Most UK businesses don’t follow the government’s top 5 security tips

Despite the rising menace of ransomware, a new survey has found less than half of businesses are doing the basics of security outlined by the UK Government in 2014.

The UK’s first Cyber Security Breaches Survey has found that most businesses consider information security to be important, but only large businesses commonly attempt to identify cyber security risks and almost no businesses are aware of Cyber Essentials, a government backed certification scheme that is designed to help businesses attain a basic level of security.

The five main technical controls outlined in the 2014 Cyber Essentials documents include regular patching, using antivirus, installing firewalls, access management controls, and security controls on company-owned devices.

The survey found that just 48 percent of over 1,000 small, medium and large UK business had implemented all five controls.

The research, commissioned by the Department for Culture, Media and Sport, as part of the UK’s National Cyber Security Programme, was conducted by UK market research firm Ipsos MORI and the Institute for Criminal Justice Studies at the University of Portsmouth.

The UK has encouraged all organisations that operate online or handle personal data to adopt Cyber Essentials as a minimum standard and even mandates the scheme for its own suppliers.

However, the survey found overall just 6 percent of businesses know about Cyber Essentials. Awareness was lowest among micro firms at 5 percent, rising to 20 percent among large firms.

Through in-depth interviews with 30 businesses, the research also found that small businesses would have welcomed security checklists like the ones the government provides under Cyber Essentials and its 10 Steps to cybersecurity guidance document.

A quarter of UK businesses surveyed detected at least one security breach in the past year, however the numbers are skewed heavily towards large firms which invest more in security.

Two-thirds of large firms reported detecting a breach in the past year, compared to 33 percent of small firms and 17 percent of micro firms.

The most common type of breach was malware, which made up 68 percent of breaches, followed by phishing via email or the web at 32 percent, and denial-of-service attacks at 15 percent.

Businesses in the financial services and insurance sectors however reported that 60 percent of the breaches were from phishing attacks.

BYOD devices only accounted for 8 percent of all breaches, though the survey found that they were the cause of 19 percent of breaches among information, communications or utility firms.

While a security breach can have a heavy toll on a business, 78 percent of businesses reported it taking less than one day to recover from their most disruptive breach in the last year.

During interviews, businesses said cyber security breaches were considered to be “minor irritants” and not a serious a threat to business.

The report also attempts to estimate the cost of a breach. Large businesses on average spent £36,500 (AU$71,887) cleaning up after breaches over the past year. For medium-sized businesses the average was £1,860, while for small and micro businesses it was £3,100.

Some of the findings clash with results from the 206 Verizon Data Breach Incident Report, such as as that fewer than 25 percent of breaches were detected in “days or less”.

Fifty-one percent of respondents in the UK survey claim they identified a breach immediately, 35 percent said they identified it within 24 hours and 7 percent reported finding out within a week. Just four percent reported taking a more or longer to discover the breach.

Join the CSO newsletter!

Error: Please check your email address.

Tags cybersecuritySecurity tipsCriminal JusticeUK governmentFinancial ServicesransomwareCSO Australia

More about Cyber EssentialsVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place