In charts: Cyber security risks and companies’ readiness
Cybersecurity concerns could once be written off as the preserve of large companies. But, in today’s networked world — where many are still partly working remotely as a result of the pandemic, and Russia’s invasion of Ukraine is raising cyber warfare threats — that era is long gone.
According to Santha Subramoni, global head of Tata Consultancy Services’ cyber security business: “As enterprises grapple with threats from multiple dimensions, risk prioritisation and quantification methods are exponentially important when deciding how to distribute cyber protection funds.”
However, data from the UK’s Department for Digital, Culture, Media and Sport show that businesses’ approaches to cyber security still vary significantly, with sectors that traditionally allocated spending to the problem still leading in preparedness.
A little over half of the businesses surveyed by DCMS had sought external cyber security information or guidance over the past year. Small businesses and charities, which may not have invested heavily in cyber security at all in the past, were the least likely to have sought advice.
In the financial sector, almost 70 per cent of companies had sought outside assistance or information — suggesting an awareness of the growing risk of being targeted by state groups. In February, the UK’s Financial Conduct Authority told banks to strengthen their defences against the threat of Russian-sponsored cyber attacks, and Lloyds Banking Group chief executive Charlie Nunn said the group had been on “heightened alert” for the past couple of months.
But, even among large and medium-sized firms, a quarter still chose not to seek external information or guidance. That was in spite of the increased opportunity for bad actors created by staff working from home during the pandemic.
Nevertheless, Subramoni at Tata sees some progress: “More organisations are now seeking external guidance to upgrade their cyber maturity and optimise their cyber protection budgets.”
Research from cyber security company SonicWall supports that more positive outlook. “From mid-2020 to 2021, the number of CEOs who said cyber security risks were the biggest threat to short-term growth nearly doubled,” said SonicWall chief executive Bill Conner in its recent cyber threat report.
These risks now arise across a business’s activities, points out Subramoni — for example, in “cloud, network, remote access, connected devices and extended supply chain ecosystems”. That makes putting strong cyber security practices in place, across the board, especially important.
Encouragingly, the majority of both businesses and charities surveyed by DCMS had implemented rules — such as ensuring that up-to-date malware protection had been installed. A particularly high number of businesses had also introduced strong password policies as well as firewalls for their entire networks.
Less welcome, though, is the fact that only 30 per cent of businesses and less than half of charities restrict system access to company-owned devices — which potentially nullifies some of the protections they put in place.
“Although the conceptual aims of BYOD [bring your own device] are an attractive prospect to most organisations, it comes with a conflicting set of security risks and challenges,” warned the UK National Cyber Security Centre last year. These challenges include difficulty in protecting corporate data if external devices can access it, ensuring legal compliance, and having to support a wider range of device types and operating systems.
Just under two in five companies surveyed by DCMS said that they had identified breaches, although the true number may be higher. The fact that the majority of breach identifications came from bigger companies may reflect either a greater likelihood that they were targeted or a greater likelihood that they had detection systems in place.
Only a quarter of charities said they had identified breaches, significantly below the level for businesses in general. However, the government found that the charities and businesses that hold personal data were more likely than average to report breaches or attacks. This may reflect the fact that only half of each category said they had rules for storing and moving personal information securely.
Data from cyber security firm SonicWall showed that, while the number of malware attacks globally was down 4 per cent in 2021 at 5.4bn, newer kinds of attack, including ransomware and encrypted threats — in which hackers hide malware inside traffic protected by a common security protocol — had increased by more than 100 per cent.
But phishing attacks — trying to trick users into disclosing information — remained the most common type of breach identified by companies and charities, reported by around 80 per cent of each.
Phishing attacks also vary greatly in scale. They may be as simple as an email from a fraudster posing as a member of a customer services team, or as elaborate as a concerted attempt to drive an entire organisation’s users to visit infected websites and install malware.
Nevertheless, at their core, they share one similarity, according to Dimitrie Dorgan, senior fraud risk manager at online identification company Onfido. “In social engineering, the weakest link is the human using it,” he told the FT last year. Among the trends he warned about were unexpected newsletters or emails sent to users who had not subscribed to them.