UK businesses failing basic security measures
Government survey finds that British firms and charities don't do the fundamentals
Britain's business are still ignoring basic security fundamentals, with almost half failing to implement foundational security protections.
This is according to the annual Cyber Security Breaches Survey, conducted by the Department for Digital, Culture, Media and Sport to assess the security awareness and preparedness of businesses in the UK, which found that many UK companies are not following the basic security steps laid out as part of the government's Cyber Essentials scheme.
The Cyber Essentials scheme allows organisations to obtain an independent accreditation for applying five key security practices, including maintaining properly-configured firewalls, running antivirus software, applying patches in a timely manner, limiting IT admin rights to specific users and applying security policies to corporate devices.
While these are basic steps, just 50% of the businesses surveyed as part of the report were implementing all five within their organisation. The number was even lower for charities, with less than a third reporting that they had applied all five measures.
"The number of businesses making cybersecurity a priority has increased year-on-year, but this survey shows that there is still a long way to go in addressing the very basics," said Tony Pepper, CEO of file-sharing firm Egress.
"The fact that almost 50% of businesses haven't implemented the government's five basic technical controls from Cyber Essentials is concerning, especially as we approach GDPR. From 25 May, a business that is breached will have to prove that it did everything it could to protect sensitive data, so ticking these five boxes is key."
Alarmingly, 68% of Britain's charities spent no money whatsoever on cyber security during the previous financial year, and neither did one-third of businesses. This includes outsourced security services, staff training and technology investment.
Of the organisations that did invest in security protections, the vast majority were motivated predominantly by a desire to protect the data of customers and donors, with 47% of businesses and 62% of charities citing this as the biggest factor.
Despite the comparatively low level of investment in security by many organisations, three-quarters of businesses believe that they have enough cyber security professionals within the company to deal with any risks, and 70% believe that these employees have the correct skills to do so.
This apparently signifies a certain level of over-confidence, judging by the fact that 43% of all businesses experienced an attack or breach over the last 12 months, with almost one in 10 businesses being hit multiple times per day.
"While it's troubling to hear that almost half of UK businesses have experienced a cyber attack in the past year, the actual volume of these incidents is likely considerably higher," said Gemalto's CTO and former ethical hacker, Jason Hart. "In fact, we've seen from our Breach Level Index that almost as many data incidents are caused by accidental loss, as malicious outsiders."
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now