In its latest annual cybersecurity breach survey, carried out in the final three months of 2018, the government asked 1,566 UK businesses if they had experienced cybersecurity breaches or attacks within the previous 12 months. In response, 32% of businesses said they had, down from the 43% that said they had experienced such incidents in last year's survey.
Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the drop was surprising.
"We have witnessed a proliferation of cyber events, including email hacks, ransomware and sophisticated malware such as Emotet and Trickbot over the last 12 months," Birdsey said.
In its newly published survey report, the government attributed the drop, at least in part, to measures businesses had undertaken to comply with the GDPR.
"The new data protection law has encouraged and compelled many organisations over the past 12 months to either engage formally with [cyber risk] for the first time, or in some cases to strengthen their existing policies and processes," the report said. "This has helped to raise the floor in cybersecurity, with more micro businesses and more charities in particular taking action against the risks in 2019 than in 2018. It may help, among other factors, to explain the fall in the number of businesses, especially micro businesses, experiencing breaches or attacks since 2018."
Birdsey said: "While some SME businesses have taken certain limited steps to prepare for the GDPR, in our experience of managing a large volume of breaches for SMEs, a high proportion of those organisations are not prepared for a data breach and have not taken essential security steps either to prevent an incident, for example by implementing multi-factor authentication for systems access, or to be in a position to respond to an incident, such as by activating logging."
According to the report, however, the businesses that do experience cybersecurity breaches or attacks are typically seeing those incidents occur more frequently and cost more than before. Each incident has an average financial cost of £22,700 for large companies, the report said.
"The average financial cost for large companies must be scrutinised given the modest amount referenced," Birdsey said. "The response process from large companies which are subject to data breaches will often require input from external IT forensics, lawyers dealing with regulatory investigations and other vendors to effect notification to impacted individuals. The incidents considered by this report cannot be representative of the typical data breach affecting large companies."
While the government welcomed the fact that some businesses have taken steps to improve their cybersecurity as a result of the introduction of the GDPR, it said "there is still room for a more holistic approach to cybersecurity".
Birdsey said: "In our experience of managing breaches for clients post-GDPR, GDPR preparations have tended to focus on pure GDPR compliance, such as privacy policies and data retention policies, rather than IT security hardening or preparing for a breach. UK businesses and organisations have a long way to go."
"In our experience, organisations typically do not have written cyber security policies or formal incident management processes such as an incident response plan. Even fewer have rehearsed for a cyber event," he said.
The government admitted that compliance with the GDPR "may only take organisations up to a certain point".
"While there has been considerable progress since 2018 across organisations of all sizes, only a minority of micro and small businesses, and of charities, have written cybersecurity policies or a formal incident management process, have arranged any form of cybersecurity training, or have senior staff with a specific responsibility for cyber security as part of their job role," it said.
"The qualitative findings [from the survey] show that while GDPR has played an important role in raising the floor, it may have, unintentionally, made some organisations think about cybersecurity almost exclusively in terms of data protection. And advances in the number of staff attending training on cyber security may be more to do with uptake of GDPR training, where the actual cyber security content could be relatively small," it said.
"After implementing GDPR, it may be important for organisations to consider cybersecurity more holistically. The organisations that had more sophisticated approaches to the issue in the qualitative interviews tended to be those that also considered the potential wider impacts of cyber attacks on business continuity, on reputations and on client-supplier relationships," the government said.