyber hygiene is a step in the right direction. However, there remain underlying figures within the Cyber Security Breaches Survey which suggest the mindset and action among businesses are still lagging behind today’s threats. In 2024, it’s critical that organisations are aware of their risk and have a proportionate response to that risk. Formalised plans, increased knowledge and Board-level buy in are essentials.”

Supply chain threat

Richard Staynings, chief security strategist for Cylera, is a globally renowned cyber security thought leader and author who has served on numerous Working Groups and Boards to advise Governments and private sector providers when it comes to improving cyber security across industry.

“The Cyber Breaches Survey 2024 shows that an alarming 18% more businesses have experienced some form of cyber security breach or attack in the last 12 months compared to last year’s findings,” stated Staynings. “This spike in attacks is likely behind the increase in the number of businesses implementing some form of insurance.”

Staynings added: “Yet, despite this upward trend in attacks, it’s particularly worrying to read that the percentage of organisations taking action to identify cyber risks within their organisation and the supply chain is largely unchanged when compared to the year before.”

Circa three-in-ten businesses have undertaken cyber security risk assessments in the last year with only around one-third of businesses deploying security monitoring tools. The number of companies reviewing the risks posed by their immediate suppliers hasn’t changed and remains at just over one-in-ten.

“It’s concerning how rare it remains for organisations to be reviewing supply chain risk. This is an accident waiting to happen. Organisations in the public and private sectors need to do a much better job of managing third parties and in assessing third party risk. They must understand what’s connected to their networks and what risk each of these systems presents. This is a significant concern given the growth in Internet of Things devices, which often lack cyber security and are rarely patched.”

Staynings went on to comment: “Most industries tend to do a terrible job of managing the security of their supply chain. Whether supplying goods for a café or an external accountant, all third party vendors need to be held to the same security standards and policies as the host organisation.”

According to Staynings, the trouble is that few businesses enforce this ‘rule’ in their contracts with third parties by making it a prerequisite that the latter have policies and procedures in place that meet the required standards, that they have quality assurance in place, staff training and access controls set up, and also that they provide ISO/IEC 27001 certification for their Information Security Management Systems.

In conclusion, Staynings observed: “We cannot have third party vendors winning contracts for critical industry sectors such as healthcare based simply on the fact that their submission was the lowest bid.”

Investment and understanding

Tom Henson, managing director at Emerge Digital (the technology and digital innovation business and Managed Services Provider based in the UK) has also issued comment on the results of the Cyber Security Breaches Survey.

Henson said: “The document raises some interesting questions about the investment in, and the understanding of cyber security from the point of view of UK businesses. There has been a marked increase in the number of businesses undertaking basic cyber hygiene processes in the last 12 months, including the use of up-to-date malware protection, restricting admin rights, implementing network firewalls and having agreed processes in place. However, on the flip side of these findings, it’s deeply concerning that nearly two-fifths of businesses don’t have up-to-date malware protection. There simply is no excuse for businesses not to have these types of protections. Although the figures highlight steps taken in the right direction, it isn’t enough.”

In addition, Henson informed Security Matters: “It’s worrying to see such a small percentage of businesses with oversight of their supply chain. Just 11% review the risks posed by their immediate suppliers, while only 6% look at their wider supply chain. A vast number of breaches which occur are caused by supply chain attacks. Gaining visibility of supplier risk should be a top priority for all businesses.”

For large businesses, which are investing more in cyber security, there has been a dip in both immediate and wider supply chain risk analysis. This is likely because, following a spike in 2023, businesses felt comfortable that they had taken action and could now relax slightly. However, when it comes to cyber security, this simply isn’t the case. Cyber criminals are working overtime to try to find new ways in which to breach businesses. According to Henson, it follows that senior leaders must do the same. By not constantly evolving and improving their defences, they afford attackers the chance to catch up.

“It’s also surprising that such a large number of businesses remain unaware of the Government-backed Cyber Essentials Scheme. This figure has decreased year-on-year from 16% in 2022. Cyber Essentials gives businesses a solid base-level of protection. It’s the Government’s flagship cyber certification and it is staggering that so many are still unaware of its existence.”

Henson also noted: “The report finds that just 41% of businesses had sought out external cyber security advice this year. This number should be much higher. Seeking advice is the first step in improving cyber security. The fact that upwards of 50% of UK businesses are yet to take this step is really concerning.”
