UK businesses are reporting fewer data breaches, but is this as positive as it sounds?

A third of businesses and a fifth of charities were hit by a cyber attack or data breach in the past year, the UK government’s Cyber Security Breaches Survey 2019 has found.

This is a marked improvement on the previous two years, in which 43% (2018) and 46% (2017) of businesses were breached, but it doesn’t tell the full story of the UK’s threat landscape. Although the number of organisations being targeted seems to be decreasing, those that are vulnerable to attacks are experiencing them more often, with two in five organisations saying that they come under threat at least once a month.

The threat is much higher among medium-sized businesses (60% being breached in the past year), large businesses (61%) and high-income charities (52%).

So why is this bad?

The fact that fewer organisations are being targeted by attacks is a major plus. The report says this may be because businesses and charities are going to greater lengths to become cyber secure. For example, it found that:

  • More businesses (57% vs 51% in 2018) and charities (43% vs 27%) update senior management on their cyber security actions at least once a quarter;
  • Cyber security policies are becoming more common in businesses (33% vs 27%) and charities (36% vs 21%);
  • Businesses (56% vs 51%) and charities (41% vs 29%) are more likely to have implemented controls in all five technical areas of the government’s Cyber Essentials scheme;
  • Staff awareness training is becoming more common in businesses (27% vs 20%) and charities (29% vs 15%);
  • Charities are getting better (60% vs 46%) at implementing measures such as health checks, audits and risk assessments; and
  • More medium-sized (31% vs 19%) and large businesses (35% vs 24%) have invested in cyber insurance.

These improvements have coincided with the introduction of the GDPR (General Data Protection Regulation), indicating that its compliance requirements are working.

However, the report suggests that it’s not as clear-cut as that, and that the seemingly positive conclusions might be hiding serious failures.

The effects of the GDPR

The report found that 30% of businesses and 36% of charities surveyed have made changes to their cyber security practices as a result of the GDPR. This is an incredibly low figure, given that the Regulation is mandatory and has been in effect for a year.

Even among those that have addressed the GDPR, very few have done so comprehensively. For example:

  • 60% of businesses and charities have created new policies;
  • 15% of businesses and 17% of charities have had extra staff training and communications;
  • 11% of businesses and 4% of charities changed firewall or system configurations; and
  • 6% of businesses and 10% of charities have created new business continuity or disaster recovery plans.

This suggests that, although the GDPR has benefited the small proportion that have implemented its requirements (at least partially), the majority of organisations have done little if anything to improve their cyber security practices.

This is probably a major reason that cyber attacks are becoming focused on a select group of organisations. Those that have implemented the GDPR’s requirements have protected themselves from most attacks, forcing cyber criminals to seek out more vulnerable targets.

The trend might also be explained by a change in the way organisations interpreted the survey’s questions. The government suggests that some organisations fear the repercussions of GDPR violations and might not admit to suffering cyber security breaches.

If this is true, those organisations are only making life harder for themselves. The GDPR was designed to improve transparency and make organisations take responsibility for cyber security.

Organisations that own up to data breaches (provided they weren’t caused by major security failures) have little to fear. Regulators and the public are becoming a lot more forgiving, and incidents occur with such regularity that they are practically inevitable.

However, that leniency is based on the assumption that organisations will be honest when it comes to their security measures. You can try to hide your security failures, but regulators will almost certainly discover them and levy severe fines.

Demonstrate your GDPR compliance with our documentation toolkit

One of the most important steps you can take to become transparent and accountable for your data protection practices is to document them.

The Regulation specifies that organisations must be able to demonstrate that they have adopted the necessary technical and organisational security measures, which means keeping a list of everything you’ve done, justifying why it’s been done and how often you’ve reviewed your measures.

This is a big task, but you can simplify it with our GDPR Documentation Toolkit. It contains more than 80 indispensable policies, procedures, forms, schedules and guidance documents written by our expert practitioners, which you can use to prove that you have met the GDPR’s requirements.