The UK Cyber Security Breaches Survey 2019 released on April 3 shows that around one in three businesses (32%) was a victim of an attack or breach in the past 12 months. While this is lower than in 2018 (when it was 43%) and in 2017 (46%), those who were victims typically reported facing six attacks, compared to two in 2017. This may be because certain targets get circulated on the dark web or because of a focus on certain companies or types of company.
The IT partner, reseller or managed service provider is the top source of guidance for business, the survey found. The most common sources of information and guidance, raised unprompted in the survey, are: external cyber security consultants, IT consultants or managed service providers (mentioned by 33% of businesses and 21% of charities.
Where organisations had external cyber security providers, IT providers or consultants, these were often their first port of call for information and guidance. This highlights the strong influence that external cyber security providers have on their clients.
Simple publicity does not work in engaging customers. The impact of news stories about cyber security meant that organisations often remembered seeing or hearing mainstream media news stories about cyber attacks on other organisations.
Because there was a media focus on attacks on very large organisations, with examples (raised spontaneously in interviews) including the NHS, TalkTalk and British Airways, and a focus on the large financial cost, through fines or money lost, organisations generally felt that these stories had a positive impact. That is to say, they were considered effective in raising awareness of cyber security, and in helping to keep the topic fresh in people’s minds.
However, there was a limit to the impact of these stories. At most, some organisations with cyber security or IT professionals had used them to see if they were exposed to the same vulnerabilities that were in the news story. However, other organisations said the types of organisations in these stories were too different from them to be relevant. Some also said they did not see a clear course of action they should take after reading these stories, as the stories did not signpost to further information or guidance.