On 24th March 2021, the UK government published the Cyber Security Breaches Survey 2021, featuring an analysis of 1,419 UK businesses and a review of 2020's cyber threat landscape. The report highlights how the Covid-19 pandemic has made it much more difficult for organisations to protect themselves against modern cyber-attacks while staff are working from home.
While employees have tried to get used to working away from the office, the number of cyber-attacks has remained high. 27% of organisations that identified breaches or attacks experienced them once a week, with phishing attempts making up the most common type of threat at 83%.
In response to the challenges of maintaining cyber security post-Covid, organisations have displayed a variety of responses, from those that have attempted to bury their heads in the sand to cyber-mature organisations that have maintained their commitment and experimented with new ways to increase security.
In this article, we're going to break down some of the key findings of the UK Cyber Security Breaches Survey 2021, including the most common cyber threats, how organisations have responded to these threats, and more.
2020 saw a wide range of threats that organisations needed to be aware of, and one of the biggest trends was the growth in phishing attempts that rely on manipulation rather than brute force hacks or exploits to breach an organisation's defences.
Since 2017, there has been a sharp rise in phishing attacks (72% to 83%) compared to a significant decrease in viruses and malware (33% to 9%), and a drop in ransomware (17% to 7%).
While phishing attempts were the most common type of threat encountered (83%), the types of threat identified were incredibly diverse. Out of 654 businesses that identified a breach or attack in the last 12 months:
It's important to note that the most common types of cyber-attacks reported by large organisations were slightly different, with phishing attacks (91%), impersonation (63%), and unauthorised use of computers or networks by staff (15%) making up the top three most common threats.
Even though 66% of businesses reported having a formalised incident response process, those approaches weren’t comprehensive, even in large organisations. For instance, only 45% of large businesses had communications and public engagement plans for responding to incidents.
Despite the limitations of many organisations’ incident response strategies, a substantial proportion of enterprises remained committed to responding to incidents with a variety of measures. Out of the businesses surveyed:
The results show that most companies have attempted to take some form of action to follow up on security incidents, even if there is a minority (32%) that hasn't taken any of the actions above. Overall, this suggests that modern companies are making a genuine effort to do their due diligence and respond to data breaches effectively, but there is definite room for improvement.
The qualitative research also indicates that many enterprises have increased IT and cyber security investment to adapt to the post-Covid threat landscape. It also revealed that many organisations adopted new security solutions like cloud security and multi-factor authentication to further decrease the chance of falling victim to an attack.
Among organisations that said cyber security had become a lower priority, no consistent reason was found, but one respondent suggested cyber security had taken a back seat due to business continuity. The respondent explained, "the priority for us as a business was survival...it was more about survival than anything else from March 2020 to June 2020."
For most organisations though, it appears that Covid-19 hasn't weakened their commitment toward cyber security. This is good news given the high volume of cyber threats on the horizon as we emerge out the other side of the pandemic.
In response to the variety of threats faced over the past 12 months, organisations have taken a diverse approach towards identifying cyber risks, with businesses taking the following actions (and 52% taking at least one of the actions below):
The survey showed that among all organisations, security monitoring and risk assessments are the go-to tools for preparing to manage future threats. In contrast, more specialist solutions, like penetration testing or phishing simulation exercises, only tend to be implemented by large organisations.
Large organisations are the most likely to carry out the security controls listed above, and they carry out a more diverse range of controls. For instance, 52% conduct penetration testing, 49% have tested their staff response with phishing simulation or similar exercises, and 48% have undertaken cyber security vulnerability audits.
Similarly, with more staff working from home, organisations have struggled to update hardware and software because there are more endpoints to maintain. As a result, 5% fewer businesses reported having up-to-date malware detection, and 5% fewer reported having set up network firewalls.
Lack of hardware and software updates has led to an increase in vulnerabilities, with 32% of businesses reporting having unsupported versions of Windows, presenting a security risk that cyber criminals can exploit.
On the flipside, there are organisations that have taken a more proactive approach to cyber security and implemented the following controls:
The number of organisations turning to cyber insurance has increased by 11% from 2019, as more companies attempt to protect themselves from the financial impact of data breaches and other attacks. The majority of these policies are broader insurance policies with a cyber component (37%), rather than cyber-specific insurance policies (6%).
The survey revealed that cyber security insurance was most common in the following sectors:
On a similar note, it appears that large firms are the most likely to purchase cyber-specific policies, with 21% of large firms having a cyber-specific insurance policy, followed by 17% of medium firms, 13% of small firms, and just 4% of micro firms. This suggests that larger firms have more specialised insurance coverage and benefit from more complete protection during security events.
Despite the increase in insurance coverage and the range of companies purchasing policies, few firms actually need to make use of their insurance, with the study showing that less than 1% of each category report having made an insurance claim.
Of the organisations that identified data breaches, the majority (62%) have taken action to prevent further breaches. The most common actions taken to prevent future data breaches have included:
The substantial proportion of organisations that focused on providing additional staff training or communications is a positive sign, as these measures will increase awareness, which is critical for dealing with the most common types of threats modern companies face, such as phishing and impersonation attempts.
However, there remains a significant minority that aren’t taking any action to prevent future data breaches, with 36% having taken no action since their most disruptive breach. These companies are likely to remain at high risk of falling victim to future data breaches.
By and large, the UK Cyber Security Breaches Survey 2021 shows that modern organisations remain committed to cyber security in spite of the challenges of the Covid-19 pandemic and the onslaught of new threats. While not every organisation has a comprehensive threat prevention or incident response plan, most are making at least some form of effort to protect their systems. However, clearly there is more to do.
As we move further into 2021, the next step for cyber-mature organisations is to eliminate security gaps, and to diversify their threat prevention/response measures to ensure they’re equipped to effectively confront future security incidents.
In particular, every organisation should prioritise ensuring they have a robust incident response plan in place, with access to the right skills and resources at short notice in order to diagnose and respond to the incidents that will inevitably occur. It goes without saying that the faster an incident is diagnosed and contained, the lower the financial and reputational damage that will ensue.
Contact us now for more information on how to enhance your breach prevention and response strategy.