Businesses and charities urged to train more people to help manage cyber risks

Through the CyberFirst programme, the Government is working with industry and education to improve cyber security and get more young people interested in taking up a career in cyber.

The Cyber Discovery initiative has already encouraged 46,000 14 to 18 year olds to get on a path towards the cyber security profession, over 1,800 students have attended free CyberFirst courses and nearly 12,000 girls have taken part in the CyberFirst Girls competition.

The Government’s initial Cyber Skills Strategy, published in December, will be followed by a full strategy later this year.

New statistics from the Department for Digital, Culture, Media and Sport (DCMS) have shown a reduction in the percentage of businesses suffering a cyber breach or attack in the last year.

The 2019 Cyber Security Breaches Survey shows that 32% of businesses identified a cyber security attack in the last 12 months – down from 43% the previous year.

The reduction is partly due to the introduction of tough new data laws under the Data Protection Act and the General Data Protection Regulations (GDPR). 30% of businesses and 36% of charities have made changes to their cyber security policies and processes as a result of GDPR coming into force in May 2018.

However, of those businesses that did suffer attacks, the typical median number of breaches has risen from 4 in 2018 to 6 in 2019. Therefore, businesses and charities suffering cyber attacks and breaches appear to be experiencing more attacks than in previous years.

Where a breach has resulted in a loss of data or assets, the average cost of a cyber attack on a business has gone up by more than £1,000 since 2018 to £4,180. Business leaders are now being urged to do more to protect themselves against cybercrime.

The most common breaches or attacks were phishing emails, followed by instances of others impersonating their organisation online, viruses or other malware including ransomware.

Digital Minister Margot James said:

Following the introduction of new data protection laws in the UK it’s encouraging to see that business and charity leaders are taking cyber security more seriously than ever before. However, with less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.

We know that tackling cyber threats is not always at the top of business and charities list of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.

Business and charity leaders are being encouraged to download the free small business guide and free small charity guide to help make sure that they don’t fall victim to cyber attacks. This is available through the National Cyber Security Centre (NCSC).

Clare Gardiner, Director of Engagement at the NCSC, said:

We are committed to making the UK the safest place to live and do business online, and welcome the significant reduction in the number of businesses experiencing cyber breaches.

However, the cyber security landscape remains complex and continues to evolve, and organisations need to continue to be vigilant.

The NCSC has a range of products and services to assist businesses, charities and other organisations to protect themselves from cyber attacks, and to deal with attacks when they occur. These include the Board Toolkit providing advice to Board level leaders, and guides aimed at small businesses and small charities.

The threat of cyber attacks remains very real and widespread in the UK. The figures published today also show that 48% of businesses and 39% of charities who were breached or attacked, identified at least one breach or attack every month.

Cyber security is becoming more of a priority issue, especially for charities. Those charities who treated cyber security as a high priority has gone up to 75% in 2019, compared with just 53% the year before, and is now at the same level as businesses.

Small businesses and charities are being urged to take up tailored advice from the National Cyber Security Centre. All businesses should consider adopting the Ten Steps to Cyber Security, which provides a comprehensive approach to managing cyber risks. Implementation of the 10 Steps will help organisations reduce the likelihood and cost of a cyber attack or cyber related data breach.

Organisations can also raise their basic defences by enrolling on the Cyber Essentials initiative and following the regularly updated technical guidance on Cyber Security Information Sharing Partnership available on the NCSC website.

The annual Cyber Security Breaches survey is part of the Government’s National Cyber Security Strategy, which is investing £1.9 billion over five years to make the UK the safest place to live and work online.

Stephen Jones, MD UK & Nordics, SANS Institute, said:

“The Government’s most recent Cyber Security Breaches Report highlights the continued high number of UK organisations to suffer one or more cyber-attacks last year. Although the good news is that the number of businesses affected is decreasing, it’s not good news that the average number of breaches has gone up among those companies that are experiencing attacks, as has the average cost of a breach. This ongoing inability of companies and other organisations to stem the tide of personal data leaving their networks should not be a surprise to anyone in the cyber security industry. The fact is that businesses of all sizes, charities and public sector organisations will continue to struggle with widespread cyber-attacks and breaches while the cyber security skills gap remains so wide. 

“In order to protect our business and public institutions it is critical that we a) ensure existing security professionals remain up to speed with current threats, and b) find ways of identifying, retraining and attracting new talent into the security industry. However, while important, these approaches can only do so much. To ensure that we are creating a pipeline of cyber security experts for the future, a new approach is needed: one that targets talent much earlier. 

“The only way to ensure widespread understanding of cyber security, both as a threat and as a critical career path, is to educate students, as well as their parents and teachers, from an early age, while they are still at school. CyberFirst and the DCMS-backed Cyber Discovery programme are making encouraging inroads in this regard, by giving interested teenagers a chance to explore the skills needed to be a cyber defender. However, we need to build on and strengthen programmes like these in order to cultivate undiscovered talent and promote cybersecurity as a credible career path to the younger generations. The ultimate outcome will be better security for our nation’s businesses and charities, and a step in the right direction towards reducing the skills gap.” 

The survey builds on the ongoing programme of Government action on cyber security, which has recently included the publication of the NCSC “Board Toolkit”, the publication of the Cyber Health Check for FTSE350 companies, a series of Ministerial roundtables with leading UK companies, and the Cyber Aware campaign for small businesses and the public.

Businesses and charities can protect themselves online using the practical guidance offered by the National Cyber Security Centre, such as the Cyber Security Guide for Small Businesses and the Cyber Security Guide for Small Charities.

The Cyber Security Breaches Survey 2019 was carried out for DCMS by Ipsos MORI, in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth.

The survey methodology consists of a random probability telephone survey of 1,566 UK businesses (excluding agriculture, forestry and fishing businesses) and 514 UK registered charities undertaken from 10 October 2018 to 20 December 2018. The data have been weighted to be statistically representative of these two populations. In addition, a total of 52 in-depth interviews with survey participants, were undertaken during January and February 2019, to gain further qualitative insights.

The Cyber Security Breaches Survey is an Official Statistic and has been produced to the standards set out in the Code of Practice for Statistics.