The Department for Culture Media and Sport recently published its annual Cyber Security Breaches Survey (the “Survey”), which aims to capture trends in cyber security incidents and provides a snapshot of the approach of UK businesses to the risks of an incident and the types of incidents seen in the previous 12 months.
We have tracked the Survey since it was first published in 2016 and some interesting trends are emerging.
Cyber security as a priority area
Respondents to the Survey indicate that cyber security remains a priority for management boards. They have always said that. Three-quarters of businesses say cyber security is a high priority for their directors or senior managers: an 8% increase on the position that existed five years ago. That mirrors what we see in practice. Cyber security is always on the boardroom agenda but is becoming increasingly important over time.
Disconnect between concern and action
There has always been a disconnect between that evident concern around cyber security and businesses then putting into place formalised processes and procedures. In 2016, less than one in three businesses had a formal cyber security policy. That figure has barely shifted in the last five years. The Survey found that only 33% of businesses have a formalised policy around cyber security. Just over two in every three respondent businesses have no business continuity plan in place that would define and assist the business in how to respond to a cyber security incident.
Regulatory expectation
The GDPR has clearly driven public awareness of data protection and privacy and expectations have increased accordingly. The public expect their personal data and privacy to be protected. Shareholders and stock markets react when incidents happen. Regulators, in the form of both the Information Commissioner’s Office (“ICO”) and the Financial Conduct Authority (“FCA”), now expect organisations to have policies and procedures in place to manage cyber security risk.
By way of example, the ICO have produced an accountability framework that sets out its expectations of businesses and how they can evidence cyber security compliance under the GDPR, which includes an expectation that:
- Procedures and systems facilitate the reporting of security incidents and breaches.
- Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur.
- You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals).
- The log documents the facts relating to the near miss or breach including:
- its causes;
- what happened;
- the personal data affected;
- the effects of the breach; and
- any remedial action taken and rationale.
The ability of a business to properly assess cyber security failure and make consistent and justifiable decisions as to the steps that are taken in the aftermath of an incident are issues best considered by a business before disaster strikes. The pressure of a cyber security incident – and all of the competing factors and moving parts that go along with it – is not the best environment within which a business should be designing and rolling out an incident response plan. But we often see that in practice and the Survey demonstrates that this is a systemic issue across the majority of UK businesses.
This is an issue that demands attention. No business is going to be impervious to a cyber security incident. Regulators and courts recognise that and when such action commences following an incident, the real issue that is focused on is whether the security in place was appropriate and whether the response was adequate.