82% of senior management in the UK class cybersecurity as either a high or very high priority, but only 19% have an active incident response plan in place.
Cyber security stats often make for some pretty eyebrow-raising reading. Promisingly, there are usually a few positives hidden within the scarier numbers, but, as always, stats on such a wide-ranging and prevalent issue should be taken with a good pinch of salt. Obviously, the numbers can only be based on the attacks and breaches that are reported, and as there still seems to be an ingrained immaturity when it comes to cyber security, the quantity and regularity of incidents are definitely underreported.
The lack of official reports from businesses is less surprising when you learn that 20% of the costs attributed to breaches is down to reputation damage. The fear of bad publicity means that only 42% of companies say that they would report an attack to both the authorities and cyber security incident specialists.
According to the snappily named Department for Digital, Culture, Media & Sport, 39% of UK businesses identified and reported a cyber-attack. However, another study reports that this number is far higher, at just short of three quarters (73%). Despite the fact that the UK is near the bottom of the list for the percentage of IT budget allocated to cybersecurity at 11%, we are one of the quickest countries to respond to data breaches: on average we needed 181 days to discover a breach and then another 75 days to contain it. Whilst this seems alarmingly long, it is still around 3 weeks less than the average, according to the latest figures I could find.
Phishing attempts remain the most common threat vector chosen by attackers, responsible for 83%, whilst more sophisticated attacks such as ransomware, DDoS or malware account for only 1 in 5 (21%). So why is it that ransomware is the most cited and feared threat? In the States it is reported that 60% of organisations believe that the media overexaggerate the danger that ransomware poses. Is it this fixation on ransomware that is the catalyst behind the apparent disjointed nature of cyber defences?
82% of senior management in the UK class cybersecurity as either a high or very high priority, but only a third conducted a risk assessment in 2022, and just short of a fifth (19%) have an active incident response plan in place.
There seems to be a potentially catastrophic gap within the UK infrastructure, between the knowledge that cybersecurity is a quantifiable and very real threat, and the proactive actions needed to mitigate the damage and losses felt if and when an attack gets through. Having recently become a father again, I can tell you categorically that if I felt there was a danger of us running out of nappies or formula, I would be heading straight out to buy some!
To end on a positive note, this is something that a lot of C-suite members are starting to realise, as the percentage of businesses now outsourcing their cybersecurity rose in 2022 to 57%.
If I thought there was a problem with my boiler, I’d phone a plumber. If I noticed my car making a strange noise and wanted it fixed before it became a real issue, I’d phone a mechanic.
Be proactive, not reactive. Trust the professionals.