Cyber Security: Aware, but not ready
The Cyber Security Breaches Survey 2016 suggests businesses are aware of the risks and suffering losses, but are not doing enough to address them.
The survey, conducted by Ipsos MORI on behalf of the UK government, involved over a thousand UK businesses of all sizes.
The results indicate that awareness of cyber security risk is high and that many organisations had experienced breaches in the last 12 months, at considerable cost:
- 69% of businesses say that cyber security is either a high or very high priority for directors and senior management.
- 24% of businesses detected one or more security breaches in the last 12 months. 65% of large firms had, with 25% experiencing a breach at least once a month.
- The average cost to each affected business of all breaches over the last 12 months was £3,480. For large businesses it was £36,500. The most valuable single breach cost the affected organisation £3,000,000.
The most common breaches suffered were:
- Viruses, spyware or malware (68%).
- Others impersonating the organisation in emails or online (32%).
- Denial-of-service attacks (15%).
- Hacking (13%).
The increased awareness and actual experience of breaches has not resulted in the widespread adoption of formal policies and procedures to identify and minimise risks and to deal with incidents:
- 51% of businesses have attempted to identify the cyber risks faced by their organisations, although over 94% of large firms have.
- Only 29% of firms have written cyber security policies.
- Only 10% have formal incident management processes.
- Only 34% have rules regarding the encryption of personal data.
- Only 13% of firms (34% of large firms) set cyber security standards for suppliers.
There is also low awareness of cyber security initiatives and standards. 18% were aware of ISO 27001, with only a quarter of those having implemented it, whilst 11% were aware of the Government’s 10 Steps guidance.
The report underlines the low level of reporting of breaches to external bodies, with only 36% doing so in respect of their most disruptive breach, mostly to an outsourced cyber security provider. Only 18% reported it to the police and 23% to banks, building societies and credit card providers. Reporting breaches can mitigate risks to customers (such as credit card fraud) arising from breaches and increase cyber crime intelligence, even if a prosecution does not result.
WAB comment
As might be expected, larger organisations with their greater resources, division of responsibility and (in certain sectors) regulatory requirements, showed better results for awareness and planning. However, cyber criminals know that SMEs are soft targets and will deliberately direct attacks at them accordingly.
The incentives for business to take steps to deal with cyber security risks are increasing not only with heightened activity but also tougher regulation. The consequences for businesses of not doing enough to prevent breaches of personal data will increase with the implementation of the General Data Protection Regulation in May 2018, which vastly increases fines and imposes obligations including in respect of contracts with data processors. The implementation of the Cyber Security (NIS) Directive will also impose additional obligations on certain organisations who provide essential services or specific digital services, including cloud computing.
White & Black are experts in cyber security matters and are the authors of a suite of practice notes on Practical Law about cyber security risks, regulation, preparedness and incident management. For further information on cyber security matters and the advice and training White & Black can offer, please contact Nick Mathys, Phil Thompson, Nick Mitchell or John Allen.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.