They are down, but this isn’t a reason to celebrate: cyber security breaches are getting more complicated. According to new statistics from the Department for Digital, Culture, Media and Sport, 32% of businesses identified a cyber security breach or attack in the last 12 months – down from 43% the previous year.
That may seem like a reason to celebrate, but then the data also reveals that among organisations that were attacked, the median number of cyber security breaches has risen from four to six.
It seems cyber security breaches and attacks are getting more concentrated.
The cost has gone up too, the average cost of a cyber attack on a business has gone up by more than £1,000 since 2018 to £4,180.
Data breaches Its not just digital, physical data breaches matter too
So it seems the headline figures about fewer organisations falling victim to attacks hides behind a thin veneer.
The government says that GDPR is one of the reasons for the fall.
“The reduction is partly due to the introduction of tough new data laws under the Data Protection Act and the General Data Protection Regulations (GDPR). 30% of businesses and 36% of charities have made changes to their cyber security policies and processes as a result of GDPR coming into force in May 2018.”
Maybe that is right, but the stats also show that 48% of businesses and 39% of charities who were breached or attacked, identified at least one breach or attack every month.
Information Age would like to suggest the problem is that cybercriminals are getting more sophisticated and that maybe they are only attacking organisations after carrying out extensive research into their victims first — so from their point of view, attacking fewer organisations, meaning few organisations falling victim to cybersecurity breaches makes sense.
Average fine for data breaches doubles to £146,000 in just a year
Mark Deem, who heads the cyber team at legal practice Cooley said that “businesses are still failing to detect both threat actors and how their networks have been compromised in a first attack; whereas a victim will generally be able to identify subsequent attacks with greater ease.”
He also suggested that GDPR could partly explain why cybersecurity breaches are getting more expensive. “The introduction of mandated notification and increased penalties under GDPR are likely to further drive up the potential financial costs of all data incidents in the future too – whether as a result of an incident becoming notifiable as a breach or the additional investigative work that might be required in order to satisfy the business that notification is not required,” he said.
Too soon to say
Mark Deem also argued that it may be “too soon to determine whether recent legal and regulatory changes have driven the much-needed behavioural and cultural shift of businesses towards robust information security, or whether this trend is likely to be short-lived.
“Genuine cyber-resilience comes from corporate muscle-memory, which is developed from incident response planning with legal, communications and IT security stakeholders, and which is sustained by testing and updating processes on a regular basis.”
AI and data security: a help or a hindrance?
Digital Minister Margot James said: “With less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.
“We know that tackling cyber threats is not always at the top of business and charities list of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.