No hiding place: Exclusive cyber security study reveals major fears
2 March 2016
78 per cent of UK companies have experienced an increase in cyber attacks over the last 12 months, according to an exclusive investigation carried out by Business Reporter in association with Circleresearch.
The survey of senior cyber security professionals, including IT directors, CIOs, CTOs, heads of security and IT analysts, revealed that the threat of cyber security breaches has risen substantially in the past 12 months.
“Our study highlighted the increased availability of attack software and an increasingly sophisticated approach by the attackers,” said Business Reporter director Georges Banna.
“More and more companies fear cyber attacks and I would not be surprised if those companies who say they have not yet been attacked simply do not realise that they have been.”
The threat landscape
64 per cent of companies across the UK experienced some sort of incident in 2015. 42 per cent experienced more than one incident while 13 per cent experienced more than 10.
The four key external threats faced were phishing (57 per cent), Trojans (32 per cent), patching (26 per cent), and distributed denial of service (DDoS) attacks (21 per cent). In these attacks, 23 per cent of businesses said they “may have lost customer data”.
One of the main messages from the survey was that the biggest threat to security came from within, whether intentional or not. People are, indeed, the weakest link.
This is particularly the case when dealing with culture-based attacks, such as phishing and socially engineered Trojans, where up to 44 per cent of companies feel particularly vulnerable.
To counter this, 50 per cent urged an increase in training while 20 per cent recommended a policy of increased awareness. Looking forward, 86 per cent feel there is at least a fair chance another incident will occur during the year, with 27 per cent feeling it “definitely will”.
Overall, those surveyed thought that, although the volume of attacks was expected to go up, the nature of those attacks was not expected to change.
Resilience and recovery
To deal with these attacks, 60 per cent of businesses have an action plan in place while 36 per cent say they will have one in place soon.
Of those enterprises with a plan, 82 per cent have used it and found it effective.
In best practice news, 36 per cent review their plan annually and 52 per cent review it even more regularly. Interestingly, 27 per cent felt that their department was “significantly under resourced” to deal with any cyber security threats while 22 per cent felt there were “significant skills gaps” in their department.
The survey investigated how companies reacted after a cyber attack and whether they had cyber liability insurance cover (CLIC) in place. Surprisingly, 49 per cent had no liability cover at all, preferring to invest in prevention and risk mitigation.
One said: “The board has still to wake up to the importance of cyber security before it can even begin to consider insurance for it.”
There was also a feeling that reputational damage, for example, can’t be compensated – something the insurance providers need to address as 74 per cent said reputational cover was the most important element of CLIC.
As for coordinating against the threat, while 99 per cent think that sharing cyber security experiences would be beneficial, currently only 53 per cent do so.
There is a pervading concern about the commercial sensitivity of sharing sensitive information with competitors, as well as a general lack of support for such a project from the board.
Even if a sharing culture were to be developed, there is currently no suitable forum to enable it.