Nearly two-thirds of medium and large-sized businesses suffered a cyber-attack or breach last year, with security efforts suffering during the pandemic, according to the latest government figures.
The Cyber Security Breaches Survey 2021 on the face of it showed a slight improvement over last year’s: 39% of UK businesses of all sizes said they were breached or attacked over the previous 12 months versus 46% last year.
However, while the report posits that this could be due to many firms reducing their trading activity and therefore being less visible to attackers, it’s more likely that they are simply less aware of threat activity.
Fewer businesses are deploying security monitoring tools (35% versus 40% last year) or undertaking any form of user monitoring (32% versus 38%), for example.
The frequency of attacks and the most common threat vectors were consistent with previous years’ reports. Around a quarter (27%) of businesses experienced attacks at least once a week, with phishing (83%) and impersonation (27%) the most common.
A fifth (21%) of those reporting attacks ended up losing money, data or other assets as a result, and 35% reported other negative consequences such as business disruption or lost staff productivity.
On the positive side, this figure is lower than in previous years, possibly due to more widespread adherence to best practices and GDPR rules, the report claimed.
Unsurprisingly, COVID-19 has had a major impact on cybersecurity: many firms reported mass remote working had made user monitoring harder, complicated hardware and software upgrades and stretched resources to the limit.
There’s still plenty of room for improvement. The report noted that fewer than half of UK businesses currently have cyber insurance, undertake risk assessments, train and test staff, carry out vulnerability audits, review supplier risks and have a business continuity plan in place.
Fewer than a quarter (23%) have policies that cover home working, the report claimed.
Mimecast UK VP, Jamal Shakir, agreed that a distributed workforce is making it harder for organizations to detect and block attacks.
“The past 12 months have seen an increase in sophisticated digital deception campaigns where threat actors combine COVID-19-related social engineering with multi-channel campaigns to gain credibility with their targets so they can then be tricked into giving away valuable information or credentials,” he argued.
“Organizations must not take their foot off the gas and ensure that they have adequate tools and training in place to deal with these attacks.”