The UK Government’s Cyber Security Breaches Survey 2016 found that a sizeable majority of businesses now recognise the importance of cyber security, but few have taken appropriate actions to improve it.
69% of online-based businesses rated cyber security as either a very high or fairly high priority for their organisation’s senior management. This awareness has been driven by media stories about high-profile breaches and their consequences, as well as key individuals within organisations recognising that cyber security affects business performance and is not solely an IT problem.
This is a positive step towards securing the UK within the global marketplace, but awareness and action are two very different things. The report found that, in 2016, only 51% of all businesses attempted to identify the cyber security risks faced by their organisation through health checks, risk assessments and audits. Furthermore, only 48% of businesses have put in place basic technical controls across all five of the areas laid out under the government-backed Cyber Essentials scheme.
The effects of not having security controls in place
Breaches cause disruption, financial loss and reputational damage. In 2016, businesses took an average of 2.3 days to deal with their most disruptive breaches, with large companies taking 4.3 days. This suggests either that the most disruptive breaches faced by larger businesses are more complex, or that larger businesses have more sophisticated systems that take longer to repair.
Financially, the effects of a breach can be quite devastating: one company admitted that a single breach cost them £3 million. The average cost of breaches experienced in 2016 was a lot lower, at £3,250 across all businesses (but £36,500 for large businesses). As online businesses grow, the financial effects of being breached or taken offline are far greater.
- Average annual cost of breaches to large businesses is £36,500.
- Only 5% of firms monitor breach costs on an ongoing basis.
- The most common cyber attacks were from viruses, spyware or malware.
- 51% of businesses have undertaken 5 or more of the government’s 10 Steps to Cyber Security.
- 48% have technical measures in the areas set out by the Cyber Essentials scheme.
- 13% of all businesses set cyber security standards for their suppliers.
- 22% of small businesses have provided staff security training in the past 12 months.