Cyber-attacks are a continuous threat to both businesses and charities. From the Cyber Security Breaches Survey 2019 (available here as a PDF), we can see that fewer businesses are identifying breaches than in previous years, but the ones that are identifying breaches are typically experiencing more of them. Approximately 32% of businesses and 22% of charities report having cyber security breaches/attacks in the last 12 months. The most common types of cyber security breach reported are:
- phishing attacks;
- malign persons impersonating an organisation in emails or online; and
- viruses, spyware or malware.
The proportion of businesses identifying breaches or attacks is lower than in 2018 and 2017 (43% and 46%, respectively). The result for charities is similar to 2018. At the same time, among the 32% of businesses who did identify breaches and attacks, the average number of breaches that they recall having to deal with tripled. Even though this is far from ideal, it is worth looking more closely at the reason there has been a fall in the number of businesses identifying breaches and attacks in the last year.
One of the most plausible explanations for fewer businesses identifying breaches is that they are generally becoming more cyber-security aware. For example, employees are sent mock phishing emails and participate in other forms of cyber awareness training. Increasing public awareness of cyber attacks and data breaches may also be a factor. The entry into force of the General Data Protection Regulation (GDPR) also appears to have had an effect on businesses, with 30% of respondents claiming that they have made changes to cyber security because of GDPR.
The fall could also point to a change in attacker behaviour – more attacks are being focused on a narrower range of businesses. Although the survey is not concerned directly with attacker behaviour, it does suggest that this could be driving increased attacks on some businesses. It sends a cautionary note to businesses that hold sensitive data or form part of extended supply chains that attackers may be becoming more discerning about which businesses make for easier or more profitable targets.
In the survey, 78% of businesses responded that cyber security was a high or very high priority for senior management, with finance, insurance, education and communications sectors all reporting significantly higher percentages.