78% of UK companies have experienced an increase in cyber attacks over the last 12 months, according to an exclusive investigation carried out by Business Reporter in association with Circleresearch.
The survey of senior cyber-security professionals, including IT directors, CIOs, CTOs, heads of security and IT analysts, revealed that the threat of cyber-security breaches has risen substantially in the past 12 months.
“Our study highlighted the increased availability of attack software and an increasingly sophisticated approach by the attackers,” said Business Reporter director Georges Banna. “More and more companies fear cyber-attacks and I would not be surprised if those companies who say they have not yet been attacked simply do not realise that they have been.”
The threat landscape:
64% of companies across the UK experienced some sort of incident in 2015. 42% experienced more than one incident while 13% experienced more than 10.
The four key external threats faced were phishing (57%), Trojans (32%), patching (26%) and DDoS (21%). In these attacks, 23% of businesses said they “may have lost customer data”.
One of the main messages from the survey was that the biggest threat to security came from within, whether intentional or not. People are, indeed, the weakest link. This is particularly the case when dealing with culture-based attacks, such as phishing and socially engineered Trojans, where up to 44% of companies feel particularly vulnerable. To counter this, 50% urged an increase in training while 20% recommended a policy of increased awareness.
Looking forward, 86% feel there is at least a fair chance another incident will occur during the year, with 27% feeling it “definitely will”. Overall, those surveyed thought that, although the volume of attacks was expected to go up, the nature of those attacks was not expected to change.
Resilience and recovery:
To deal with these attacks, 60% of businesses have an action plan in place while 36% say they will have one in place soon. Of those enterprises with a plan, 82% have used it and found it effective. In terms of best practice, 36% review their plan annually and 52% review it even more regularly. Interestingly, 27% felt that their department was “significantly under-resourced” to deal with any cyber-security threats while 22% felt there were “significant skills gaps” in their department.
The survey investigated how companies reacted after a cyber-attack and whether they had Cyber Liability Insurance Cover (CLIC) in place. Surprisingly, 49% had no liability cover at all, preferring to invest in prevention and risk mitigation. One said: “The board has still to wake up to the importance of cyber-security before it can even begin to consider insurance for it.” There was also a feeling that reputational damage, for example, can’t be compensated – something the insurance providers need to address as 74% said reputational cover was the most important element of CLIC.
As for coordinating against the threat, while 99% think that sharing cyber-security experiences would be beneficial, currently only 53% do so. There is a pervading concern about the commercial sensitivity of sharing sensitive information with competitors, as well as a general lack of support for such a project from the board. Even if a sharing culture were to be developed, there is currently no suitable forum to enable it.