According to the UK cybersecurity breaches survey (66-page / 1.50MB PDF), carried out on behalf of the Department for Culture, Media and Sport (DCMS), 68% of large UK companies, and 46% of all UK businesses in total, "identified at least one cybersecurity breach or attack in the last 12 months".
Approximately two-thirds of businesses (66%) said they believe their most disruptive breach to have been intentional, according to the survey report. However, 98% of businesses who said they had contingency plans in place for cybersecurity breaches said those plans were "effective for dealing with their most disruptive breach".
Specialist in cyber risk and regulation Philip Kemp of Pinsent Masons, the law firm behind Out-Law.com, said that, beyond financial costs, such as costs caused by systems being forced offline, cybersecurity breaches can also distract senior executives and other staff from everyday business activities because of the time it can take to investigate and fix security faults, deal with external communications, and mitigate risks to customers or staff stemming from a breach.
The average cost of a breach suffered by a large UK company is £19,600, according to the report. Most breaches experienced by businesses do not have "significant financial consequences", but "the minority of firms that do experience … serious breaches" can face "extremely high" costs, it said. Kemp said that this average takes into account a vast number of small and less costly breaches, and that where a serious breach occurs the entity affected can expect the associated costs to be substantially higher, including reputational damage, potential loss in share price, and fines from regulators.
While the survey revealed that cybersecurity is generally receiving the attention it deserves among UK businesses, it also highlighted some common shortcomings in the way some companies approach the issue of cyber risk, Kemp said.
According to the survey, 74% of businesses consider cybersecurity to be a very high or fairly high priority for their senior management. Kemp said recognition of the importance of cybersecurity is improving across all sizes of business, regardless of their turnover. He said, though, that the report indicated that there is still a gulf between the perception of risk in relation to a security breach and the reality of that risk.
"The survey results show that many businesses continue to underestimate the value of data, and some fail to understand that data beyond bank details also requires protection," Kemp said. "Training and development of wider perceptions regarding the value of data continues to be an area that needs focus."
"UK businesses that fail to take appropriate steps to protect personal data not only face potential fines under the Data Protection Act, they also face potential claims for compensation from customers under the Act," he said.
The survey report identified some of the common methods hackers use to try to infiltrate corporate systems and/or steal data. It showed that phishing attacks continue to be a prevalent form of cyber attack, Kemp said. Nearly three-quarters of all businesses (72%) said their organisation had received fraudulent emails in the past year, according to the report.
The survey also charted the approach UK businesses take to reporting cybersecurity incidents outside of their own organisation. Fewer than half of UK businesses (43%) reported their most disruptive breach outside their organisation, and most commonly this only involved informing cybersecurity providers they contracted with, according to the report.
Kemp said that the new General Data Protection Regulation (GDPR) will require businesses to be more open about the major data breaches they experience, while the Network and Information Security (NIS) Directive could also spur more cybersecurity incidents to come to light. He said he expects the statistics detailing the external reporting habits of UK companies to "rise dramatically" after the two pieces of legislation take effect in the UK in May 2018.
Most businesses are not obliged to report data breaches to the UK's Information Commissioner's Office (ICO) at the moment, although it is considered good practice to do so. The GDPR will place a new mandatory data breach notification obligation on businesses for the first time, and the NIS Directive will similarly place operators of essential services and digital service providers under a duty to disclose certain cybersecurity incidents to authorities.
The report said that 23% of businesses had experienced a temporary loss of files as a result of a cybersecurity incident last year, while 20% had software or systems corrupted. The report also revealed that 11% of businesses that experienced a cybersecurity breach either suffered permanent loss of non-personal data files or had personal data altered, destroyed or taken. Kemp said that these survey results highlighted the benefits that "regular and separately secured backups can provide".
Pinsent Masons recently looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask. Pinsent Masons experts looked at which people are typically behind cybersecurity breaches and the methods they use, what the common vulnerabilities are and what good IT security looks like, and how the legal landscape and regulatory fines are changing.
They also assessed the rising threat of ransomware and looked at how businesses may be able to seek protection afforded by legal professional privilege, and what they need to consider when working with criminal authorities, as well as the advantages of engaging credit monitoring after a breach, and the potential benefits of taking out cyber insurance.