Government Surveys Show Why UK Organisations Need to Take More Action to Protect Themselves from Cyber Crime
The results of two major new research studies published by the UK Government show why industry needs to take action on cyber security. The latest Cyber Security Breaches Survey and the Cyber Governance Health Check 2015/16 show that although organisations are aware of cyber threats, much more needs to be done to improve cyber security.
Experienced Breaches But Action Not Taken
The Cyber Security Breaches Survey, for example, shows that 65% of large firms have detected a cyber breach in the last year, and 25% of these experienced a cyber breach at least once a month! Despite these large firms experiencing monthly security breaches, the survey also shows that only half of them have taken any recommended actions to identify and reduce their vulnerability.
Lacking in Policies, Plans and Training
The Cyber Security Breaches Survey shows some of the main areas where organisations, particularly smaller ones, are falling short in terms of reducing their vulnerability to cyber crime. Only 29%, for example, have formal written cyber policies, and only 10% have a formal incident management plan.
One of the enablers of cyber crime is a lack of awareness and knowledge among staff members that can lead to human error. Cyber criminals, for example, often use multi-vector attacks that can involve phishing-style emails and even phone calls, and criminals often rely on staff clicking on a link that downloads malware / ransomware. Cyber security training can therefore be an important way in which organisations can minimise human error and enable staff to spot potential threats. Unfortunately, the survey shows that only 22% of small firms and only 38% of medium firms have had cyber training in the last 12 months.
Boards of Large Organisations Understand the Risks
The government’s Cyber Governance Health Check 2015/16 set out to understand and improve how FTSE 350 companies (the UK’s 350 largest firms) are managing cyber security risks. The results showed that cyber risks are broadly understood, but there are some areas where holes in defences still need to be effectively plugged. For example, even though 49% of the Boards in these organisations say that they understand the risks they face and the potential impact of loss / disruption of key information and data assets, only 16% say they have a clear understanding of where the company’s key information / data assets are shared with 3rd parties.
What Does This Mean For Your Organisation?
Organisations of all sizes and types are now targets for cyber criminals. The UK is the most targeted nation in the world for spear phishing attacks and social media scams and ranks second only to Germany for ransomware attacks (Symantec’s Internet Security Threat Report), and DDoS attacks have reached record levels in the first quarter of this year (Akamai). Organisations in all industries, particularly smaller organisations, need to develop more effective and up-to-date cyber security defences. More organisations should be taking at least the basic measures, such as those outlined in the government-backed Cyber Essentials Scheme https://www.cyberstreetwise.com/cyberessentials/.
Cyber security should now be a top priority and areas to focus on include staff training, making and improving cyber security policies and plans, risk assessment and management, penetration testing, tightening of data protection, and a greater focus from the top down on IT governance and increasing cyber resilience.
Other simple steps that can be taken include:
- Making sure that default passwords aren’t used, that passwords are made strong and/or are changed frequently, and/or making 2-factor authentication compulsory.
- Keeping up with patching and updates for all computers, even the old ones that don’t get used often.
- Making sure that third-party CMS plug-ins are patched too.
- Helping to defend against phishing by making sure that email filtering works well, that the network is segmented, and that layered authentication rather than static passwords is used when moving around networks.