The proportion of UK businesses experiencing cyber breaches or attacks has dropped from 43 percent to 32 percent in the past 12 months, according to an announcement from the Department for Digital, Culture, Media, and Sport (DCMS).
The results have been published in the Department’s 2019 Cyber Security Breaches Survey. According to that report, the reduction is partly due to the introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018 – which was cast into UK law under the terms of the Data Protection Act 2018.
Thirty percent of businesses and 36 percent of charities have made changes to their cyber security policies and processes as a direct result of the regulations, said DCMS.
The findings echo comments made by Jonathan Bamford, Director of Domestic Strategic Policy at the Information Commissioner’s Office (ICO) in January.
Speaking at a Westminster eForum conference on the lessons to date of GDPR, Bamford said that the regulations had forced many organisations to get to grips with the basics of data protection for the first time, despite having existing legal obligations under the 1998 Data Protection Act.
He said, “One of the most interesting things we’ve noticed is how many organisations woke up to data protection for the first time with GDPR. And a lot of the work we’ve had to do in terms of advice and complaints-handling has been on what I regard as core data protection issues. Not new things that have cropped up under GDPR, but data protection basics that organisations should have been on top of for a long, long time.
“A lot of our effort hasn’t been on the minutiae of changes under GDPR or the Data Protection Act 2018, it’s been on core issues like subject access. A lot of the enquiries we’ve received have been about these data protection basics.”
Bamford warned that, as a result, many organisations now wrongly believe that data protection is solely about GDPR compliance, rather than their wider obligations under the 2018 Act.
According to DCMS, among businesses that suffered cyber attacks over the past year, the median number of breaches has risen from four to six. In other words, affected organisations are being attacked more often. The figures show that 48 percent of businesses and 39 percent of charities that were breached or attacked identified at least one incident or attack every month.
According to DCMS, the most common incidents involved phishing emails, followed by instances of others impersonating their organisation online, viruses, or other malware – including ransomware.
Digital Minister Margot James said, “Following the introduction of new data protection laws in the UK, it’s encouraging to see that business and charity leaders are taking cybersecurity more seriously than ever before.
“However, with less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.”
Through the CyberFirst programme, the government is working with industry and education to improve cybersecurity and get more young people interested in taking up a career in the sector.
The DCMS results contrast with a report published this week by Panda Security. The cybersecurity company warned that cyber attacks are becoming more sophisticated and less obvious, deploying legitimate applications or ‘goodware’ (as opposed to malware).
Two out of three attacks now employ ‘friendly’ applications and fileless malware, said the company in an announcement today.
According to Panda Security, 49 percent of organisations are unaware of the new threats that can lead to cyber attacks. The average time to identify a breach is 197 days, and the average time to contain it is 69 days, said the company. In short, victims could be affected by new kinds of cyber attack for up to nine months.