Jayesh Navin Shah, from Ipsos MORI Public Affairs, presented our findings on cyber resilience among UK businesses and charities at the SC Digital Congress 2021. The findings are taken from Ipsos MORI’s Cyber Security Breaches Survey 2021, carried out on behalf of the UK Department for Digital, Culture, Media and Sport.
https://www.sccongressuk.com/digital-congress/
The state of cyber resilience in the UK
1. The state of cyber resilience in the UK
June 2021
Jayesh Navin Shah, Ipsos MORI
2. SC Annual Digital Congress: the state of UK cyber resilience | June 2021 | Version 1 | PUBLIC
The Cyber Security Breaches Survey
• Annual survey of organisations for DCMS carried out since 2016
• Originally covering businesses, with charities added in 2018
• Comprehensive metrics – cyber policies and processes, and impact of breaches or attacks
Representative telephone survey in winter 2020/21
• 1,419 UK businesses and 487 registered charities
• All businesses with employees except agricultural sector
• Data weighted to be representative by size, sector and income (for charities)
Qualitative interviews with cyber leads in early 2021
• 17 businesses, 8 charities and 7 universities recruited from the quantitative survey
• Range of sizes and sectors
• Exploring specific topics in depth, including cyber security under COVID-19 and future priorities
3. Long-term trends
4. Cyber security has risen up the priority list for businesses and charities over the past five years
Bases (for 2021): 1,419 UK businesses; 487 charities
• 77% of businesses say that cyber security is a high priority for their directors (vs. 69% in 2016)
• 17% never update their directors on any actions taken around cyber security (vs. 26% in 2017)
• 53% have sought external information or guidance on cyber security in the last 12 months (vs. 44% in 2016)
• 34% have heard of the government’s Cyber Aware campaign (vs. 21% in 2017)
Charity callouts shown on the slide:
• Up 15 points to 68% for charities since 2018
• Down 13 points to 23% for charities since 2018
• Up 8 points to 38% for charities since 2018
5. Increasing numbers of businesses and charities are implementing good practice
Bases (for 2021): 1,419 UK businesses; 487 charities
[Bar chart. Series: businesses in 2021; businesses in 2018]
Measures:
• Back up their data on cloud servers
• Have written cyber security policies
• Have carried out cyber risk assessments in the last 12 months
Chart values, in extracted order: 27%, 24%, 58%, 33%, 34%, 70%
Charity callouts shown on the slide:
• Up 13 points to 51% for charities since 2018
• Up 17 points to 36% for charities since 2018
• Up 12 points to 32% for charities since 2018
6. The qualitative research reveals multiple drivers of change
• GDPR implementation in May 2018
• Experiencing an incident
• Competitors or peers being breached
• Increasing cyber security demands from clients or as part of procurement
“An agency in the same industry was breached recently, and this gained attention at all levels, including the board. We had to issue a report that compared our cyber security against theirs, to reassure people and to point out where we’d need to change things over the next 6 to 12 months.”
Cyber lead in large business
7. Where do businesses and charities stand today?
8. Large proportions of businesses and charities have basic technical controls covering the Cyber Essentials areas and Cyber Aware guidance
Bases: 1,419 UK businesses; 487 charities
[Bar chart. Series: businesses; charities]
Measures:
• have up-to-date malware protection
• have a password policy that ensures users set strong passwords
• restrict IT admin and access rights to specific users
• have firewalls that cover their entire IT network, as well as individual devices
• have security controls on their own devices
• have a policy to apply security updates within 14 days
Chart values, in extracted order: 83%, 79%, 78%, 75%, 62%, 43%, 69%, 57%, 57%, 71%, 48%, 27%
9. There is evidence that businesses (and charities) are now more resilient to cyber incidents than before
Bases: 600+ businesses per year that identified a breach or attack in the previous 12 months
*Weighting approach changed from 2020 (with expected minimal impact on trends)
Among the businesses that identified breaches or attacks in the previous 12 months …
• say it took no time at all to recover: 57% (2017), 64% (2018), 66% (2019), 72% (2020*), 71% (2021)
• say they were impacted (e.g. had to take on new measures): 57% (2017), 53% (2018), 47% (2019), 39% (2020*), 35% (2021)
• had a negative outcome (e.g. loss of money or data): 38% (2017), 34% (2018), 25% (2019), 19% (2020*), 18% (2021)
10. But organisations cannot ignore the potentially costly nature of cyber incidents
Bases: 143 businesses that identified a breach or attack with an outcome in the last 12 months; 69 medium and large businesses
• 39% of businesses identified a cyber breach or attack in the last 12 months
• Of these 39%: 18% experienced a negative outcome (e.g. loss of money or data)
• £8,460 average annual cost for all businesses that lost data/assets after breaches
• £13,400 average annual cost for medium/large businesses that lost data/assets after breaches
11. The impact of COVID-19 on cyber security
12. COVID-19 has had a mixed impact on attitudes towards cyber security, according to cyber leads
Bases: 1,419 UK businesses; 487 charities
84% of businesses and 80% of charities say COVID-19 has made no change to the importance they place on cyber security
• Some increased their investment in IT and cyber security to cope with surging demand
• New security solutions adopted or sped up, e.g. cloud security, MFA and VPN protocols
• But management boards and end users do not always appreciate the role of cyber security in long-term business continuity – sometimes viewed as in conflict
13. “Cyber security was a lower priority at the beginning because … from the other directors’ perspective, it’s their job to keep the business running at whatever cost … We still need to be confident that whatever we do isn’t going to make us any more vulnerable. But it wasn’t the time to say, ‘I think we should start making things more secure’.”
Cyber lead in medium business
14. It has made cyber security harder in many cases
• Direct user monitoring much harder or more costly due to remote working
• Dealing with hardware and software changes and upgrades more difficult
• Stretched resources and competing priorities, e.g. IT service continuity and maintenance work vs. patching
“We could miss an email that is dodgy … It’s harder because people aren’t in the office. We’ve let it slip. We don’t have the resource to remind them.”
Cyber lead in small business
“There has been a shortage of operational IT people who can help … We don’t have a big team, but we’ve had to increase it from two to three, and we’re buying in consultancy support. We had nothing like this before.”
Cyber lead in charity
15. And these extra challenges are impacting how well organisations are dealing with cyber security
Bases (for 2021): 1,419 UK businesses; 487 charities
[Bar chart. Series: businesses in 2021; businesses in 2020]
Measures:
• Have up-to-date malware protection
• Have network firewalls
• Monitor user activity
• Use security monitoring tools
Chart values, in extracted order: 38%, 40%, 83%, 88%, 32%, 35%, 78%, 83%
Charity callouts shown on the slide:
• Down 8 points to 69% for charities since 2020
• Down 15 points to 57% for charities since 2020
• Down 9 points to 29% for charities since 2020
16. Immediate and future priorities
17. Many organisations can do more to prepare for the challenges of blended working environments
Bases: 1,419 UK businesses; 487 charities
[Bar chart. Series: businesses; charities]
Measures:
• have a VPN for remote working
• use smart devices in their workplace
• have cyber security policies that cover home working
• have a business continuity plan covering cyber security
• have cyber security policies that cover use of personal devices for work
Chart values, in extracted order: 46%, 34%, 31%, 23%, 18%, 30%, 20%, 27%, 23%, 23%
18. Organisations acknowledged that they needed to make continuous improvements to cyber security
• Rolling out multi-factor authentication
• Tweaking policies and processes to cover Software as a Service (SaaS)
• Improving monitoring in a blended working environment
• A changing cyber security culture – moving away from locking down user activity
“My task list in my security programme is pretty much the same. Just maturing as you would expect. People want to use technology more. The more systems, the more tech we use – we need to make sure it is being used securely.”
Cyber lead in medium business
19. There are plenty of wider areas for organisations to focus on for further improvements in cyber security
Bases: 1,419 UK businesses; 487 charities
[Bar chart. Series: businesses; charities]
Measures:
• Test their staff (e.g. via mock phishing exercises)
• Train staff on cyber security
• Have reviewed the cyber security risks posed by suppliers
• Have heard of Cyber Essentials
Chart values, in extracted order: 8%, 10%, 18%, 14%, 12%, 14%, 14%, 20%
20. Summing up
• An increasingly high priority for UK organisations of all sizes
• COVID-19 has not made cyber security any less important
• COVID-19 has made cyber security harder
• User expectations are also changing
• Organisations can still do more to prepare for disruptions under blended working
21. Thank you
jayesh.shah@ipsos.com