Despite the rising menace of ransomware, a new survey has found less than half of businesses are doing the basics of security outlined by the UK Government in 2014.
The UK’s first Cyber Security Breaches Survey has found that most businesses consider information security to be important, but only large businesses commonly attempt to identify cyber security risks and almost no businesses are aware of Cyber Essentials, a government backed certification scheme that is designed to help businesses attain a basic level of security.
The five main technical controls outlined in the 2014 Cyber Essentials documents include regular patching, using antivirus, installing firewalls, access management controls, and security controls on company-owned devices.
The survey found that just 48 percent of over 1,000 small, medium and large UK business had implemented all five controls.
The research, commissioned by the Department for Culture, Media and Sport, as part of the UK’s National Cyber Security Programme, was conducted by UK market research firm Ipsos MORI and the Institute for Criminal Justice Studies at the University of Portsmouth.
The UK has encouraged all organisations that operate online or handle personal data to adopt Cyber Essentials as a minimum standard and even mandates the scheme for its own suppliers.
However, the survey found overall just 6 percent of businesses know about Cyber Essentials. Awareness was lowest among micro firms at 5 percent, rising to 20 percent among large firms.
Through in-depth interviews with 30 businesses, the research also found that small businesses would have welcomed security checklists like the ones the government provides under Cyber Essentials and its 10 Steps to cybersecurity guidance document.
A quarter of UK businesses surveyed detected at least one security breach in the past year, however the numbers are skewed heavily towards large firms which invest more in security.
Two-thirds of large firms reported detecting a breach in the past year, compared to 33 percent of small firms and 17 percent of micro firms.
The most common type of breach was malware, which made up 68 percent of breaches, followed by phishing via email or the web at 32 percent, and denial-of-service attacks at 15 percent.
Businesses in the financial services and insurance sectors however reported that 60 percent of the breaches were from phishing attacks.
BYOD devices only accounted for 8 percent of all breaches, though the survey found that they were the cause of 19 percent of breaches among information, communications or utility firms.
While a security breach can have a heavy toll on a business, 78 percent of businesses reported it taking less than one day to recover from their most disruptive breach in the last year.
During interviews, businesses said cyber security breaches were considered to be “minor irritants” and not a serious a threat to business.
The report also attempts to estimate the cost of a breach. Large businesses on average spent £36,500 (AU$71,887) cleaning up after breaches over the past year. For medium-sized businesses the average was £1,860, while for small and micro businesses it was £3,100.
Some of the findings clash with results from the 206 Verizon Data Breach Incident Report, such as as that fewer than 25 percent of breaches were detected in “days or less”.
Fifty-one percent of respondents in the UK survey claim they identified a breach immediately, 35 percent said they identified it within 24 hours and 7 percent reported finding out within a week. Just four percent reported taking a more or longer to discover the breach.