The recent Cyber Security Breach Survey 2018 Report (sponsored by the Ministry of Digital, Culture, Media and Sports) highlights the threats facing U.K. businesses and charities and how they must contend with a growing threat landscape. Like the cyberattacks on a U.K. Finance group, in which scammers defrauded bank customers of more than £1.2 billion in 2018, and on the Police Federation of England and Wales, which deleted and encrypted its files, this report shows that breaches across industries are becoming the norm, not the exception.
The Cyber Security Breach report, which surveyed more than 2,000 U.K. businesses and charities, found that nearly half (43 percent) of firms incurred some form of data breach, including of personally identifiable information (PII) and payment details. Interestingly, while three-quarters of those surveyed (74 percent) consider cyber security a critical issue for senior management and boards, only a quarter (27 percent) have a formal security policy.
Considering that almost all (98 percent) of surveyed firms rely on digital information and storage and on public websites to collect information and payment details, formal cyber programs and reporting are critical to protecting consumer data and meeting the requirements of GDPR privacy laws.
This U.K. report echoes findings in our FutureWatch survey of 1,250 senior security executives, which highlighted the paradox that cybersecurity is important to senior management and the board, yet less than one-third (30 percent) of respondents have a board member tasked with the risk associated with security, and a shocking one-fifth (20 percent) never update senior management on security events and breaches.
This data also parallels a report that one-sixth (16 percent) of FTSE 350 boards do not have a comprehensive understanding of the impact of losses or disruptions associated with cyber threats.
Given the mixed messages from leadership, it is no surprise that this recent U.K. report claims only one-quarter (27 percent) of firms have a formal cyber policy (down from last year!) and only 20 percent mandate that staff attend security awareness training. And just 50 percent of companies have implemented any of the basic rules recommended by the National Cyber Security Centre (NCSC):
- Frequent patching of IT systems
- Current updates running on anti-virus and firewalls
- Restricted access controls to limit accessibility to data
- Management of mobile devices (including non-corporate devices)
- Encryption of data
As would be expected, security postures are strongest in heavily regulated industries like financial services and information and telecommunications, with healthcare lagging in the midfield and hospitality behind it (think Marriott breach).
Only 38 percent of U.K. businesses and charities are aware of the GDPR rules and their implications for their businesses. Remember that 98 percent collect personal information on customers and employees, which means 100 percent are governed by GDPR! What’s worse, of those aware of GDPR, only 13 percent have amended their policies to meet the GDPR requirements that came into effect in May 2018. I’m going to go out on a limb here to say that’s about 87 percent shy of how many companies needed to change practices to meet GDPR compliance!
Closing the Gap and Improving Cyber Leadership
As it happens, the NCSC just released its Board Toolkit, created to “encourage essential discussions about cyber security to take place between the Board and their technical experts.” Like the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight, the NCSC Board Toolkit outlines key obligations and priorities for board members and senior executives.
The first is for boards to familiarize themselves with the information required to make informed decisions about the risks their business faces. This includes establishing a baseline of risks and understanding the implications of cyber security threats. Armed with this information, boards are charged with evaluating and prioritizing risks and the complementary risk management programs they require management to put in place, including:
- Implementing effective cyber security measures
- Collaborating with suppliers and partners
- Planning your response to cyber incidents
Given the growing threat and the necessity to meet legislative obligations, it’s time for U.K. firms to improve their security posture, establish proper security policies and implement core cyber controls. To find out how your company fares, take a few minutes to complete our Risk Index.