As hardly a week goes by without news of a fresh cyber breach, we might be forgiven for thinking that the cyber criminals have the upper hand. However, the latest UK Threat Report from ITProPortal suggests an increasing level of confidence among UK organisations when facing down cyber attacks.
As the Report explains, “supporting this sense of confidence, we also found that investment in cyber-defence is holding up well, with 93% of UK organisations surveyed saying they plan to increase cybersecurity spending. Nevertheless challenges remain, not least in the fact that despite this growing confidence 84% of UK organisations surveyed said that they had suffered at least one data breach in the past twelve months caused by an external cyberattack”.
The Report’s compilers spoke to 250 UK CIOs and CISOs about the threat landscape they face in the final quarter of 2019. They emerged with four key conclusions.
1. Despite growing confidence, the attack landscape remains severe
According to the survey, 84% of organisations said the volume of attacks they face has increased, while nine in ten said that these attacks had become more sophisticated. Globally, the survey found a sharp rise in the prevalence of phishing attacks as the attack type most likely to result in a data breach. In the UK it was the cause of 33% of breaches this year – up from 20% in 2018. This global trend is a clear sign that attackers are going after the weakest link – end users. This is also a factor in the increase reported in breaches caused by ransomware, which jumped as a cause of successful breaches from 14% in January to 20%.
This focus on user-related breach vectors may also indicate that defenders are succeeding in making organisations a harder target for more direct malware-led attacks.
2. When breaches happen, reputational damage outweighs financial impact
Given the high profile of regulatory changes – especially GDPR – in the past 18 months, it is not surprising that 72% of businesses reported suffering reputational damage as a result of a data breach. As the Report explains, “the public is now much more aware of the risks and responsibilities that organisations bear around data protection and quick to lose trust in those who appear negligent.”
However, it continued, “it is a little surprising that the percentage reporting financial impacts from breaches was only 35% (the global average was 44%). Over half (54.5%) of UK organisations said there had been no financial impact from the breach at all. At this stage it seems that organisations don’t see monetary loss on the same scale as reputational damage.”
3. Emerging technologies and cyber-skills scarcity – causes for concern
Looking ahead to 2020, the research found a significant level of concern in the UK about how emerging technologies such as 5G and fast-paced digital transformation projects are going to create cyber-risk.
According to the Report: “in line with global sentiment, nine in ten respondents said they had concerns, which ranged from the potential for new and more destructive attack types to the difficulty in gaining full visibility over new projects and technologies. Almost a quarter (25%) said that they would need a bigger team to cope with these threats.” However, recruiting staff with the necessary skills is a growing problem: 55% of UK organisations said that the recruitment climate had grown more challenging in the past 12 months.
4. Threat hunting is firmly on the agenda
Of the UK companies surveyed, 90% said that threat hunting had strengthened company defences and 30% had found significant evidence of malicious activity. This is almost double the 16% who found significant evidence of malicious activity in January 2019. As the Report explained: “this may be in part due to increasing levels of cyber-threat activity, the high percentage increase indicates that threat hunting is becoming more effective, as defender skills and experience increases.”
A stronger outlook for UK cybersecurity
Summing up, the Report was optimistic. As it explained: “taken together, these research findings indicate a maturing approach to cybersecurity as UK businesses adjust to the ‘new normal’ where high volume, sophisticated cyberattacks are a factor of doing business. Organisations are locking down the controllable factors such as process weakness and out of date security, while, at the other end of the scale, they are proactively threat hunting. This is building defender confidence and power, as businesses get smarter about identifying where the risks lie and what tools they can deploy to mitigate them. While new challenges loom on the horizon, the cybersecurity community in the UK is now better-positioned and more confident to meet and defend against them.”
The full story is available via the link.