Over 60% Of UK Businesses Lack Any Real Cyber Security

Uploaded on 2017-04-28 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms, NEWS-Cybersecurity News

The UK government could be forgiven rising levels of frustration when it comes to the approach taken by many businesses on cyber security. 

Although three in ten (31%) now say it is a "very high" priority for their senior management, almost 60%, a "sizable proportion" of businesses, still do not have basic protections or have not formalised their approaches to this critical issue, according to a government report just out.

The Cyber Security Breaches Survey 2017, commissioned by the UK government as part of its National Cyber Security Program, consists of a telephone survey of 1,523 UK businesses. 

It highlights that virtually all UK businesses covered by it are exposed to cyber security risks. Since 2016, the proportion with websites (85%) or social media pages (59%) has risen (by 8 and 9 percentage points respectively), as has the use of cloud services (from 49% to 59%).

It also establishes that 61% of firms hold personal data on their customers electronically, which should serve to shine a strong light on the need for corporate responsibility on this matter.

Yet the survey finds that just 37% of businesses have segregated wireless networks, or any rules around the encryption of personal data. A third (33%) have a formal policy that covers cyber security risks and just 32% document such risks in business continuity plans, internal audits or risk registers. 

Only 29% have made specific board members responsible for cyber security, when arguably cyber security is a very important corporate governance issue, and has been heading in that direction for years now. Only a quarter of businesses have undertaken technical testing to evaluate their cyber security spending.

This survey demonstrates the soft underbelly of UK business in terms of its vulnerability to cyber-attacks, according to systems integrator World Wide Technology (WWT).

Moving forward, a headlong leap into poorly-defined Internet of Things (IoT) projects and Bring Your Own Device (BYOD) working practices may be putting more firms in danger of an attack, it suggests. Today’s report shows that 46% of UK businesses are exposed to the security risks of BYOD, rising to 57% in web-orientated firms.

“The range of devices being exposed to the Internet are usually not known for having mature security software, and are often in a vulnerable state. Even their manufacturers may not be in a position to regularly patch software in order to protect against online threats, let alone the enterprises that adopt these devices" says Mike McGlynn, Vice President, Security Solutions at World Wide Technology.

“It is encouraging that businesses are increasingly getting to grips with basic things like resetting default passwords or downloading software updates, often as part of a BYOD policy" he says. 

"But the device management task involved in some IoT projects is on a scale unlike anything most enterprise networks have tackled so far. Currently, most device management applications are designed for tablets and smartphones which have much more predictable behavior. They suddenly have to deal with the number and variety of devices being connected: a smart building initiative, which uses sensors in one fixed location, creates a very different security challenge than a global supply chain project" he adds.

The report highlights the importance of cyber security risks related to BYOD for the information, communications or utilities sectors, as they have a higher-than-average reliance on online services and a higher prevalence on BYOD.

But while BYOD has certainly proved a challenge for many organizations, it is the predicted explosion of connected devices, to reach 20.8 billion globally by 2020, that means that "companies must take a holistic approach to cyber security which prepares them to resist attacks at the endpoint, network, cloud, and application layers" says Mr McGlynn.

A "holistic approach to cyber security" would also be an enlightened route to better corporate governance. Too often senior management in charge at the time of data breaches and consumer cost that is not immediately quantifiable , then walk away from a disaster with big pay packages, and no accountability.

This report by the UK government says that three in five (58%) of businesses have sought information, advice or guidance on the cyber security threats facing their organizations over the past year, mainly from external security or IT consultants (32%). But, despite the government's best efforts, only 4% mention using government or public sector resources that are available.

Could it be that the great and the good in Britain's boardrooms just don't like to ask when they don't understand something?

On training, only 20% of businesses had staff attend any form of cyber security training in the last 12 months, "with non-specialist staff being particularly unlikely to have attended" says the report. As for the supply chain, 19% are "worried" about their suppliers' cyber security. But only 13% require suppliers to adhere to specific cyber security standards or good practice.

Given the UK regulator's new emphasis on the senior manager's regime and individual accountability, there is even more cause for concern. In line with the findings in 2016, the report says over a fifth (22%) of organisations never update senior managers on security issues. 

This senior manager involvement is particularly lacking, it says, among construction firms, 41% of whom never update senior managers, and transport or storage firms, where the figure is 35%.

Forbes

You Migh Also Read:

BYOD Security Is Critical For Business:

Implementing EU Privacy Laws Requires 28,000 New Data Professionals:

Directors Report January 2017. Cyber Security Checklist For Management (£)

Cybersecurity Breaches Cost UK Businesses Close To £30bn Last Year:

Cyber Insurance: 7 Questions To Ask:

« US Intelligence Agencies Fear Insiders As Much As Spies
Get Ready: Robots Will Destroy Jobs »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ID Quantique (IDQ)

ID Quantique (IDQ)

ID Quantique is a world leader in quantum-safe crypto solutions, designed to protect data for the long-term future.

OneSpan

OneSpan

OneSpan (formerly Vasco Data Security) is a global leader in digital identity security, transaction security and business productivity.

Hornetsecurity

Hornetsecurity

Meet Hornetsecurity – Leading Cloud Email Security Provider. We protect global organizations so you can focus on what you do best.

Statice

Statice

Statice develops state-of-the-art data privacy technology that helps companies double-down on data-driven innovation while safeguarding the privacy of individuals.

Inavate Consulting

Inavate Consulting

Inavate Consulting are experts in defining and implementing information assurance solutions and governance frameworks. Our ISO27001 consultants are the most experienced in the industry.

Absolute IT Asset Disposals

Absolute IT Asset Disposals

Absolute IT Asset Disposals is an IT asset disposal (ITAD) company providing safe and secure recycling of IT assets.

Intraprise Health

Intraprise Health

Intraprise Health is a Certified HITRUST Assessor and award-winning provider of health information security products and services.

Ridge Canada Cyber Solutions

Ridge Canada Cyber Solutions

Ridge Canada helps insurance brokers and insurance buyers understand, evaluate, and secure cyber coverage that is tailored to their business.

Drawbridge

Drawbridge

Drawbridge is a premier provider of cybersecurity software and solutions to the alternative investment industry.

PCI Security Standards Council (PCI SSC)

PCI Security Standards Council (PCI SSC)

The PCI Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments.

Cyberlocke

Cyberlocke

Cyberlocke is dedicated to finding inventive solutions to meet the distinct IT obstacles of each organization we support.

Pixee

Pixee

Pixee fixes vulnerabilities, hardens code, squashes bugs, and gives engineers more time to focus on the work that counts.

Q-Bird

Q-Bird

Q*Bird's mission is to provide equipment for the current, and future European quantum internet.

Velaspan

Velaspan

Velaspan design, deploy, and manage enterprise wireless networks and cybersecurity solutions for leading businesses and brands.

Upwind Security

Upwind Security

Upwind delivers comprehensive cloud security, precisely when and where it’s most critical.

Arctera

Arctera

Arctera simplifies data management to keep you secure. Our company operates as three units - Data Compliance, Data Resilience, and Data Protection.