Half of UK businesses had no security policies in place in 2020
Businesses struggled to keep track of devices or employees during the pandemic, DCMS finds
Fewer UK organisations are deploying protective measures, such as security monitoring tools and up-to-date antivirus software, despite the heightened security risk during 2020.
The proportion of businesses and charities using security monitoring tools fell from 40% in 2019 to 35% in 2020, mirroring a fall in the use of employee monitoring from 38% to 32%, according to a report by the Department for Digital, Culture, Media and Sport (DCMS).
This is alongside a reduction in the number of organisations using up-to-date antivirus software, from 88% to 83%.
Overall, only 52% of businesses and 47% of charities enacted one or more cyber security measures in 2020, including using monitoring tools, conducting risk assessments, testing staff, conducting audits, penetration testing, or investing in threat intelligence.
This decline in overall cyber resilience coincides with an escalation in security risk due to the COVID-19 pandemic. Studies have shown, for instance, that phishing and ransomware attacks rose significantly during 2020, while the business landscape was shaken by several high-profile incidents, including a devastating attack on SolarWinds' supply chain.
The DCMS also found that 39% of businesses and 26% of charities reported breaches or attacks during 2020, with factors like remote working making securing IT environments more challenging.
In her first speech today as newly-appointed NCSC CEO, Lindy Cameron warned businesses not to be complacent about cyber security in light of emerging trends, including those highlighted by this report.
“Cyber security is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking,” Cameron said. “The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their Finance Director and General Counsel.
“Recent global cyber incidents involving SolarWinds and Microsoft Exchange have shown, in different ways, the range of cyber threats we currently face. As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online.”
The DCMS' report outlined how dealing with COVID-19 posed a major challenge to UK organisations during 2020, and contributed to a reduced focus on cyber security.
The rise of remote working, video conferencing, and a transition from paper to digital record-keeping required rapid changes in digital infrastructure, including issuing laptops or setting up virtual private networks (VPNs) for staff. This pace of change, however, led to glaring issues for a handful of businesses.
Direct user monitoring was generally much harder where employees were working remotely, which delayed organisations from catching and dealing with cyber attacks, the report said.
Large organisations, in particular, found dealing with hardware and software changes more difficult, given the sudden surge in the number of endpoints to manage. Retrieving and updating hardware was also difficult because staff were distributed.
The pandemic also stretched resources and led to competing priorities, the report concluded. In some cases, there was a perceived conflict between prioritising IT service continuity, and aspects of security, such as patching. A reduction in personnel and time also meant it was much harder to carry out security awareness training.
Once resource bottlenecks eased, senior management typically prioritised business continuity over cyber security, with a lack of acknowledgement that security itself should be a key component of business continuity, the report found.
Taking a proactive approach to cyber security
The DCMS' conclusions echo the views of experts in the field. Security professionals speaking on a panel discussion hosted by Orange Cyberdefense last month blasted the “head in the sand” approach many organisations, particularly small and medium-sized businesses (SMBs), took to cyber security in 2020.
They agreed that some SMBs were undermining security efforts by failing to routinely patch newly-adopted technologies, as well as paying ransom demands against the advice of security experts.
“Prior to the pandemic, we saw that many small businesses and SMBs had very much a ‘head in the sand’ approach to cyber security, with a lot thinking they didn’t need to take it seriously,” said CEO and founder of the UK Cyber Security Association Lisa Ventura.
“But today, with the move to getting everybody working from home quickly last year, from a business continuity perspective, we’re seeing more small businesses and SMBs finally starting to take their cyber security posture much more seriously.”