Half of UK businesses had no security policies in place in 2020
Businesses struggled to keep track of devices or employees during the pandemic, DCMS finds


Fewer UK organisations are deploying protective measures, such as security monitoring tools and up-to-date antivirus software, despite the heightened security risk during 2020.
The proportion of businesses and charities using security monitoring tools fell from 40% in 2019 to 35% in 2020, mirroring a fall in the use of employee monitoring from 38% to 32%, according to a report by the Department for Digital, Culture, Media and Sport (DCMS).
This is alongside a reduction in the number of organisations using up-to-date antivirus software, from 88% to 83%.
Overall, only 52% of businesses and 47% of charities enacted one or more cyber security measures in 2020, including using monitoring tools, conducting risk assessments, testing staff, conducting audits, penetration testing, or investing in threat intelligence.
This decline in overall cyber resilience coincides with an escalation in security risk due to the COVID-19 pandemic. Studies have shown that phishing and ransomware attacks rose significantly during 2020, for instance, while the business landscape was shaken by several high-profile incidents including a devastating attack on SolarWinds' supply chain.
The DCMS also found that 39% of businesses and 26% of charities reported breaches or attacks during 2020, with factors like remote working making securing IT environments more challenging.
In her first speech today as newly-appointed NCSC CEO, Lindy Cameron warned businesses not to be complacent about cyber security in light of emerging trends, including those highlighted by this report.
“Cyber security is still not taken as seriously as it should be, and simply is not embedded into the UK’s boardroom thinking,” Cameron said. “The pace of change is no excuse – in boardrooms, digital literacy is as non-negotiable as financial or legal literacy. Our CEOs should be as close to their CISO as their Finance Director and General Counsel.
“Recent global cyber incidents involving SolarWinds and Microsoft Exchange have shown, in different ways, the range of cyber threats we currently face. As our reliance on technology grows, it sadly also presents opportunities for those who want to do us harm online.”
The DCMS' report outlined how dealing with COVID-19 posed a major challenge to UK organisations during 2020, and contributed to a reduced focus on cyber security.
The rise of remote working, video conferencing, and a transition from paper to digital record-keeping required rapid changes in digital infrastructure, including issuing laptops or setting up virtual private networks (VPNs) for staff. This pace of change, however, led to glaring issues for a handful of businesses.
Direct user monitoring was generally much harder where employees were working remotely, which delayed organisations from catching and dealing with cyber attacks, the report said.
Large organisations, in particular, found dealing with hardware and software changes more difficult, given the sudden surge in the number of endpoints to manage. Retrieving and updating hardware, too, was difficult considering staff were distributed.
The pandemic also stretched resources and led to competing priorities, the report concluded. In some cases, there was a perceived conflict between prioritising IT service continuity and aspects of security, such as patching. A reduction in personnel and time also meant it was much harder to carry out security awareness training.
Once resource bottlenecks eased, senior management typically prioritised business continuity over cyber security, with a lack of acknowledgement that security itself should be a key component of business continuity, the report found.
The DCMS' conclusions echo the views of experts in the field. Security professionals speaking on a panel discussion hosted by Orange Cyberdefense last month blasted the “head in the sand” approach many organisations, particularly small and medium-sized businesses (SMBs), took to cyber security in 2020.
They agreed that some SMBs were undermining security efforts by failing to routinely patch newly-adopted technologies, as well as paying ransom demands against the advice of security experts.
“Prior to the pandemic, we saw that many small businesses and SMBs had very much a ‘head in the sand’ approach to cyber security, with a lot thinking they didn’t need to take it seriously,” said CEO and founder of the UK Cyber Security Association Lisa Ventura.
“But today, with the move to getting everybody working from home quickly last year, from a business continuity perspective, we’re seeing more small businesses and SMBs finally starting to take their cyber security posture much more seriously.”

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.