Experts react to worrying findings in Government’s Cybersecurity Breaches Survey

Government figures show UK businesses are doing little to prevent, detect or respond to data breaches.

Cybersecurity experts have reacted with dismay to figures published by the Government that show UK businesses are doing little to prevent, detect or respond to data breaches.

The UK Government has published data from its Cybersecurity Breaches Survey for 2024, which is aligned with the National Cyber Strategy. It suggests that few businesses report a breach, and more than a third (39 percent) said that no action was taken in response to their most disruptive breach in the last 12 months.

Andy Kays, CEO of threat detection and response business, Socura, whose clients include NHS trusts, said:-

• “It is incredibly disappointing to see such disregard for cybersecurity among the UK’s small business community. Despite years of warnings from experts, countless data breach headlines, and increased regulatory action, this issue still isn’t on their radar,”
• “Only a fraction of UK businesses have any kind of formalised incident response plan, which I find astounding.
• Businesses will always have a plan in case of a fire, but will not apply the same due care for a data breach – which is statistically much more likely. It flies in the face of common sense.”
• A lot of firms’ responses “seem stuck in the past.”
• “Most businesses’ experience with cyber incidents seems limited to phishing attempts, and their default response is to conduct security awareness training if they do anything at all. In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident.
• They are failing to do the bare minimum. It’s also important to note that businesses are doing very little to prevent or detect breaches in the first place,”

An accident waiting to happen

Elsewhere, Richard Staynings, chief security strategist for Cylera said

• Organisations’ failure to protect their supply chains “is an accident waiting to happen.”
• Just over one in ten businesses say they review the risks posed by their immediate suppliers (11 percent, vs. nine percent of charities). More medium businesses (28 percent) and large businesses (48 percent) review immediate supplier risks.
• “Organisations in the public and private sector need to do a much better job of managing third parties and in assessing third party risk.
• They must understand what exactly is connected to their networks and what risk each of these systems presents. This is especially a concern given the significant growth in IoT devices, which often lack cyber security and are rarely patched,”
• “Most industries tend to do a terrible job of managing the security of their supply chain. Any third party vendors, whether those supplying goods in your café or your external accountant, they all need to be held to the same security standards and policies as your own organisation.
• “The trouble is few businesses enforce this within their contracts with third parties, making it a prerequisite to ensure that they have policies and procedures that meet our own standards, that they have quality assurance in place, staff training and access controls set up, and that they provide ISO/IEC 27001 certification – the world’s best-known standard for information security management systems (ISMS).
• “We can’t have third party vendors winning contracts for critical industry sectors such as healthcare and hospitals based simply on the lowest bid.”

Leadership buy-in on cybersecurity

The report shows that board engagement and corporate governance approaches towards cybersecurity tend to be more sophisticated in larger organisations.

Three-quarters of businesses (75 percent) report that cybersecurity is a high priority for their senior management. This proportion is higher among larger businesses (93 percent of medium businesses and 98 percent of large businesses, vs. 75 percent overall).

Shankar Haridas, UK head of business development at ManageEngine, the enterprise IT division of Zoho Corp., said

• It is imperative leadership teams – particularly in medium and large businesses who are at higher risk – understand the threat landscape today
• “Navigating a rapidly changing realm of cyberthreats requires organisations to have a defence in depth approach to cybersecurity,”
• “Vigilant measures include constantly monitoring networks for unusual activity, implementing access control mechanisms, vulnerability scanning and patching of endpoints, and training users on good security hygiene. It is essential for organisations to bring the People, Process, Policy and Partners together and keep cyber security an integral part of their goal.
• Well prepared organisations will go even further and plan for the worst – introducing services that allow them to recover their data and systems in the event of a successfully cyberattack.”

https://www.thinkdigitalpartners.com/news/2024/04/10/experts-react-to-worrying-findings-in-governments-cybersecurity-breaches-survey/?utm_campaign=shareaholic&utm_medium=linkedin&utm_source=socialnetwork