In March, the government published its sixth annual Cyber Security Breaches Survey, highlighting how businesses have dealt with cyber risk during the pandemic.
The survey reports that four in 10 businesses (39%) and a quarter of charities (26%) suffered cybersecurity breaches in the previous 12 months; with the proportions being even higher among medium-sized and large businesses, and high-income charities. This is down on 2020, when it was reported that 46% of businesses identified attacks. However, this is unlikely to be attributable to increased success in thwarting breaches, but rather the reduction in trading activity during the pandemic.
Other evidence from the study suggests that the risk level is in fact higher as a consequence of the pandemic, and that organisations are finding it harder to protect themselves. The reduction in breaches may suggest that businesses are simply less aware of the breaches taking place than previously.
Struggle to adapt
Covid-19 has undoubtedly led to significant changes in the way businesses operate. Many organisations have made substantial changes to their digital infrastructure, with laptops or tablets issued to staff, virtual private networks being established or expanded, cloud servers being used with more frequency, and new software being introduced. For many organisations, these changes have made cybersecurity and fraud detection much more challenging. For example, the evidence indicates:
- 5% fewer businesses are using security monitoring tools, and 6% fewer were employing any type of user monitoring;
- 5% fewer businesses report having up-to-date malware protection; and
- 5% fewer businesses have network firewalls.
This lack of up-to-date hardware and software creates a more inviting ecosystem in which cybercriminals can operate. For example, 32% of large businesses report operating unsupported versions of Windows, which is a significant security risk.
More generally, many businesses are operating on stretched resources, and taking steps to protect against cyber threats may take second place to other priorities.
Phishing remains by far the most common threat, accounting for 83% of cybersecurity incidents, with businesses reporting a much increased frequency of incidents since the start of the pandemic. The second most common threat remains fraudsters impersonating an organisation in emails or online. The range of threats remains wide, however; in addition to phishing and impersonation, spyware and malware remain common, as does ransomware. Denial of services attacks are frequent, as is the hacking and taking over of organisation’s or users’ email accounts.
What is being done?
Despite the challenges, cybersecurity remains a high priority: 84% of business respondents say they have not changed their already vigilant approach to cybersecurity; 14% of businesses considered cybersecurity to be a higher priority than it was previously.
Research suggests some organisations have increased investment in IT and cybersecurity in response to the pandemic. Many organisations adopted new security solutions, including cloud security and multi-factor authentication, or new rules requiring VPN connections to access files. Importantly, many organisations are putting in place clear breach response strategies.
The evidence suggests businesses are placing an increased reliance on cyber insurance to protect themselves from the impact of data breaches. Some 43% of respondents confirm they have taken out some form of cyber insurance (a substantial increase of 11% from 2020). A common reason for doing so, even for larger organisations, is a recognition that a significant breach could be an ‘existential threat’. The risk of fines that might be levied is also cited as a reason for obtaining cover. The increasing number of policies being written, together with the constantly evolving nature of cyber breaches, may bring with it an increase in coverage disputes.
Other than insurance, businesses also commonly undertake risk assessments (34%), staff testing and training (20%) and audits (15%). However, although businesses are increasingly putting in place response strategies, the evidence suggests that those policies are far from comprehensive. Whereas formal response processes are relatively common in large organisations, this is much less so for small to medium-sized businesses. There is evidently work to be done to ensure smaller businesses develop a clear and comprehensive plan of what to do should they suffer a breach.
Notably, communication and PR plans are often absent, even among larger organisations. This is surprising, given the potential for reputational damage and adverse public opinion in the light of a significant breach.
What more can be done?
The clear message from the government’s survey is that businesses remain aware of the significant risks posed by cybercriminals, but that those risks have increased as a result of the pandemic. Most businesses continue to take steps to mitigate those risks.
As ever, more can be done. Organisations should give greater consideration to managing cyber risks in a ‘blended’ working environment, where flexible working is more common. This might involve improving IT infrastructure and security policies, and increasing staff training. Appropriate insurance should be obtained and existing policies checked to ensure the right cover is in place. Breach response policies and business continuity policies should be put in place and regularly reviewed, with the advice of legal and technical experts. Research indicates that only three in 10 businesses have such policies, despite the fact that a robust policy, which is clear and known to all staff, will minimise financial and reputational damage.
Leigh Callaway is a senior associate at Fladgate and committee member of the London Solicitors Litigation Association