The Cyber Security Breaches Survey 2019 shows that around one in three businesses (32 per cent) was a victim of an attack or breach in the past 12 months. While this is lower than in 2018 (when it was 43 per cent) and in 2017 (46 per cent), those who were victims typically reported facing six attacks, compared to two in 2017.
The figures from the department for digital, media, culture and sport also show that phishing attacks (identified by 80 per cent of victims) and others impersonating an organisation (28 per cent), both of which rely on human error, are now more common than viruses, spyware or malware attacks (28 per cent).
The report says businesses have increased their defences but suggests that attacks are becoming more focused. Jon Abbott, CEO of IT services provider Priority One and founder of cybersecurity platform ThreatAware, says the figures reflect the trends the industry is already seeing.
“Attacks are becoming more targeted and costly and cybercriminals are becoming more sophisticated. As IT teams shore up their defences, attackers are choosing softer targets and preying on people instead. They recognise that humans are now the weakest link and increasingly the targets are directors and senior decision makers.
“It demonstrates that cybersecurity is no longer just an IT issue but a company-wide challenge, one which involves people throughout the organisation and needs to be overseen at board level.”
The report shows that 30 per cent of attacks had a negative outcome, resulting in loss of data or assets, with the average (mean) cost to the business being £4,180, higher than in 2018 (£3,160) and 2017 (£2,450).
Around three in four businesses (78 per cent) say cybersecurity is now a high priority for senior management – up from 74 per cent last year. One in three businesses (33 per cent) now has a written cybersecurity policy; 27 per cent have had staff attend training in the past 12 months; and 56 per cent have implemented the five types of controls recommended in the government’s Cyber Essentials scheme – all up on last year’s figures.
The report says GDPR has helped to change behaviour, with 30 per cent having made some type of change as a result, but it has also led to organisations focusing on data breaches rather than wider risks. They now need to ‘think more holistically about the issue’ and could do more – only 35 per cent have a board member responsible for cybersecurity.
Abbott added, “Dealing with the changing threat landscape requires a more integrated approach than before. Patching, web browsing protection and anti-virus software are critical but businesses also need the right policies, procedures and culture.
“As cybercrime becomes more complex, boards need to lead the fightback and work closely with IT teams and managers throughout the organisation to ensure they are in the best possible position to defend themselves against the threats.”