Two in five businesses reported a cyber attack or data breach in the past 12 months, according to the UK government’s Cyber Security Breaches Survey 2021.
The study suggests that the threat has increased as a result of COVID-19, with security teams finding it harder to implement and manage defence mechanisms.
However, in some cases the risk is also of organisations’ own making. For example, compared to a year ago, fewer organisations are using security monitoring tools (35% vs 40%) or performing any form of user monitoring (32% vs 38%).
Among the 39% of organisations that identified a breach or attack, 27% said they experienced security incidents at least once a week, with phishing by far the most common form of attack.
The effects of data breaches
Among those that identified a security incident, 35% reported negative effects. In most cases, that meant the loss of money, data or other assets.
Small organisations reported an average loss of £8,460, whereas medium and large firms lost £13,400 on average.
But even when no information or money was lost, organisations said they suffered business disruption, including diverting staff hours to deal with the incident.
Despite COVID-19, the proportion of organisations experiencing negative effects from breaches is lower than in previous years. The study suggests this isn’t because breaches are less frequent but because organisations are better equipped to handle security incidents.
This is most likely a result of the GDPR (General Data Protection Regulation), which contains strict requirements on the ways organisations should protect their sensitive data and respond to security incidents.
Indeed, the study found that 77% of businesses now say that cyber security is a high priority for their directors and senior staff, compared to 69% in 2016.
One in two businesses update management teams about their cyber security actions each quarter, and many have increased their investment in cyber security during the pandemic.
This includes technological solutions, such as Cloud security and multi-factor authentication, as well as processes that bolster existing measures.
Where are organisations lacking?
Despite investing significantly in security technologies, organisations are neglecting staff awareness training.
Your staff’s ability to spot and respond to threats is one of the most important ways of protecting your organisation. This can be seen in the prevalence of phishing, which relies on exploiting human weaknesses rather than technical ones.
Yet only 14% of businesses provide regular training and 20% have performed activities to test staff, such as simulated phishing attacks.
Staff awareness training costs less than most technological defences, but it requires an organisation-wide commitment for it to work.
If you’re concerned about your employees’ security awareness, our Simulated Phishing Attack service is a great place to start.
We’ll send your employees a typical example of a phishing email without the malicious payload, giving you the opportunity to monitor how your employees respond.
Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?
You can use the answers to guide your information security measures and to act as a reference point when it comes to staff awareness training.
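To show what "monitoring how your employees respond" looks like in practice, here is an added example of the measurement side of a simulated phishing exercise. It is not the article's code and not the code behind any commercial service; it assumes a campaign design in which each recipient's copy of the test email carries a unique tracking link, the harmless landing page is served by a web server whose access log you can read, and staff who spot the email forward it to a security mailbox. The log format, addresses, campaign key and sample events are all constructed for the example.

```python
"""Outcome tracking for a simulated phishing campaign (added example).

Assumed design: every recipient gets a unique /t/<token> link, the landing
page's web server writes a combined-format access log, and reports arrive
as (timestamp, reporter, forwarded text) from a security mailbox.
"""
import hashlib
import hmac
import re
from collections import Counter
from datetime import datetime, timezone

# Combined-log style line; only hits on /t/<token> are of interest.
CLICK_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<token>[0-9a-f]{16})[ ?]'
)
TOKEN_RE = re.compile(r"/t/(?P<token>[0-9a-f]{16})")
LOG_TS = "%d/%b/%Y:%H:%M:%S %z"


def make_token(campaign_key: bytes, email: str) -> str:
    """Per-recipient token: truncated HMAC-SHA256(campaign key, address).

    Keyed, so one employee cannot derive a colleague's link, and the
    token-to-address mapping needs the key rather than a stored table.
    """
    mac = hmac.new(campaign_key, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def parse_clicks(log_lines):
    """Yield (token, timestamp) for every hit on a tracking link."""
    for line in log_lines:
        m = CLICK_RE.match(line)
        if m:
            yield m["token"], datetime.strptime(m["ts"], LOG_TS)


def parse_reports(reports):
    """Yield (token or None, reporter, timestamp) from forwarded reports."""
    for ts, reporter, text in reports:
        m = TOKEN_RE.search(text)
        yield (m["token"] if m else None), reporter.strip().lower(), datetime.fromisoformat(ts)


def classify(recipients, campaign_key, sent_at, log_lines, reports):
    """Return ({address: (outcome, seconds_to_report or None)}, unknown_token_hits).

    Outcomes: no_action, clicked, reported, clicked_then_reported,
    reported_then_clicked (reported, then opened the link anyway).
    """
    by_token = {make_token(campaign_key, r): r.strip().lower() for r in recipients}
    known = set(by_token.values())
    first_click, first_report, unknown = {}, {}, 0
    for token, ts in parse_clicks(log_lines):
        addr = by_token.get(token)
        if addr is None:            # scanner, guessed URL or a stale campaign
            unknown += 1
            continue
        if addr not in first_click or ts < first_click[addr]:
            first_click[addr] = ts  # repeat clicks do not change the outcome
    for token, reporter, ts in parse_reports(reports):
        addr = by_token.get(token) or reporter   # token beats the From: address
        if addr not in known:
            continue
        if addr not in first_report or ts < first_report[addr]:
            first_report[addr] = ts
    result = {}
    for addr in known:
        c, r = first_click.get(addr), first_report.get(addr)
        if c and r:
            outcome = "clicked_then_reported" if c <= r else "reported_then_clicked"
        else:
            outcome = "clicked" if c else "reported" if r else "no_action"
        result[addr] = (outcome, (r - sent_at).total_seconds() if r else None)
    return result, unknown


def summarise(results):
    """Campaign-level numbers a training programme would track over time."""
    n = len(results)
    clicked = sum(1 for o, _ in results.values() if "clicked" in o)
    reported = sum(1 for o, _ in results.values() if "reported" in o)
    times = [t for _, t in results.values() if t is not None]
    return {"recipients": n, "clicked": clicked, "reported": reported,
            "click_rate": clicked / n, "report_rate": reported / n,
            "fastest_report_s": min(times) if times else None,
            "outcomes": dict(Counter(o for o, _ in results.values()))}


def sample_campaign():
    """Constructed sample: four recipients, one bot hit with a bogus token."""
    key = b"campaign-2021-05-example-key"          # assumption: per-campaign secret
    rcpts = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    t = {r: make_token(key, r) for r in rcpts}
    log = [
        f'10.0.0.5 - - [03/May/2021:09:04:12 +0000] "GET /t/{t[rcpts[0]]} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'10.0.0.9 - - [03/May/2021:09:20:31 +0000] "GET /t/{t[rcpts[1]]} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'10.0.0.5 - - [03/May/2021:09:30:00 +0000] "GET /t/{t[rcpts[0]]} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [03/May/2021:09:31:44 +0000] "GET /t/0000000000000000 HTTP/1.1" 404 0 "-" "curl/7.68"',
        '10.0.0.9 - - [03/May/2021:09:32:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    ]
    reports = [
        ("2021-05-03T09:06:40+00:00", "alice@example.com",
         f"FW: Invoice overdue - I clicked this, sorry: https://mail-check.example.net/t/{t[rcpts[0]]}"),
        ("2021-05-03T09:03:05+00:00", "carol@example.com",
         "FW: Invoice overdue - looks like a scam, link removed"),
    ]
    return rcpts, key, datetime(2021, 5, 3, 9, 0, tzinfo=timezone.utc), log, reports


if __name__ == "__main__":
    rcpts, key, sent_at, log, reports = sample_campaign()
    results, unknown = classify(rcpts, key, sent_at, log, reports)
    for addr, (outcome, secs) in sorted(results.items()):
        print(f"{addr:20} {outcome:22} {secs}")
    print(summarise(results), "unknown-token hits:", unknown)
```

Two design points matter for a real run. The token is keyed rather than a plain hash of the address, so staff comparing links cannot work out who else is on the list, and the landing page should serve nothing beyond a neutral "this was a test" notice. The unknown-token counter is worth keeping: mail gateways and URL scanners often fetch links before a human sees the message, and counting those hits as clicks would overstate your click rate.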