What Data Tells Us About Cyber Security Breaches - Part 2 - UK Cyber Security Breaches Survey
Updated: May 25, 2021
In the first post we looked at why good data is important for cyber security ROI.
If we're talking about how breaches happen, perhaps a good place to start would be the UK Cyber Security Breaches Survey 2020.
I wanted to look at this report for a few reasons:
a. Being a report specifically about UK businesses and charities, it's highly relevant to most of my current and future customers.
b. It has some extreme findings, at least when compared to similar reports from other countries.
c. Some of its takeaways argue strongly against the majority of cyber security solutions on the market.
A lot of the data in the report is arguably predictable. I aim to pull out the findings that are perhaps unexpected, insightful and can teach us something.
Let's get started, shall we?
Want the hard facts? Here are 6:
Almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Try to imagine this: almost half of the businesses in the sample reported some kind of cyber breach or attack. This is one of the extreme findings in the report, and I almost find it hard to believe. Unless... I think the key word in this statistic is 'attack'. Does it mean these businesses were specifically targeted? Probably not. More likely they received a phishing email that was also sent to thousands of other business mailboxes, and the survey counts that as an attack identified, whether or not it caused any harm. Nonetheless, it tells us the attacks are happening, and most of us have seen one, whether it was a phishing email or an automated scan of a website.
The nature of cyber attacks has also changed since 2017. Over this period, among those identifying any breaches or attacks, there has been a rise in businesses experiencing phishing attacks (from 72% to 86%) and a fall in viruses or other malware (from 33% to 16%). This is a refreshing statistic that backs up many others, and it triggers some alarms for another finding we'll discuss later on (cliff-hanger). Not forgetting that a huge percentage of breaches actually come from human error rather than intentional attacks (not covered in the report), let's talk for a moment about attackers.

The goal of a cyber attacker is typically to make money. If they want to make money, they will want to make as much as possible while expending as little effort, time and cost as possible. Like more ethical people and businesses, they want to increase their effectiveness and efficiency. They want the best possible ROI. A few years ago many breaches were the result of attacks exploiting software holes (vulnerabilities) in websites and commonly used applications such as Internet Explorer, Microsoft Word and so on. Back then, it made sense for an attacker to find one hole and try to exploit it across many different company environments. These days, websites and applications are typically more secure and harder to compromise, so finding and weaponising a new vulnerability costs more. To keep a good ROI, the bulk of attackers are focusing much less on finding security holes, developing exploits and compromising infrastructure. As the statistic shows, more and more attacks arrive by email.

Think about that for a moment. Almost every business uses email; it's a legitimate business tool. All our customers are there, as are our suppliers, employees, friends, family and mistresses. If an attacker can socially engineer us into clicking a link, wiring them some cash or giving up a password with a single email, why would they spend all that time researching holes in applications and building exploits?
Their ROI is much higher this way. To drive home the point that email attacks are well and truly in their prime, consider that "others impersonating organisations in emails or online" is number two on the list of types of breaches or attacks experienced (albeit impacting medium and large organisations more than small ones). This is social engineering at its best. Both types of email attacks, by the way, were considered most disruptive to businesses compared to the other types of attacks. Which rather beautifully brings me to address that cliff-hanger:
30% of businesses and charities are carrying out security user education and awareness. So, after performing a complex math calculation, this tells us that 70% of businesses are not educating their employees on the latest security threats or making them aware of how security affects their role. Having seen that 86% of organisations identifying an attack experienced phishing, and only 16% malware, does it make sense that only 30% of organisations are educating their workforce, yet 88% have anti-malware controls in place? Perhaps not, one could argue. But actually, I think it makes complete sense. Organisations are naturally behind the curve: if malware was the most prominent attack over the preceding years, of course most companies now have anti-malware protection in place. Companies are experts in their own areas, at selling their products and services. Few are exceptional at cyber security; why would they be?

So, if there's only one takeaway from this report, it's this: bring your organisation up to date with the statistics (according to UK Gov, at least) and introduce some kind of security awareness and training activity for your workforce. How do you do that? Thankfully, options are plentiful. Many security companies offer security training and awareness solutions, for example platforms that enrol your workforce in cyber security training content and then test them with quizzes and/or simulated phishing. There is a list of due diligence checked and reviewed options here on The Allowlist. Alternatively, Ian Murphy at CyberOff has a different take on security awareness content. He injects sarcasm and a slightly offensive vocabulary to increase engagement through entertainment. Here's one of my favourite examples.
Only 15% of organisations have considered the cyber security risks posed by their suppliers. I don't want to spend too much time on this one as it is a historical, current and future-proof fact: if a cyber attack or breach can happen to you, it can probably happen to your suppliers. Let's imagine you have 5 suppliers who each hold copies of your data or have access to it. Roughly speaking, you now face up to five times the chance of a breach via a supplier than of one directly against your own organisation (strictly an upper bound: if each supplier independently has the same breach probability p as you, the chance that at least one of the five is breached is 1 - (1 - p)^5, which is a little under 5p for small p). What can you do about it? You can start by carrying out supplier security due diligence to check whether your suppliers have reasonable controls in place to protect your data. We can also help out there.
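Added worked calculation (mine, not from the survey or the original post) to sanity-check the "five times" rule of thumb above. It assumes each of the five suppliers independently faces the same annual breach probability p; independence is an optimistic assumption when suppliers share platforms or staff.

$$P(\text{at least one of } n \text{ suppliers breached}) = 1 - (1 - p)^n \le n\,p$$

With n = 5 and the survey's own headline rate p = 0.46:

$$1 - (1 - 0.46)^5 = 1 - 0.54^5 \approx 1 - 0.046 = 0.954$$

whereas the naive 5p = 2.3 is not even a valid probability. With a small per-supplier rate, say p = 0.02:

$$1 - 0.98^5 \approx 1 - 0.904 = 0.096 \approx 5p = 0.10$$

So "five times the chance" is a fair approximation only when each supplier's breach rate is small; at the rates this survey reports, having five suppliers with access to your data makes a supplier-side breach close to a certainty.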
Average cost of all breaches or attacks identified in the last 12 months = £3,110 (micro/small businesses) and £5,220 (medium/large businesses). The report also identifies two further forms of cost associated with attacks and breaches: average recovery cost of the most disruptive breach or attack from the last 12 months = £831 (micro/small) and £1,310 (medium/large); average estimated long-term cost of the most disruptive breach or attack from the last 12 months = £1,260 (micro/small) and £678 (medium/large). That brings us to a total of £5,201 (micro/small businesses) and £7,208 (medium/large businesses).

Now, this is where it gets interesting. To me, these costs seem very low. Consider that professional services such as forensic analysis and incident response experts typically cost a minimum of £1,000 per day. It seems the average includes organisations that were surveyed but didn't suffer any financial loss (think of the earlier example of simply receiving a phishing email), so their losses count as £0 and dilute the average. If, as in statistic #1, attacks and breaches are reported by almost half of organisations in any one year, and the total average cost is circa £6k, that's an expected loss of roughly £3k per year. Hardly worth writing a security policy, let alone hiring a cyber security employee. As we will see in parts three and four, when we look at the other reports, these costs are far lower than the figures reported elsewhere. I do have some thoughts on why that may be, and will address them in the final part of this series. Hold onto your horses. Before all of that exciting stuff happens, let's look at one more statistic from the UK Cyber Security Breaches Survey:
63% of attacks and breaches were identified by staff. So, it's clear we rely on our staff not only to prevent breaches but to detect them too. We discussed earlier that 86% of organisations identifying an attack experienced phishing (which always targets staff), and that only 30% of organisations educate and train their staff about cyber security. A lot of cyber security vendors and people in the industry label staff 'the weakest link' in an organisation's security posture. While I don't agree with that argument, one could counter that the reason they are the weakest link is that we aren't sufficiently educating and training them. People can become the strongest link in the chain if they are aware of the techniques criminals are using and know how to report something suspicious or unusual. People can help organisations prevent, detect and respond to cyber attacks. Sure, technology helps too, but even when organisations spend millions on security controls, and some do, it's usually staff who open the phishing attachment. We can never train people to be 100% immune to such techniques, but we can invest the right amount of time and resources to help them learn and, ultimately, make the organisation more resilient against attacks. The right balance of people, process and technology is the key.
Part 3 has arrived, where we look at IRIS 20/20 - A Clearer Vision for Assessing the Risk of Cyber Incidents. Stay cyber-safe.