Money or data stolen in a fifth of cyber cases

Out-Law News | 30 Mar 2020 | 1:10 pm

Money or data is stolen in nearly a fifth of all cybersecurity breaches or attacks that businesses identify, a survey carried out on behalf of the UK government has found.

However, the government said the results from the cyber security breaches survey 2020 show that organisations are becoming "more resilient to breaches and attacks over time" and recovering faster from breaches when they do occur.

According to the survey results, 46% of businesses surveyed experienced a cybersecurity breach or attack in the last 12 months. Of those cases, 19% resulted in the business losing money or data. Other negative outcomes, such as businesses requiring new measures, having staff time diverted or experiencing wider business disruption, were reported in 39% of those cases.

The results of the survey, which has been conducted annually since 2016, have been gathered from 1,348 businesses of varying sizes. A further 337 charities were also surveyed.

The government said that the findings from the survey since 2017 reveal changes in the type of cyber threats most commonly seen by businesses. It said there has been a rise in so-called 'phishing' attacks and a fall in viruses or other malware identified, as well as in the number of businesses reporting ransomware attacks.

"Temporary loss of access to files or networks, damaged software or systems, and lost money are the most commonly reported outcomes [from businesses that report having experienced a cybersecurity breach or attack]," the government said. "A permanent loss of data is much less common, which might be expected given that 89% of businesses and 77% of charities back up their data in some way."

"Certain types of breaches or attacks are more likely to result in these kinds of negative outcomes. Broadly, businesses that face the less common types of breaches or attacks, including viruses or ransomware, hacking attempts or other unauthorised use of their computers or networks, are much more likely than average to experience a negative outcome as a result (54%, vs. 19% overall). This means that while these kinds of breaches are rarer, the damage they can inflict on organisations is more significant. They still, therefore, represent a significant threat for all organisations to consider, alongside more common threats like phishing emails," it said.

Phishing is commonly carried out via email where individuals are duped into clicking on links that take them to webpages run by hackers. The links and the webpages themselves can appear genuine and are often designed to trick people into divulging personal information. The act of clicking on the link itself may be enough to enable hackers to gain access to underlying systems and data.

"Phishing attacks are often the first stage of an attack where the perpetrators are looking to execute a payment diversion fraud or escalate the systems compromise to obtain key credentials to launch ransomware or exfiltrate data," said cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law. "It is important that employers are cognisant of the risk of phishing and other attacks on networks, systems and data, particularly at this time when they are managing the impact of the coronavirus crisis and many employees may be working remotely."

According to the survey results, businesses "immediately recover from breaches or attacks" in 72% of cases. The comparative figure from the 2017 survey was 57%.

Senior management within businesses are also increasingly treating cybersecurity as a "high priority", the survey found. In total, cybersecurity is a high priority for 80% of senior management boards, compared to 69% in 2016.

However, only 50% of businesses said they have carried out an internal or external cybersecurity audit in the last 12 months, and just 15% of companies said they had reviewed cybersecurity risks presented by suppliers over the same period. In addition, just 32% of businesses reported being insured against cyber risks.

Birdsey said: "Cyber insurance is an increasingly common part of the cyber solution, which enables affected organisations to respond promptly and effectively to a cyber event. Amongst other benefits, cyber policies often provide the insured with access to a network of specialists, such as IT forensic, legal and PR experts, who can help them manage and respond effectively to cyber incidents when they occur."

"While businesses have legal obligations to provide for appropriate security of data and, in some cases where critical infrastructure is involved, to protect against infiltration of networks and systems, the sophistication of attacks makes some breaches inevitable. Regulators, such as the UK's data protection authority – the Information Commissioner's Office (ICO) – and sectoral authorities such as the Financial Conduct Authority (FCA) and Charity Commission, are paying ever-closer attention to cyber events. Organisations should be prepared for their cybersecurity measures, policies and practices to come under scrutiny in the event of a breach, including their cyber incident response plans," he said.