SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
UK: Two Thirds of big business has been breached this year
Tue, 10th May 2016
FYI, this story is more than a year old

The UK Government has sponsored a, survey, that reveals a significant fraction of businesses have been breached this year. The survey is released with a foreword by Ed Vaizey, the Digital Economy minister who says, “The UK is a world-leading digital economy and this government has made cybersecurity a top priority. Too many firms are losing money, data and consumer confidence with the vast number of cyberattacks. It's absolutely crucial businesses are secure and can protect data.

The UK has some great technology companies, and it's one of my favourite parts of my job as an analyst to get to speak with them. We need to pay more than just lip service to this industry, and look at how the economy is geared to support the growth of the “real knowledge” sector, as opposed to those who just hang on by their fingernails.

What do we learn?

  • 69% of businesses say cyber-security is a “top priority” for senior managers. Let's look at that. Ask yourself (if you are a top manager) what your performance targets are based on. Does “cyber security” figure in there explicitly? How about “Profit”, “turnover”, “business development”, “delivery of new online services in time”? The whole point of measurable performance targets is to encourage behaviours and capabilities that drive the organisation forward. Most senior managers are targeted on productivity, because without that the business folds. Cyber-security should come a close second to that, and must be in the targets that the board sets for the CEO. Otherwise, “top priority” is just lip service.  
  • 51% have taken half of actions recommended in the UK Cyber Essentials scheme. It's easy to knock government (especially when you've had experience of what UK.Gov considers IT innovation). However, the Cyber Essentials scheme is not bad. It recommends good practise for firewalls, access control, secure configuration, malware protection, and patch management. If you're one of those senior managers making cyber-security a “top priority” then you must read this, and not pass it to a minion on your way out to something more important. If you are in the 48% minority who have not only read the scheme guide, but implemented it, then well done! Monitor everything you've got, look for fraudulent behaviour from insiders, and be like the 13% of businesses who set security standards for their suppliers.   
  • 29% have formal written cybersecurity policies. Top priority, right? Riiiight.  
  • 10% have a formal incident management plan. Here's the dirty little secret about information security (or cyber-security if you've recently got into this as an escape from something less interesting).

You will be breached.

That's important. Go back and read it again. You will be breached. At some point in time, an attacker who is resourced and determined enough, will overcome the protective controls, evade the detection mechanisms (you don't have any? uh-oh) and will be thumbing through your data repositories, working out what looks juicy and interesting enough to carry off. If you are reading this, and asking yourself “So, what constitutes resourced and determined enough”, or worse “but we don't have anything worthwhile”, then you are not entitled to claim that cyber-security is any sort of priority.

So, in the sure and certain knowledge that you will be breached, what do you do? Again, if your response to this is secretly to think that it's all too difficult, you don't get to claim any kind of priority for cyber-security. If you hold information on third parties, you have a duty to think about the hard stuff, and plan for eventualities.

What else do we learn?

  • 65% of large companies detected a cyber security attack in the last year. What about all those (small, medium, and large) who didn't detect an attack? Were they lucky? Or were they unaware? When I talk about payment security, I describe the two types of payment organisations – those who have been breached, and those who don't know it yet. Which are you?  
  • 25% of those experience a breach once a month. Again, these are the organisations who are tooled up and ready to detect and respond to a breach. If you congratulated yourself that you were one of the lucky ones, I want to play poker with you.  
  • Breaches cost money, jobs, and threaten organisational survival
    • The average cost of a big business breach was £36,500. 
    • The most expensive breach cost was £3m.  
  • Only 5% of firms have ongoing breach monitoring. Like I said, either you've been breached, or you just don't know it yet. For most firms, the way that they will find out they've been breached is:
    • Angry customer/supplier calls
    • Unfavourable press coverage
    • Notification of fraud investigations by banks, law enforcement, or both
    • Catastrophic IT failures

Again, I'm hoping that you aren't reading this and smugly thinking “This won't happen to me”. If you are, then your career is likely to be exciting. But short.