This article is more than 1 year old
Reports of cyber attacks fall, says UK.gov survey: GDPR? Fewer nasties? More targeted attacks? We just don't know
'Cyber stuff is still happening and some businesses are taking it more seriously'
UK businesses have reported a significant fall in cyber attacks over the last 12 months.
The proportion identifying breaches or attacks in the least year was 32 per cent, compared with 43 per cent in 2018 and 46 per cent in 2017, according to a survey of 1,566 businesses by the Department for Digital, Culture, Media and Sport (DCMS) (PDF).
Those figures echo the Crime Survey for England and Wales, which found that between September 2017 and September 2018, the number of computer misuse incidents among individuals fell from 1.5 million to 1 million.
This was driven, according to Office for National Statistics data, by a significant reduction in computer viruses (down by 45 per cent over the same period).
However, the DCMS report said other factors could be at play such as more investment in cybersecurity, better compliance due to GDPR, or a change in attack behaviour.
For example, those carrying out cyber attacks could be focusing on a narrower (though still numerous) set of businesses.
This fits with another broad trend in the survey showing that, among the 32 per cent of businesses that did identify breaches or attacks, the median number they recall facing has gone up, from two attacks in 2017 to six in 2019.
Of those targeted, phishing attacks were the most common, with 80 per cent having been subject to email scams, while 27 per cent said they had been hit by viruses, spyware or malware.
However, Ken Munro of Pen Test Partners said there are too many variables to make the findings conclusive.
"Are the number of antivirus reports down because organisations (rightly) don't consider them to be attacks/breaches or incidents? Or is it because the antivirus products aren't detecting the types of malware that are being used now?"
He added: "Without analysing the quality of phishing attacks, the data is also meaningless. Are untargeted phishing attempts being filtered out upstream?
"I don't think anything can be concluded from the report other than that 'cyber stuff is still happening and some businesses are taking it more seriously'." ®