On 24th March 2021, the UK government published the Cyber Security Breaches Survey 2021, featuring an analysis of 1,419 UK businesses and a review of 2020's cyber threat landscape. The report highlights how the Covid-19 pandemic has made it much more difficult for organisations to protect themselves against modern cyber-attacks while staff are working from home.
While employees have tried to get used to working away from the office, the number of cyber-attacks has remained high. 27% of organisations that identified breaches or attacks experienced them once a week, with phishing attempts making up the most common type of threat at 83%.
In response to the challenges of maintaining cyber security post-Covid, organisations have displayed a variety of responses, from those that have attempted to bury their heads in the sand to cyber-mature organisations that have maintained their commitment and experimented with new ways to increase security.
In this article, we're going to break down some of the key findings of the UK Cyber Security Breaches Survey 2021, including the most common cyber threats, how organisations have responded to these threats, and more.
Most Common Threats of 2020: Phishing, Impersonation, and Malware
2020 saw a wide range of threats that organisations needed to be aware of, and one of the biggest trends was the growth in phishing attempts that rely on manipulation rather than brute force hacks or exploits to breach an organisation's defences.
Since 2017, there has been a sharp rise in phishing attacks (72% to 83%) compared to a significant decrease in viruses and malware (33% to 9%), and a drop in ransomware (17% to 7%).
While phishing attempts were the most common type of threat encountered (83%), the type of threats identified were incredibly diverse. Out of 654 businesses that identified a breach or attack in the last 12 months:
- 83% experienced phishing attempts
- 27% experienced individuals impersonating an organisation in emails or online
- 9% experienced viruses, spyware, or malware
- 8% experienced denial of service attacks
- 8% experienced hacking or attempted hacking of online bank accounts
- 7% experienced takeovers of organisations’ or users’ accounts
- 7% experienced ransomware
- 2% experienced unauthorised accessing of files or networks by outsiders
- 2% experienced unauthorised accessing of files or networks by staff
- 1% experienced unauthorised listening into video conferences or instant messages
- 5% experienced other breaches or attacks
It's important to note that the most common types of cyber-attacks reported by large organisations were slightly different, with phishing attacks (91%), impersonation (63%), and unauthorised use of computers or networks by staff (15%) making up the top three most common threats.
Incident Response Remains a Challenge
Once the Covid-19 pandemic began in 2020, cyber criminals had an unprecedented opportunity to capitalise on all the chaos and targeted enterprises with sophisticated new threats. At the same time, many organisations struggled to produce a cohesive incident response strategy ready to combat the next generation of online threats.
Even though 66% of businesses reported having a formalised incident response process, those approaches weren’t comprehensive, even in large organisations. For instance, only 45% of large businesses had communications and public engagement plans for responding to incidents.
Despite the limitations of many organisations’ incident response strategies, a substantial proportion of enterprises remained committed to responding to incidents with a variety of measures. Out of the businesses surveyed:
- 44% attempted to identify the source of the incident
- 43% debriefed to log any lessons learnt
- 43% had roles and responsibilities assigned to specific individuals
- 42% conducted an assessment of the scale and impact of the incident
- 36% formally logged incidents
- 34% had written guidance on who to notify
- 17% had communications and public engagement plans
- 32% had none of the above
The results show that most companies have attempted to take some form of action to follow up on security incidents, even if there is a minority (32%) that haven't taken any of the actions above. Overall, this suggests that modern companies are making a genuine effort to do their due diligence and respond to data breaches effectively, but there is definite room for improvement.
Covid-19: Most Organisations Remain Committed to Cyber Security
One of the most notable themes of the survey was that the Covid-19 pandemic hadn't weakened organisations' attitudes toward cyber security. In fact, the research showed that:
- 84% stated Covid-19 had made no change to cyber security in their organisation
- 14% said it had become a higher priority
- 2% said it was a lower priority
The qualitative research also indicates that many enterprises have increased IT and cyber security investment to adapt to the post-Covid threat landscape. It also revealed that many organisations adopted new security solutions like cloud security and multi-factor authentication to further decrease the chance of falling victim to an attack.
Among organisations that said cyber security had become a lower priority, there wasn't any consistent reason discovered, but one respondent suggested cyber security had taken a back seat due to business continuity. The respondent explained, "the priority for us as a business was survival...it was more about survival than anything else from March 2020 to June 2020."
For most organisations, though, it appears that Covid-19 hasn't weakened their commitment to cyber security. This is good news given the high volume of cyber threats on the horizon as we emerge on the other side of the pandemic.
Most Common Ways to Identify and Manage Cyber Risks
In response to the variety of threats faced over the past 12 months, organisations have taken a diverse approach towards identifying cyber risks, with businesses taking the following actions (and 52% taking at least one of the actions below):
- 35% used specific tools designed for security monitoring
- 34% conducted a risk assessment covering cyber security risks
- 20% tested staff (e.g. phishing simulation exercises)
- 15% carried out a cyber security vulnerability audit
- 13% carried out penetration testing
- 9% invested in threat intelligence
The survey showed that among all organisations, security monitoring and risk assessments are the go-to tools for preparing to manage future threats. In contrast, more specialist solutions, like penetration testing or phishing simulation exercises, only tend to be implemented by large organisations.
Large organisations are the most likely to carry out the security controls listed above and carry out a more diverse range of controls. For instance, 52% conduct penetration testing, 49% have tested their staff response with phishing simulation or similar exercises, and 48% have undertaken cyber security vulnerability audits.
Companies Struggle to Adapt to the Cyber Security Challenges of Remote Working
The rapid move toward remote working during the pandemic has caused issues around implementing effective cyber security controls. In 2020, 5% fewer businesses were deploying security monitoring tools, and 6% fewer were undertaking any form of user monitoring, making it considerably more complicated to secure endpoints.
Similarly, with more staff working from home, organisations have struggled to update hardware and software because there are more endpoints to maintain. As a result, 5% fewer businesses reported having up-to-date malware detection, and 5% fewer reported having set up network firewalls.
Lack of hardware and software updates has led to an increase in vulnerabilities, with 32% of businesses reporting having unsupported versions of Windows, presenting a security risk that cyber criminals can exploit.
On the flipside, there are organisations that have taken a more proactive approach to cyber security and implemented the following controls:
- 43% have taken out some form of cyber insurance
- 35% have undertaken cybersecurity risk assessments
- 20% have tested staff through means such as phishing simulation exercises
- 15% have carried out cybersecurity vulnerability audits
- 12% have reviewed the cybersecurity risk posed by suppliers
Organisations Turn to Cyber Security Insurance to Reduce the Impact of Attacks
The number of organisations turning to cyber insurance has increased by 11% from 2019, as more companies attempt to protect themselves from the financial impact of data breaches and other attacks. The majority of these policies are broader insurance policies with a cyber component (37%), rather than cyber-specific insurance policies (6%).
The survey revealed that cyber security insurance was most common in the following sectors:
- Finance and insurance (60%)
- Information and communications (57%)
- Health/social care and social work (53%)
- Professional/scientific/technical firms (53%)
On a similar note, it appears that large firms are the most likely to purchase specific cyber security policies, with 21% of large firms having a cyber-specific security insurance policy, followed by 17% of medium firms, 13% of small firms, and just 4% of micro firms. This suggests that larger firms have more specialised insurance coverage and benefit from more complete protection during security events.
Despite the increase in insurance coverage and the range of companies purchasing policies, few firms actually need to make use of their insurance, with the study showing that less than 1% of each category report having made an insurance claim.
Most Common Actions Taken to Prevent Data Breaches
Of the organisations that identified data breaches, the majority (62%) have taken action to prevent further breaches. The most common actions taken to prevent future data breaches have included:
- Changes including providing additional staff training or communications (19%)
- Installing/changing/updating antivirus or anti-malware software (14%)
- Changing or updating firewall or system configurations (11%)
- Implementing other new software tools other than antivirus or anti-malware (5%)
The substantial proportion of organisations that focused on providing additional staff training or communications is a positive sign, as these measures will increase awareness, which is critical for dealing with the most common types of threats modern companies face, such as phishing and impersonation attempts.
However, there remains a significant minority that aren’t taking any action to prevent future data breaches, with 36% having taken no action since their most disruptive breach. These companies are likely to remain at high risk of falling victim to future data breaches.
Modern Organisations Remain Committed to Cyber Security, but Clear Areas for Improvement Remain
By and large, the UK Cyber Security Breaches Survey 2021 shows that modern organisations remain committed to cyber security in spite of the challenges of the Covid-19 pandemic and the onslaught of new threats. While not every organisation has a comprehensive threat prevention or incident response plan, most are making at least some form of effort to protect their systems. However, clearly there is more to do.
As we move further into 2021, the next step for cyber-mature organisations is to eliminate security gaps, and to diversify their threat prevention/response measures to ensure they’re equipped to effectively confront future security incidents.
In particular, every organisation should prioritise having a robust incident response plan in place, with access to the right skills and resources at short notice in order to diagnose and respond to the incidents that will inevitably occur. It goes without saying that the faster an incident is diagnosed and contained, the lower the financial and reputational damage that will ensue.
Contact us now for more information on how to enhance your breach prevention and response strategy.