Half of UK businesses had no security policies in place in 2020

Businesses struggled to keep track of devices or employees during the pandemic, DCMS finds

Fewer UK organisations are deploying protective measures, such as security monitoring tools and up-to-date antivirus software, despite the heightened security risk during 2020.

The proportion of businesses and charities using security monitoring tools fell from 40% in 2019 to 35% in 2020, mirroring a fall in the use of employee monitoring from 38% to 32%, according to a report by the Department for Digital, Culture, Media and Sport (DCMS).

This is alongside a reduction in the number of organisations using up-to-date antivirus software, from 88% to 83%.

Overall, only 52% of businesses and 47% of charities enacted one or more cyber security measures in 2020, including using monitoring tools, conducting risk assessments, testing staff, conducting audits, penetration testing, or investing in threat intelligence.

This decline in overall cyber resilience coincides with an escalation in security risk due to the COVID-19 pandemic. Studies have shown that phishing and ransomware attacks rose significantly during 2020, for instance, while the business landscape was shaken by several high-profile incidents including a devastating attack on SolarWinds' supply chain.

The DCMS also found that 39% of businesses and 26% of charities reported breaches or attacks during 2020, with factors like remote working making securing IT environments more challenging.

In her first speech today as newly-appointed NCSC CEO, Lindy Cameron warned businesses not to be complacent about cyber security in light of emerging trends, including those highlighted by this report.

“Cyber security is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking,” Cameron said. “The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their Finance Director and General Counsel.

“Recent global cyber incidents involving SolarWinds and Microsoft Exchange have shown, in different ways, the range of cyber threats we currently face. As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online.”

The DCMS' report outlined how dealing with COVID-19 posed a major challenge to UK organisations during 2020, and contributed to a reduced focus on cyber security.

The rise of remote working, video conferencing, and a transition from paper to digital record-keeping required rapid changes in digital infrastructure, including issuing laptops or setting up virtual private networks (VPNs) for staff. This pace of change, however, led to glaring issues for a handful of businesses.

Direct user monitoring was generally much harder where employees were working remotely, which delayed organisations from catching and dealing with cyber attacks, the report said.

Large organisations, in particular, found dealing with hardware and software changes more difficult, given the sudden surge in the number of endpoints to manage. Retrieving and updating hardware, too, was difficult considering staff were distributed.

The pandemic also stretched resources and led to competing priorities, the report concluded. In some cases, there was a perceived conflict between prioritising IT service continuity, and aspects of security, such as patching. A reduction in personnel and time also meant it was much harder to carry out security awareness training.

Once resource bottlenecks eased, senior management typically prioritised business continuity over cyber security, with a lack of acknowledgement that security itself should be a key component of business continuity, the report found.

The DCMS' conclusions echo the views of experts in the field. Security professionals speaking on a panel discussion hosted by Orange Cyberdefense last month blasted the “head in the sand” approach many organisations, particularly small and medium-sized businesses (SMBs), took to cyber security in 2020.

They agreed that some SMBs were undermining security efforts by failing to routinely patch newly-adopted technologies, as well as paying ransom demands against the advice of security experts.

“Prior to the pandemic, we saw that many small businesses and SMBs had very much a ‘head in the sand’ approach to cyber security, with a lot thinking they didn’t need to take it seriously,” said CEO and founder of the UK Cyber Security Association Lisa Ventura.

“But today, with the move to getting everybody working from home quickly last year, from a business continuity perspective, we’re seeing more small businesses and SMBs finally starting to take their cyber security posture much more seriously.”
