Joel Muckett 18 Oct 2017 11:41am

UK organisations ill-prepared for cyber attacks

Almost one in five (17%) UK organisations have not prepared for a cyber attack, despite an increase in frequency and severity

PwC’s Global State of Information Security Survey also found only 49% had conducted penetration tests to examine their defences.

More than a quarter (28%) of UK organisations did not know how many cyber attacks they had suffered in the past year and a third (33%) were unaware of how they were targeted.

PwC surveyed 9,500 senior business and technology executives from 122 countries, including 560 respondents from the UK.

“Cyber attacks could happen to any organisation at any time, so it’s important businesses and public sector organisations are getting the basics right and continually testing their approach to prepare themselves in the right way,” said PwC security partner Richard Horne.

“In that critical moment when an attack hits, the ability to act quickly and effectively is key to minimising business disruption and reputational harm.”

Last year, organisations in the UK recorded an average of 19 hours downtime due to security incidents and reported 23% of customer records and 20% of employee records as compromised, the study showed.

Additionally, 21% reported the loss or damage of internal records.

Only 44% of UK organisations, compared to 58% globally, had cyber insurance policy to cover the impact of breaches.

PwC’s report also highlighted how only two in five (44%) British organisations had collaborated with others in their industry to reduce cyber attack risks, compared to 54% across Europe and 58% globally.

Horne said companies should treat cyber security as a “team sport” rather than an issue for the IT department.

“Forging close working collaborations and sharing intelligence is often the best way to tackle the latest threats. New forms of attack require new ways of working to defend our society,” he said.

James Hampshire, cyber security senior manager at PwC, believed there were several ways for organisations in the UK to tackle the cyber threats they faced.

“Firstly, they should understand what attackers are likely to be going after within their organisation and what the business impact would be if important systems or data were not available,” said Hampshire.

“Secondly, we find that many attacks are often successful because of weakness in the basics – including IT controls and processes, low user awareness, simple passwords and irregular system updates. Tackling all of these will help reduce the likelihood of becoming a victim,” he added.

“Finally […] running realistic simulations not only allows you to confirm processes actually work, but also ensures that everyone involved in the process […] are comfortable with their role and have the muscle memory to fulfil that role under pressure.”

Over a quarter (27%) of breaches on UK organisations were performed through targeting employees, whereas the average global attack was likely to be caused by a mobile device being hacked (29%), the report said.

UK businesses and public sector organisations spent an average of £3.9m on their security budget last year.

The majority of companies (64%) had an overall security strategy in place, with 53% agreeing that spending is based on risk, however only 34% had boards actively participating in the strategy compared to the global average of 44%.