Government cybersecurity initiatives and campaigns not reaching UK firms
Awareness of Government run cybersecurity initiatives and campaigns are not filtering down to businesses across the size spectrum, as the threat from cybersecurity breaches increases, while new legislation approaches are coming into force.
A new survey from the Department of Culture, Media & Sport, titled ‘Cyber Security Breach Survey 2017’, has highlighted how businesses might improve their efforts to prevent cyber breaches. The survey, which involved 1,523 UK businesses, aimed to be ‘statistically representative of the UK business population. Public organisations and solo traders were not included in the survey. In addition, 30 ‘in-depth’ interviews were taken of businesses taking part in the survey, aimed at additional qualitative insight.
Among the respondents, considerable reliance was noted on a variety of online services. Key among them are email addresses for organisation or employees, noted by 91% of respondents, followed by website or blog, with the number increasing by 8% from last year to 85%.
A key target for hackers, an online bank account, was used by 73% of respondents, while 61% of respondents say that they hold personal information on customers electronically – a key area in terms of compliance. 59% of respondents say that they have an online presence through social media pages or accounts, up 9% on last year, while 26% say that they have made available the ability for customers to order, book or pay online.
One of the efforts of the Government is to inform businesses about the risks that come with the use of online services and business models. To that end the UK Government has set up various schemes and programmes, as well as a dedicated standard, which companies across the spectrum can use to better inform and protect themselves against a possible cybersecurity related eventuality.
Awareness of the Government’s programmes, schemes and standard is relatively poor, finds the report. The number of businesses aware of the standard, which was released in 2013, stood at 21% across the country as a whole. Small firms are considerably less likely than large firms, to know about the standard, at 17% and 57% of firms respectively.
The Government’s 10 Steps guidance programme is even more obscure, with almost no firms (13%) stating knowledge of the programme. Small firms, again, are at the bottom of the awareness group, at 11%, compared to 32% of large firms. The programme, which was launched last year by the National Cyber Security Centre, is focused on supporting the executive/board with 10 technical advice steps for more robust security.
According to the report, the Cyber Essentials scheme, “provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the Government’s 10 Steps to Cyber Security,” few are aware of the scheme however, at 8% of the companies surveyed – with medium and larger businesses more likely to have heard of the scheme (18% and 28% respectively).
Businesses are slightly more aware of the Government’s Cyber Aware campaign, which offers various tools to induce people and businesses to keep their devices and systems up-to-date, as well as other tools and tips to support small and big firms with training their staff and protecting their customers’ date. Across all firms surveyed, 21% said that they are aware of the tools, ranging from 19% for micro firms to 37% for large firms.
The survey also asked businesses about their preparations for the enforcement of the General Data Protection Regulation (GDPR) from 25 May 2018. Small businesses tended to be in the dark about the new rules, while larger businesses – with considerably more processing of personal information – increasingly gearing up to meet the requirements, and avoid stiff penalties.
While awareness from various Government campaigns appears to not be disseminated to small and big businesses, companies across the spectrum are seeking information, advice and guidance (in the past 12 months) pertaining to cyber security threats faced by their organisation. Across the UK 58% sought information, with medium and large firms the most likely to seek out information, at 79% and 70% respectively.
Official Government channels remained, across the board, relatively unsolicited. Google was used by 10% of organisations, while external security consultants or providers were leveraged in 32% of all businesses, and by 46% of medium businesses surveyed.