Businesses only take cybersecurity seriously after falling victim to an attack, according to a report published by the UK's Department for Culture, Media and Sport (DCMS) this week.
For the research, the UK government surveyed IT professionals and end users in 10 UK organizations of varying sizes that have experienced cybersecurity breaches in the past three years. This analyzed their existing level of security prior to a breach, the business impacts of the attack and how cybersecurity arrangements changed in the wake of the incident.
Nearly all respondents said their organization took cybersecurity much more seriously after experiencing a breach, including reviewing existing practices and significantly increased investment in technology solutions. In one case, the organization changed its IT provider, implemented multi-factor authentication (MFA) for all logins and is working towards Cyber Essentials Plus after an incident. In another, following a DDoS attack that caused a significant loss of revenue, the organization brought in changes so all their third-party infrastructure is always under DDoS protection. In addition, it now conducts regular security testing, including constant threat hunting exercises.
While there was a consensus among participants that there is a greater need for vigilance and investment in cybersecurity, there was significant variation between organizations’ practices in this area. Medium and large organizations tended to have formal plans in place and budget allocated for further cybersecurity investment, but smaller businesses mostly did not due to resource constraints.
Encouragingly, most participants reported feeling their organization was better protected than before the attack due to the changes. In many cases, leadership became more engaged in cybersecurity post-breach, with some treating it as ‘a board level business problem.’
Commenting on the findings, Tim Sadler, CEO at Tessian, said: “This new report from DCMS reveals that businesses do take steps to strengthen their defenses after attacks occur, investing in new security solutions, and implementing new policies and training programs for staff.
“However, this is often too little, too late and business leaders need to listen to their security teams to understand the ways they can proactively protect their organization before a costly breach occurs.”
Dan Middleton, VP UK&I at Veeam, stated: “It’s simply not acceptable that the penny keeps dropping only after data has been accessed by cyber-criminals. At the most senior level, there is a clear need for every enterprise to have a CISO, and for their advice to be heeded by those at the top.”