Phishing has supplanted malware as the most prolific cyber threat, study also finds

UK organizations becoming more resilient to data breaches and cyber-attacks

The pattern of cyber-attacks against UK businesses and charities is changing with more incidents of phishing set against a backdrop of a lower percentage of malware-based attacks.

Since 2017 there’s been a rise in businesses experiencing phishing attacks (up from 72% to 86%), and a fall in those targeted with viruses or other malware (from 33% to 16%).

The UK government’s Cyber Security Breaches Survey 2020, published on Wednesday, also reports a continuing rise in the overall volume of cyber-attacks.

Almost half of businesses (46%) and a quarter of charities (26%) report falling prey to cybersecurity breaches or attacks in the last 12 months. These figures are higher among medium-sized businesses (68%), large businesses (75%), and high-income charities (57%).

Among the 46% of businesses who have reported being targeted, more are experiencing these issues at least once a week in 2020 than in 2017 (32% versus 22%).

More resilient

The study – put together by the Department of Digital, Culture, Media and Sport (DCMS) – offers some positive news too. Attacks may be increasing in terms of sheer volume, but organizations have become more resilient to breaches and attacks over time.

“They are less likely to report negative outcomes or impacts from breaches, and more likely to make a faster recovery,” according to the DCMS.

One in five (19%) breaches or cyber-attacks against businesses had a “material outcome” that resulted in the loss of either money or data. Two in five (39%) were negatively impacted, for example suffering business disruption or having staff diverted to handle an attack.

Since 2017, the proportion of businesses being negatively impacted by a breach or cyber-attack has fallen by 18%.

Greater board engagement on cybersecurity issues means that resilience has gradually improved over the five-year period studied, according to the DCMS, which added that “organizations appear to have maintained, but not necessarily enhanced, the technical controls and governance processes they introduced for the General Data Protection Regulation (GDPR)” in 2016.

But although cybersecurity resilience has improved, more needs to be done, the DCMS cautions.

“There is still more that organizations might do on a range of diverse topics such as audits, cyber insurance, supplier risks and breach reporting,” the DCMS concludes. “Organizations may be confused about how they should be considering these topics and what best practice is.”

Half of businesses (50%) say they have carried out an internal or external audit in the last 12 months but the quality of these audits varies greatly with qualitative research showing that in some cases, “external audits were broader financial audits that covered aspects of cyber security but did not focus on the topic”.

Around a third (32%) of businesses have insured against cyber risks while 85% of all businesses – and 57% of large businesses – failed to review the cybersecurity risks presented by suppliers, the DCMS-sponsored study discovered.

There is likely to be a spike of opportunistic phishing and impersonation scams over the next few weeks as unscrupulous cybercriminals seek to exploit the coronavirus pandemic. Help in combating such threats, as well as adapting to remote working, comes in the form of a home working guide from the National Cyber Security Centre.

YOU MIGHT ALSO LIKE Coronavirus pandemic fuels phishing and malware surge