
Cyber health check

by Mark Rowe

Charities are as susceptible to cyber attacks as businesses, according to a ‘cyber health check’ survey of the UK’s biggest 350 companies. More than two thirds of boards had not received training to deal with a cyber incident (68 per cent), despite more than half saying cyber threats were a top risk to their business (54 per cent).

One in ten FTSE 350 companies said they operate without a response plan for a cyber incident (ten per cent) and less than a third of boards receive comprehensive cyber risk information (31 per cent).

At the Department for Digital, Culture, Media and Sport (DCMS) Minister for Digital Matt Hancock said: “We have world leading businesses and a thriving charity sector but recent cyber attacks have shown the devastating effects of not getting our approach to cyber security right. These new reports show we have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre and take up the Government’s advice and training. Charities must do better to protect the sensitive data they hold and I encourage them to access a tailored programme of support we are developing alongside the Charity Commission and the National Cyber Security Centre.”

There has been progress in some areas when compared with last year’s health check, with more than half of company boards now setting out their approach to cyber risks (53 per cent up from 33 per cent) and more than half of businesses having a clear understanding of the impact of a cyber attack (57 per cent up from 49 per cent).

Alex Dewdney, NCSC Director for Engagement, said: “The NCSC is committed to making the UK the safest place in the world to live and do business online. We know that we can’t do this alone – everyone has a part to play. That’s why we’re committed to providing organisations with expert advice through our website and direct engagement. We also urge organisations to follow the guidance in the Government’s Cyber Essentials Scheme.”

The FTSE 350 Cyber Governance Health Check was carried out with audit firms including Deloitte, EY, KPMG and PWC: https://www.gov.uk/government/publications/cyber-governance-health-check-2017.

Separate new research looking at the cyber security of charities found charities are just as susceptible to cyber attacks as businesses, with many staff not well informed about the topic and awareness and knowledge varying considerably across different charities. Other findings show those in charge of cyber security, especially in smaller charities, are often not proactively seeking information and are relying on outsourced IT providers to deal with threats.

Where charities recognised the importance of cyber security, this was often due to holding personal data on donors or service users, or having trustees and staff with private sector experience of the issue. Charities also recognised that those responsible for cyber security need new skills and that general awareness among staff needs to rise. Visit: https://www.gov.uk/government/publications/cyber-security-in-charities.

Comments

Dr Malcolm Murphy, Technology Director for Western Europe at Infoblox said: “While this year’s Cyber Governance Health Check report certainly shows that considerable progress has been made, unfortunately it’s clear that cybersecurity is still not a top priority for all UK organisations.

“Ten percent of boards surveyed still don’t have a plan in place to respond to a cyber-incident – making themselves instantly more vulnerable. In light of the devastation caused by global cyberattacks already this year, all companies need to ensure they have a thorough plan of response as a matter of urgency.

“DDoS attacks in particular can significantly disrupt an organisation’s services and when this happens a plan of action forms a vital part of the defence. Such attacks are often used by criminals as a smokescreen for other nefarious activity such as data theft or extortion, and organisations need to have a clear process in place to assess the extent of the breach and prevent any further damage.”

Stuart Clarke, Chief Technology Officer, Cybersecurity, Nuix said: “The reality is that cyber security is now impossible to ignore. We’re seeing large-scale attacks increase in frequency, and the worst thing is – many are often preventable. In the case of attacks such as WannaCry and Petya, both attacks took advantage of the same vulnerabilities – a technical vulnerability that had already been patched and the human vulnerability that is of critical importance. If organisations had practiced good cyber-hygiene and developed a cyber aware organisation, both could have easily been prevented.

“CEOs must understand that a rigorous employee awareness training programme for every employee helps reduce overall cybersecurity risk. It helps people understand when they are being asked to bend the rules – or when other users are compromising critical information – as well as how and to whom they should report this behaviour. It also helps protect the organisation’s information ‘crown jewels’ – including credit card information, personal details and intellectual property – and control the number of users who can access this important data.”

Dave Palmer, Director of Technology at cyber firm Darktrace said: “While it is encouraging to see the cyber defense debate increasingly rise to the board agenda and organisations better understanding the ramifications of a cyber-attack on their business, we are lagging behind in terms of taking decisive action to make ourselves more resilient to sophisticated cyber-attacks. We need to see words translate into actions – attackers often strike indiscriminately, making everyone vulnerable. Charities bear the brunt due to their antiquated systems and lean security team, but we’ve seen some of the best-resourced global companies severely disrupted by cyber-attacks that are only slight variations of previous ones. The reality is that humans alone can no longer stay ahead of novel, fast-spreading attacks. Organisations big and small need an AI-powered immune system to spot and stop ‘unknown unknown’ threats before they have inflicted damage.”

And Andre Stewart, VP EMEA at Netskope said: “This report should be a wake-up call for UK businesses. While it’s positive to see that cyber risk is seen as a top priority for boards, one in ten operate without a plan in place for responding to a cyber incident and over two-thirds have not yet received any incident response training. This is madness when faced with an expanding threat landscape and an increasing appetite amongst cybercriminals for data of any kind. The breadth of attacks over the last 12 months, from the worldwide reach of WannaCry to the targeted blackmailing of hacked organisations like HBO, makes it more than clear that every organisation needs to be prepared for the worst. Investments in technology and shifting to more efficient cyber policies can limit risk and keep cybercriminals at bay but organisations have a real responsibility to their customers. This means being accountable for their data, keeping it private – and being prepared to act quickly if they are the victim of an attack.

“Businesses must undertake their due diligence. Beyond preparing for an incident, they should be monitoring access to data across both the cloud and on premise. As critical data continues to spread beyond the traditional perimeter network and employees increasingly look to cloud services to get work done more efficiently, this vigilance will become even more important.”


© 2024 Professional Security Magazine. All rights reserved.
