Half of businesses hit by cyber attack in 2019

Written by Hannah McGrath

Almost half of UK businesses (46 per cent) have fallen victim to cyber security attacks or breaches in the last year, according to the UK government’s annual cyber security survey.

Now in its fifth edition, the survey of thousands of UK businesses and charities, published by the Department for Culture, Media and Sport, showed that nearly a third of businesses (32 per cent) were experiencing breaches or attacks a least once a week, up from 22 per cent in 2017.

The survey also revealed that the nature of cyber attacks has changed in the last three years, with a marked increase in phishing attacks - up to 86 per cent of all attacks from 72 per cent in 2017.

There has been a corresponding fall in attempts made through computer viruses or malware, with the proportion almost halving from 33 per cent in 2017 to 16 per cent in 2019-2020.

Businesses have also become become more resilient to breaches and attacks over time, with fewer reports of negative outcomes or impacts from breaches. However, among the 46 per cent of businesses reporting incidents, 19 per cent have experienced a material outcome; losing money or data.

Of these, 39 per cent were negatively impacted, for example requiring new measures, having staff time diverted or causing wider business disruption.

It is also more common for businesses to immediately recover from breaches or attacks in 2020 than in 2017 (72 per cent vs 57 per cent), the survey found.

Where businesses have faced breaches with material outcomes, the average (mean) cost of all the cyber security breaches these businesses have experienced over the 12 months period was estimated at £3,230. For medium and large firms, this average cost was higher, at £5,220.

The report also showed increasing board engagement in cyber security defences, with 80 per cent of businesses saying that cyber security was a ‘high priority’ for senior management boards, up from 69 per cent in 2016’s survey.

Just over half the businesses surveyed (51 per cent) said they had updated senior management on cyber security on at least a quarterly basis. Accordingly, the proportion that said they never update them steadily declined, from 26 per cent in 2016 to 17 per cent in 2020.

In addition, two-fifths of businesses now have board members with a cyber security brief, at 37 per cent, up from 28 per cent in 2016.

When it comes to taking out insurance against cyber risk, the proportion of businesses who had invested in had risen to 32 per cent last year, while a total of 15 per cent of all businesses and 43 per cent of large businesses had made an assessment of the cyber security risks presented by suppliers.

More than a quarter (27 per cent) of businesses had reported cyber security breaches to anyone beyond their IT or cyber security providers.

The report’s conclusions stated: “Over this period, the threat has evolved, with fewer businesses identifying viruses or ransomware and more phishing attacks, in fact, the businesses identifying breaches or attacks are experiencing them more frequently than in 2017 (the start of the trend).

“It is encouraging that the number of businesses experiencing negative impacts from these breaches or attacks has declined," it continued. "This potentially indicates a growing resilience to cyber attacks, based on the changes that businesses have made over the last five years; however, continuous improvement is not guaranteed.”

The document added: “It is clear from the trend findings that the General Data Protection Regulation (GDPR) has played a major role in getting organisations to review and update cyber security policies and processes - the 2020 survey shows that many of these improvements have been maintained but not enhanced.”

It concluded: “There is still considerable room for improvement, in areas such as supplier risk, audit processes and the reporting of breaches."

Ali Neil, director of international security solutions at Verizon, commented: “This year’s DCMS cyber security survey shows almost half of UK companies have been breached or attacked in the past year, and phishing attacks continue to rise – impacting 86 per cent of organisations in the last 12 months.

"While the targets and sophistication of these attacks evolve slightly over time, ultimately the tactics used by the criminals remain the same, and there is an urgent need for businesses to put the security of their business and protection of customer data first."