Phishing and ransomware remain the most pressing security threats for UK business, according to a government-backed survey out Wednesday.
The survey, commissioned by the Department for Culture, Media and Sport, found that the most common types of breaches are related to staff receiving fraudulent emails (in 72 per cent of cases where firms identified a breach or attack). The next most common related to viruses, spyware and malware (33 per cent), people impersonating the organisation in emails or online (27 per cent) and ransomware (17 per cent).
Among the 46 per cent of companies that detected breaches in the last 12 months, the average business faces costs of £1,570 as a result of these breaches, a lot lower than figures from comparable surveys. Losses for larger firms came out at just under £20,000.
Half of the 1,500 firms surveyed (52 per cent) have enacted basic technical controls as recommended by the UK government-endorsed Cyber Essentials scheme. Nine in ten businesses regularly update their software and malware protections, configure firewalls or securely back up their data, but only around two-thirds (69 per cent) have guidance on acceptably strong passwords.
External reporting of breaches remains uncommon. Only a quarter (26 per cent) reported their most disruptive breach externally to anyone other than a cyber security provider.
Use of cloud services among businesses has increased since the same survey last year, rising from 49 per cent to 59 per cent. This year's survey also found that three-fifths of firms (61 per cent) hold personal customer data electronically.
The survey was carried out by Ipsos MORI, in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth. It involved a telephone survey of 1,523 businesses supplemented by 30 in-depth interviews. An infographic summarising the main findings can be found here [PDF].
Brian Lord OBE – former GCHQ Deputy Director for Intelligence and Cyber Operations, now managing director for PGI Cyber – commented: "All recent high profile cyber-attack incidents could and should have been prevented with relatively low cost solutions. It is necessary to simplify everyone's understanding of the threat."