Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
The recent Cyber Security Breach Survey 2018 Report (sponsored by the Ministry of Digital, Culture, Media and Sports) highlights threats facing U.K. businesses and charities and how they must contend with a growing threat landscape. Similar to cyberattacks on a U.K. Finance group where scammers defrauded bank consumers of more than £1.2 billion in 2018 and on the Police Federation of England and Wales that deleted and encrypted its files, this report reveals that breaches across industries are becoming the norm, not the exception.
The Cyber Security Breach report, which surveyed more than 2,000 U.K. businesses and charities, found that nearly half (43 percent) of firms incurred some form of data breach including personally identifiable Information (PII) and payment details. Interestingly, while three-quarters those surveyed (74 percent) consider cyber security important a critical issue for senior management and boards, only a quarter (27 percent) have a formal security policy.
Considering that almost all (98 percent) of surveyed firms rely on digital information and storage and public websites to collect information and payment details, formal cyber programs and reporting is critical to protecting consumer data and meeting the requirements of GDPR privacy laws.
This U.K. report echoes findings in our FutureWatch survey of 1,250 senior security executives, which highlighted the paradox that cybersecurity is important to senior management and the board, yet less than one-third (30 percent) of respondents have a board member tasked to risk associated with security, and a shocking one-fifth (20 percent) never updated senior management on security events and breaches.
This data also parallels a report that than one-sixth (16 percent) of FTSE 350 boards do not have a comprehensive understanding of the impact of losses or disruptions associated with cyber threats.
Given the mixed messages from leadership, it is no surprise that this recent U.K. report claims only one-quarter (27 percent) of firms have a formal cyber policy (down from last year!) and only 20 percent mandate staff attend security awareness training. And just 50 percent of companies have implemented any of the based rules recommended by the National Cyber Security Centre (NCSC):
As would be expected, security postures are strongest in heavily regulated industries like financial services and information and telecommunications, with healthcare lagging in the midfield, and hospitality (think Marriott breach).
Only 38 percent of U.K. businesses and charities are aware of the GDPR rules and implications to their businesses. Remember 98 percent collect personal information on customers and employees, which means 100 percent are governed by GDPR! What’s worse, of those aware of GDPR, only 13 percent have amended their policies to meet GDPR requirements that came into effect May 2018. I’m going to go out on a limb here to say that’s about 87 percent shy of how many companies needed to change practices to meet GDPR compliance!
Closing the Gap and Improving Cyber Leadership
As it happens, the NCSC just released its Board Toolkit created to "encourage essential discussions about cyber security to take place between the Board and their technical experts.” Like the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight,the NCSC Board Toolkit outlines key obligations and priorities for board members and senior executives.
The first is for boards to familiarize themselves with the information required to make informed decisions about the risks their business faces. This includes establishing a baseline of risks and understanding the implications of cyber security threats. Armed with this information, boards are charged to evaluate and prioritize risks and the complementary risk management programs they require management to put in place, including:
Given the growing threat and necessity to meet legislative obligations, it’s time for U.K. firms to improve their security posture, establish proper security policies and implement core cyber controls. To find out how your company fairs, take a few minutes to complete our Risk Index.
Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.