Over 40 per cent of businesses experienced a cyber security breach or attack in the last 12 months, according to a new report from the Department for Digital, Culture, Media and Sport.

The Cyber Security Breaches Survey 2018 was carried out among 1,519 UK businesses, with 50 in-depth follow-up interviews, finding that three quarters of businesses have made cyber security a high priority for their senior management.

However, only 27 per cent actually have formal cyber security policies in place. Breaches were more often identified among the organisations that hold personal data, where staff use personal devices for work or that use cloud computing.

Of all the organisations that experienced breaches or attacks, the most common impacts were needing new measures against future attacks (36 per cent), requiring extra staff time required to deal with the breach (32 per cent) and staff being stopped from carrying out day-to-day work (27 per cent).

Typically, organisations incur no specific financial cost from cyber security breaches, although where breaches do result in a material outcome, the costs can be significant. For medium-sized businesses (50 to 249 employees) the average cost was £16,100 and for large businesses (250 employees or more) the average cost was £22,300.

Despite many organisations stating that cyber security is a high priority, just 30 per cent have board members or trustees with responsibility for cyber security. One in five businesses also admitted to never updating their senior managers on cyber security issues.

The research concluded that businesses need to consider their organisational cultures – even those which see themselves as offline, or too small to be at risk. “The qualitative survey suggests that organisations take more action on cyber security when they see it as complementing their organisational priorities, rather than competing with them,” read the report. “They take less action when they think it will be a burden to implement cyber security controls, or when they have a fatalistic attitude towards cyber security.”

As in 2017, the most disruptive breaches are most commonly spotted by individual staff members rather than picked up automatically by anti-malware programmes. However, staff training remains rare, with just 20 per cent of businesses requiring staff to undertake any form of cyber security training in the past year.

Earlier this week, a report from UK Finance and KPMG suggested the threat of cyber crime cannot be mitigated just by spending more money, but rather by increased collaboration to render cyber criminals’ markets, tools and systems ineffective.

Share Story: