Looking at the headlines around cyber attacks and security breaches, anyone would be forgiven for thinking that organisations face an insurmountable cyber security task, asserts Rick McElroy. However, when we delve deeper into the UK cyber security landscape, a more nuanced picture emerges.
In fact, there’s a real sense of positivity on the horizon when it comes to UK organisations’ assessment of their ability to detect and defend against cyber attacks. Despite the knowledge that the volume and complexity of attacks they’re facing continue at a sustained high level, the latest UK Threat Report produced by VMWare Carbon Black found that more than three-quarters of UK organisations felt more confident in their ability to repel cyber attacks than they did 12 months previously.
Supporting this sense of confidence, we also found that investment in cyber defence is holding up well, with 93% of UK organisations surveyed saying they plan to increase cyber security spending. Nevertheless challenges remain, not least in terms of the fact that, despite this growing confidence, 84% of UK organisations surveyed said that they had suffered at least one data breach in the past 12 months caused by an external cyber attack.
What else did we learn when we asked 250 UK CIOs and CISOs about the threat landscape they face in the final quarter of 2019? Here are four key points to emerge:
*Despite growing confidence, the attack landscape remains severe
84% of organisations said the volume of attacks they face has increased, while nine-in-ten said that these attacks had become more sophisticated.
Globally, we found a sharp rise in the prevalence of phishing attacks as the attack type most likely to result in a data breach, and this was reflected in the UK where it was the cause of 33% of breaches. In fact, this figure had jumped from 20% in our January 2019 report.
This global trend is a clear sign that attackers are going after the weakest link – the end users. This is also a factor in the increase reported in breaches caused by ransomware, which jumped as a cause of successful breaches from 14% in January to 20%.
This focus on user-related breach vectors may also indicate that defenders are succeeding in making organisations a harder target for more direct malware-led attacks. The study found that the percentage of breaches caused by process failures and out-of-date security halved during the period from January 2019. This is another sign of a maturing approach towards cyber security wherein controllable factors are now a key focus.
*Reputational damage outweighs financial impact when breaches happen
Given the high profile of regulatory changes in the past 18 months, it’s not surprising that 72% of businesses reported suffering from reputational damage as a result of a data breach. The public is now much more aware of the risks and responsibilities that organisations bear around data protection and is pretty quick to lose trust in those who appear negligent.
Perhaps more surprising is that the percentage reporting financial impacts from breaches was only 35%, which is lower than the global average of 44%. In fact, more than half (54.5%) of UK organisations said there had been no financial impact from the breach at all.
At this stage it seems that organisations don’t see monetary loss on the same scale as reputational damage.
*Emerging technologies and cyber skills scarcity are cause for concern
Looking to the coming year, the research found a significant level of concern in the UK about how emerging technologies such as 5G and fast-paced digital transformation projects are going to create cyber risk. In line with global sentiment, nine-in-ten respondents said they had concerns, which ranged from the potential for new and more destructive attack types to the difficulty in gaining full visibility over new projects and technologies.
Almost a quarter (25%) said that they would need a bigger team to cope with these threats. However, recruiting staff with the necessary skills is a growing problem, with 55% of UK organisations saying the recruitment climate had grown more challenging in the past 12 months.
Looking overseas to plug the gap is unlikely to be a solution as the situation is even more difficult globally – an average of 61% of businesses worldwide said that recruiting the right skills has become more difficult.
*Threat hunting is firmly on the agenda
90% of UK companies surveyed said that threat hunting had strengthened company defences and 30% had found significant evidence of malicious activity. This is almost double the 16% who found significant evidence of malicious activity in January 2019.
While this may be at least in part due to increasing levels of cyber threat activity, the high percentage increase indicates that threat hunting is becoming more effective as defender skills and experience increases.
Stronger outlook for UK cyber security
Taken together, these research findings indicate a maturing approach to cyber security as UK businesses adjust to the ‘new normal’ wherein high volume, sophisticated cyber attacks are a factor of doing business.
Organisations are locking down the controllable factors such as process weakness and out-of-date security, while at the other end of the scale they’re proactively threat hunting. This is building defender confidence and power as businesses become smarter about identifying where the risks lie and what tools they can deploy to mitigate them.
While new challenges loom on the horizon, the cyber security community in the UK is now better positioned and more confident to meet and defend against them.
Rick McElroy is Cyber Security Strategist at VMWare Carbon Black