Some may reckon GDPR needs an overhaul but British businesses have found the cyber security measures it enforces have saved them from huge payouts by shoring up their defences against the constant barrage of online attacks.
That is a key finding from the UK Government’s Cyber Security Breaches Survey 2021, the sixth survey in the annual series, which also shows the frequency of cyber security breaches is undiminished, with phishing remaining the most common threat.
It reveals that nearly four in ten businesses (39%) and a quarter of charities (26%) have reported cyber security breaches or attacks in the last 12 months and like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).
This year, fewer businesses are identifying breaches or attacks than in 2020 (when it was 46%), while the charity results are unchanged. The report says could be the result of a reduction in trading activity from businesses during the pandemic, which may have inadvertently made some businesses temporarily less detectable to attackers this year.
However, other quantitative and qualitative evidence from the study suggests that the risk level is potentially higher than ever under Covid-19, and that businesses are finding it harder to administer cyber security measures during the pandemic.
For example, fewer businesses are now deploying security monitoring tools (35% compared to 40% last year) or undertaking any form of user monitoring (32% compared to 38%). Therefore, this reduction among businesses possibly suggests that they are simply less aware than before of the breaches and attacks their staff are facing.
Among those that have identified breaches or attacks, around a quarter (27% of these businesses and 23% of these charities) experience them at least once a week.
The most common by far are phishing attacks (for 83% and 79% respectively), followed by impersonation (for 27% and 23%). Broadly, these patterns around frequency and threat vectors are in line with the 2020 and 2019 results.
A sizeable number of organisations that identify breaches report a specific negative outcome or impact. On average, for those that do, the costs are substantial.
Among the 39% of businesses and 26% of charities that identify breaches or attacks, one in five (21% and 18% respectively) end up losing money, data or other assets. One-third of businesses (35%) and four in ten charities (40%) report being negatively impacted regardless, for example because they require new post-breach measures, have staff time diverted or suffer wider business disruption.
However, these figures have improved over time – the study says the proportions experiencing negative outcomes or impacts in 2021 are “significantly lower” than in 2019 and preceding years, although it does not go into the finer detail.
The report states: “This is not due to breaches or attacks becoming less frequent, with no notable change in frequency this year. Instead, it may be due to more organisations implementing basic cyber security measures following the introduction of GDPR in 2018.”
And despite Covid stretching many organisation’s cyber security teams to their limits, cyber security remains a priority for management boards, the study reports, although it has not necessarily become a higher priority under the pandemic.
More than three-quarters (77%) of businesses say cyber security is a high priority for their directors or senior managers, while seven in ten charities (68%) say this of their trustees. While there have been minor fluctuations in these findings over the past three years, cyber security remains a higher priority compared to when each group was surveyed (69% in 2016 for businesses and 53% in 2018 for charities).
Half of businesses (50%) and four in ten charities (40%) update their senior management teams about the actions taken on cyber security at least quarterly, in line with the 2020 results. However, worryingly, the percentage of charities reporting that their senior managers are never updated on cyber security has increased since last year (to 23% compared to 12% in 2020).
Overwhelmingly, businesses (84%) and charities (80%) say the pandemic has made no change to the importance they place on cyber security.
Even so, the qualitative research suggests that some organisations have increased their investment in IT and cyber security in response to Covid. Many organisations adopted new security solutions, including cloud security and multi-factor authentication, or new rules requiring VPN connections to access files. These changes were often characterised as being about business and IT service continuity.
But Covid has led medium and large businesses to take out some form of cyber insurance (43% of businesses and 29% of charities) – this is up from 32% for businesses in 2020 – and undertake cyber security risk assessments (34% and 32%).
Digital Infrastructure Minister Matt Warman said: “The pandemic has taken an unavoidable toll on British businesses but we cannot let it disrupt our high cyber security standards.
“With more people working remotely it is vital firms have the right protections in place, and I urge all organisations to follow the National Cyber Security Centre’s expert guidance so we can build back better and drive a new era of digital growth.”
GDPR superfan demands overhaul of ‘outdated law’
New ICO to ‘boldly’ lead UK into global data economy
UK cyber firms cement place as ‘jewel in tech crown’
Hack attack fears push UK cyber security to over £8bn
Data breaches, not rogues, are ICO Public Enemy No. 1
GDPR two years on: EU chiefs finally admit funding issue
Now Germans call for GDPR shake-up to avoid ‘collapse’
Brussels urged to act on GDPR failings or risk demise
GDPR one year on: Data is now a major boardroom issue
GDPR zero hour: Now the hard work begins say experts