In the era of cyber vulnerability, the report on the state of cyber attacks facing British businesses is unsurprising. With nearly half (46%) of firms experiencing at least one cyber breach or attack over the last year, the problem is endemic.
The proportion rises among medium and large organisations, two-thirds of which suffered a breach or attack. The most common breach resulted from fraudulent emails containing viruses or malware being sent to company employees.
The results were based on a government survey of 1,500 UK businesses, including 30 in-depth interviews.
The government said a “sizeable proportion” of the businesses still did not have “basic protections” in place. The survey also revealed that less than 29% had a board member in charge of cyber security. This will no doubt change with data regulation such as GDPR on the horizon.
This was confirmed by the report, which said that fewer businesses in 2017 considered cyber security to be of “very low priority”. Indeed, 74% now agreed that security is a high priority for the top levels of an organisation.
Prof Andrew Martin at the University of Oxford told the BBC, “A lot of businesses have responded to the problem with a box-ticking exercise or by paying an expensive consultant to make them feel better – it’s far from clear that what people are doing is protecting them very well.”
“It’s all very well to say don’t open emails from an unknown source – but most of us couldn’t do business if [we] didn’t do that,” he added.
Brian Lord OBE, former GCHQ Deputy Director for Intelligence and Cyber Operations, and now Managing Director for PGI Cyber, commenting on the report, believes that a cyber mythology has been created by the industry to sell unnecessary solutions through fear. He suggests, in fact, that countering the cyber security threat is not as difficult as it appears, despite the rise in successful cyber attacks.
“The reason breaches are growing is because companies aren’t protecting themselves properly, because they are being made confused by the cyber security vendors. A ‘cyber mythology’ has been created by the industry, to sell unnecessarily expensive solutions through fear. All recent high profile cyber-attack incidents could and should have been prevented with relatively low cost solutions.”
“It is necessary to simplify everyone’s understanding of the threat. Whenever I give advice to clients on this subject to business or at a national level to formulate national security policies, the client emphasis is always around finding expensive technical solutions. The unfortunately more boring but more realistic (however considerably more effective and cheaper) solutions reflect a blend of technology, human education and procedural measures. And that blend depends entirely upon the type of threat a company faces.”
“I hope on the back of the breach Report, the new National Cyber Security Centre continues to make information easy for public and businesses to digest so they can become smart demandeurs of solutions, and works more robustly and innovatively with the Security Industry to remove some of the artificial expense for wider business to achieve certification and accreditations.”