According to the 6th annual edition of the Cyber Security Breaches Survey 2021 highlighting the risks, frequency, and business attitudes towards cybersecurity in the UK, the majority of businesses say COVID-19 has made no change to the importance they place on cyber security.
We have summarised the key takeaways from this report for your interest and convenience. You can read the entire Cyber Security Breaches Survey 2021 here.
- Breaches have increased in the last year for large and medium businesses – Four in ten businesses (39%) and a quarter of charities (26%) report having cybersecurity breaches or attacks in the last 12 months. This is higher among medium businesses (65%) and large businesses (64%).
- Businesses are experiencing attacks at least weekly – Among those that have identified breaches or attacks, around a quarter (27% of these businesses and 23% of these charities) experience them at least once a week. The most common by far are phishing attacks (for 83% and 79% respectively), followed by impersonation (for 27% and 23%). Broadly, these patterns around frequency and threat vectors are in line with the 2020 and 2019 results.
- Directors and senior managers are tasked with cybersecurity as a high priority – Three-quarters (77%) of businesses say cybersecurity is a high priority for their directors or senior managers, with half updating their senior management teams about the actions taken on cybersecurity at least quarterly, in line with the 2020 results.
- COVID-19 has not raised the importance of cybersecurity with businesses, even though staff are working remotely – Overwhelmingly, businesses (84%) and charities (80%) say COVID-19 has made no change to the importance they place on cybersecurity
- Small businesses are failing to adequately protect themselves from cyber threats compared to medium and large businesses – Small businesses fail to take out some form of cyber insurance (43% of businesses and 29% of charities), up from 32 percent for businesses in 2020. Many small businesses also fail to undertake cybersecurity risk assessments (34% and 32%), test their staff through mock phishing exercises (20% and 14%), and fail to carry out cybersecurity vulnerability audits (15% and 12%).
- Few businesses have cybersecurity policies covering personal devices – A quarter of companies and charities (23% of each) have cybersecurity policies that cover home working. A fifth of businesses (18%) and a quarter of charities (23%) have policies that cover the use of personal devices for work. The extent to which these areas feature in cybersecurity policies has not changed significantly since last year.
- More businesses are using network-connected devices than ever before – Over four in ten businesses (46%) and three in ten charities (30%) are using smart (i.e., network-connected) devices in workplaces. This was also a new question for 2021 and highlighted a potential new cyber risk area for organisations to address.
As the UK adapts business models and working practices in response to the COVID-19 pandemic, organisations may need to consider what they can do to mitigate cybersecurity risks in at-work/in-home blended working environments.
When looking at future cybersecurity ambitions and expected challenges, many wish to make continuous improvements. The best way that companies can ensure they are protected against cyber attacks is to have their applications and websites tested for vulnerabilities with penetration testing.
Contact the Omnicyber Security operations centre to arrange pen testing for your business or organisation. Omnicyber is a Darktrace, IASME, and Crest accredited company using the latest techniques to tackle cyber threats.