Handley Gill Limited

Too Many Phish in the Sea!

DCMS has recently published its Cyber Security Breaches Survey 2022, based on data gathered by Ipsos MORI over winter 2021/22, which reveals that businesses and charities continue to be underprepared to respond to inevitable cyber security incidents and data breaches.

In this post, we highlight some of the key findings of the survey and identify advice, guidance and free solutions to common cyber resilience shortcomings.

Scale and nature of the cyber threat

The survey revealed that the number of respondent organisations reporting having identified a cyber attack in the previous 12 months remained steady at 39%.

Since the research does not distinguish between unsuccessful attempted cyber attacks and successful attacks and data breaches, this figure is likely to represent a severe under-reporting of the scale of the threat; the reality is that most organisations will experience multiple attempted cyber attacks on a daily basis. Information released by the National Police Chiefs’ Council in relation to Police CyberAlarm revealed that since its inception over a billion potential malicious incidents against members had been identified. This suggests that organisations may simply not be identifying suspicious activity on their networks and gateways.

The National Cyber Security Centre has issued guidance on determining which log data organisations should collect and review, as part of their cyber security strategy, to address the threats they face. This might include logs of potential reconnaissance, scripts, logins, executables, DNS requests, data exfiltration etc. Organisations can utilise the NCSC’s free ‘Logging Made Easy’ tutorial, which provides access to free and open source software and pre-set configurations.

Police CyberAlarm is a free tool made available by policing to all organisations to help them identify and respond to malicious activity. Services include one-off or periodic vulnerability scanning of their website and external IP addresses, and the analysis of a variety of log data collected by the organisation, which is presented back to the organisation in the form of a report. Organisations can seek further advice from Protect officers within local and/or regional police Cyber Crime Units. Membership also enables law enforcement to gather intelligence on the scale and nature of the cyber threat to the UK and to take disruptive action against those involved in criminal activity. As such, even large organisations with sophisticated cyber resilience programmes can contribute to supply chain and wider UK cyber security by participating in the scheme. Membership can also streamline evidence gathering in the event of a successful attack. Organisations can register an interest in becoming a member here: https://www.cyberalarm.police.uk/register/.

Organisations can also sign up for the NCSC’s free ‘Early Warning’ service, which aims to help them identify when their cyber security has been actively compromised or their assets have been associated with malicious activity, and which provides vulnerability and open port alerts.

Cyber security measures

While ransomware was considered the biggest threat, phishing was reported as the attack vector in the vast majority (83%) of cyber attacks on respondents.

Despite this, only 19% of businesses, and even fewer charities, reported testing cyber security awareness among staff, for example through mock phishing exercises, and fewer still provided general cyber resilience training for staff, although staff training was the most common response after a disruptive cyber attack.

An online cyber security training package for small organisations and charities was launched by the NCSC in 2021, together with a ‘Top Tips for Staff’ online training package, to improve cyber awareness and cyber hygiene, addressing issues including device security, phishing, incident reporting, password security, malware, and back ups.

The NCSC also offers an ‘Exercise in a Box’ free online tool to support organisations to assess their cyber resilience, which includes a ransomware attack delivered by phishing email. Commercial organisations also offer regular phishing exercises.

The NCSC’s Small Business Guide to Cyber Security includes advice on avoiding phishing attacks. It also provides more detailed guidance for organisations on resisting phishing attempts, and encourages the deployment of DMARC (Domain-based Message Authentication, Reporting and Conformance) to authenticate email sender identity as part of a multi-layer approach incorporating staff training and exercising on identifying fraudulent emails, multi-factor authentication, utilising a proxy server and implementing an incident response plan.
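To make the DMARC point concrete, here is an added example (not from the NCSC guidance or the original post) that parses a domain’s DMARC TXT record and flags settings that leave email spoofing unchecked; the three records it checks are constructed for example.com and are not real published records.

```python
"""Assess the strength of a DMARC TXT record (RFC 7489 tag=value syntax)."""
import re

# One "tag=value" element of a DMARC record; elements are separated by ";".
_TAG_RE = re.compile(r"^\s*([a-z]+)\s*=\s*(.*?)\s*$", re.IGNORECASE)

# Constructed sample records for example.com (not real DNS data).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=reject; sp=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a lower-cased tag -> value dict.

    Raises ValueError if the record is not a DMARC1 record or lacks the
    mandatory p= policy tag.
    """
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ";"
        m = _TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed DMARC element: {part!r}")
        tags[m.group(1).lower()] = m.group(2)
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record lacks the required p= policy tag")
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the record is strong."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered as normal (monitoring only)")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to junk rather than rejected")
    elif policy != "reject":
        findings.append(f"unknown policy value {policy!r}")
    # sp= governs subdomains and defaults to the organisational policy.
    sp = tags.get("sp", policy).lower()
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed despite the strict parent policy")
    # pct= limits how much failing mail the policy is actually applied to.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(f"pct={tags['pct']!r} is not numeric; receivers will ignore it")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return findings


if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)]:
        print(f"{name}: {assess_dmarc(rec) or ['no findings']}")
```

In practice the record is fetched from DNS as the TXT record of `_dmarc.<domain>`; the assessment logic is the same once you have the string.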

Action Fraud provides details of how to report phishing attempts. Email phishing attempts can be reported to the Suspicious Email Reporting Service (SERS) by forwarding the email or by using the Microsoft Office365 reporting button, SMS attempts can be forwarded to 7726, and attempts by phone can be reported to Action Fraud directly.

Ransomware has, however, been identified by the NCSC as the most significant cyber threat facing the UK in its 2021 Annual Review and has been responsible for high-profile cyber security incidents worldwide.

As well as its guide to cyber security for small businesses, the NCSC publishes specific guidance on ‘Mitigating malware and ransomware attacks’, with recommendations including:

  • backing up data;

  • filtering mail;

  • signing up for the NCSC’s ‘Mail Check’ platform for assessing email security compliance if eligible (currently for the public, education and charitable sectors);

  • signing up for the NCSC’s Protective Domain Name Service (PDNS) if eligible (currently only for the public sector);

  • intercepting proxies;

  • deploying safe browsing lists;

  • implementing least privilege models;

  • utilising VPNs for remote access to services;

  • enabling multi-factor authentication;

  • disabling remote desktop protocol if not required;

  • deploying patching of known vulnerabilities;

  • segregating obsolete platforms and apps;

  • reviewing and removing user permissions;

  • restricting admin accounts;

  • maintaining software;

  • promptly deploying patches and updates;

  • considering enterprise anti-virus and anti-malware; and,

  • restricting non-trusted apps on devices.

The Information Commissioner’s Office has also issued guidance on ‘Ransomware and data protection compliance’. This identifies the eight most common ransomware compliance issues as being:

  • organisations assuming that they won’t be the subject of an attack;

  • assuming that a temporary loss of access to personal data is not capable of amounting to a reportable personal data breach;

  • making an inappropriate assessment of the risk posed by a data breach;

  • failing to notify affected individuals where necessary within an appropriate timeframe;

  • failure to address the most common tactics, techniques and procedures (TTPs): phishing, remote access, privileged account compromise, and known software or application vulnerabilities;

  • failing to have a disaster recovery plan in place;

  • the risk associated with making ransomware payments; and,

  • failure to regularly test, assess and evaluate the effectiveness of your technical and organisational controls.

Despite these measures, many small businesses and other organisations will feel that cyber security is beyond their expertise or capacity.

Respondents reported that four in ten businesses (40%) and almost a third of charities (32%) now use at least one Managed Service Provider (MSP), an external organisation offering IT services. Nevertheless, cost continues to represent a significant barrier to engaging cyber security expertise.

The NCSC publishes recommended security configurations for platforms including Windows, Android, macOS and iOS.

Businesses in the Square Mile can draw upon the City of London Police’s Cyber Griffin project, which offers its ‘Baseline Briefing’ cyber security and threat awareness training, a table top exercise, incident response training and a cyber capability assessment. All services are free of charge.

Another initiative from the NPCC has been the funding of a national network of regional Cyber Resilience Centres, which are intended to offer free advice and guidance through core membership and low-cost cyber security services delivered by supervised students to SMEs, and referrals to trusted partners.

Organisations can also seek certification under the Cyber Essentials and Cyber Essentials Plus schemes. The assessment questions are published in advance so that organisations can prepare. Cyber Essentials certification is now a requirement for certain government suppliers.

The US Federal Trade Commission has also published an infographic factsheet on Cybersecurity for Small Businesses.

Sector specific advice is also available. The British Retail Consortium has published its Cyber Resilience Toolkit for Retail, for example.

A measure of benchmarking is provided by the most common cyber security measures reported to be in place: malware protection (83% business/68% charities), password policies (75%/57%), network firewalls (74%/56%), restricted IT admin rights (72%/68%), & secure cloud back ups (71%/53%), with other security controls including monitoring user activity (33%/32%), providing separate Wi-Fi networks for staff & visitors (33%/26%), establishing virtual private networks (32%/26%) & implementing multi-factor authentication (MFA) for network/app access (37%/31%).

Third party risk

19% of small firms, 44% of large firms and fewer than 10% of charities reported having reviewed the potential cyber security risks presented by their immediate suppliers.

Whether or not third parties have direct access to your systems, the mere fact of engagement with external entities creates opportunities for cyber criminals. If an attacker can gain access to your supply chain, this can be used to launch attacks such as phishing, malware, ransomware and man-in-the-middle attacks. A US study reported by Forbes suggested that more than half of US cyber breaches could be traced back to third party affiliations.

While there are legal obligations under Article 28(1) UK GDPR on organisations engaging third parties to process personal data on their behalf to ensure that those entities provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”, it would be wise for organisations to establish standard verification checks on all suppliers and partner organisations. These should include ascertaining:

  • where third parties are registered and what their compliance obligations are;

  • what systems and data they will have access to and the associated risk;

  • the physical and technical security standards in place, controls and monitoring;

  • whether they hold any certifications, such as Cyber Essentials, Cyber Essentials Plus, ISO/IEC 27001 Information Security Management, ISO 27701 Privacy Information Management Systems and/or ISO 22301 Business Continuity Management;

  • auditing arrangements;

  • the legal arrangements governing the relationship between the parties;

  • training and awareness;

  • previous incidents;

  • the third parties they utilise and their locations; and,

  • incident response plans.

The NCSC has issued ‘Supply Chain Security Guidance’, as well as ‘Supplier Assurance Questions’ to support organisations in conducting their assessment.

Recent vulnerabilities identified in open source software, such as the Log4j vulnerabilities, demonstrate the need for the use of open source software to be considered as part of the third party risk assessment; IBM’s Cost of a Data Breach report 2021 assessed such vulnerabilities as the fourth most common cause of breaches, responsible in 14% of cases.

While there is no consistent global standard for assessing third party supplier and software risk, some privacy management tools such as OneTrust seek to support the process through Vendorpedia and other tools, and organisations such as Protective.ai seek to utilise AI to analyse certain security and privacy measures to provide standardised scoring.

Embedding cyber resilience

Fewer than a quarter of businesses (23%) and a fifth of charities (19%) report having a formal cyber security strategy in place.

Engagement is a crucial underpinning to any effective cyber security strategy, and it is therefore imperative that board members or trustees understand the importance of, and champion, cyber security in the organisation. Cyber security isn’t a nebulous concept but is a legal obligation for every organisation processing personal data electronically, as a consequence of the obligation under Article 32 UK GDPR to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” to the rights and freedoms of data subjects. In the event of a successful cyber attack resulting in a personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, the cyber resilience measures in place to prevent such an incident will be closely scrutinised by the Information Commissioner, and copies of relevant policies and documents are often one of the first enquiries made.

82% of UK business boards or senior managers reported rating cyber security as a very or fairly high priority, with half receiving updates at least quarterly and a third having a board member specifically accountable for cyber security. But some 16% of businesses and 23% of charities reported board members or trustees were never updated on cyber security.

Directors owe statutory duties, including to promote the success of a company and to exercise reasonable care, skill and diligence in the exercise of their role. Failure to comply with these duties can lead to claims against the directors by shareholders by way of a derivative action under Part 11 Companies Act 2006. Directors can also be held criminally liable if an offence under the Data Protection Act 2018 has been committed with the consent or connivance of a director or where attributable to the neglect of a director.

Charity trustees have similar obligations to act in the charity’s best interests and manage its resources responsibly, acting with reasonable care and skill.

The World Economic Forum has published its report ‘Principles for Board Governance of Cyber Risk’, which recommends:

  • allocating board responsibility for cyber issues;

  • incorporating cyber risk into strategic decision making, aligned with business needs;

  • considering the organisation’s risk tolerance;

  • ensuring a cyber risk management framework is in place;

  • requiring regular reports on cyber risk management and emerging threats;

  • carrying out cyber incident response rehearsals;

  • establishing lines of accountability;

  • ensuring adequate investment in cyber security;

  • inspiring a cyber security culture;

  • incorporating cyber security expertise into board governance;

  • considering third party auditing and/or benchmarking; and,

  • ensuring that a systemic approach to risk is adopted which considers the risk of third party suppliers and partners.

The NCSC has also produced a Board Toolkit, which incorporates a framework for the board to assess cyber security and addresses details of security controls, the risk to board members themselves as targets, integrating cyber security, and managing the need for cyber security resource.

Incident response

The majority of businesses (89%) & charities (87%) restored operations from their most disruptive breach/attack within 24 hours, but of those suffering a material adverse outcome, 38% of businesses took one or more days to recover.

In the event of a successful cyber attack, a prompt and decisive response is crucial in mitigating damage and maintaining confidence in an organisation and its reputation.

It is universally recommended that organisations prepare and rehearse a practical plan for how they will respond to a cyber security incident. It is often in such rehearsals that issues are flushed out which inform an iterative approach to the response plan. Ensuring relevant individuals will have access to the plan, knowing who will take charge and who needs to be informed, how you will communicate in the event that systems are inaccessible, and having escalation and reporting thresholds to hand are invaluable in underpinning a coherent response. An incident response plan may dovetail with your organisation’s wider business continuity and disaster recovery policy.

In the event of a cyber incident that involves a personal data breach, Article 33 UK GDPR requires that it be reported to the Information Commissioner within 72 hours of discovery unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”.

Entities in regulated sectors will need to consider whether they have additional reporting obligations and how these will be co-ordinated; see, for example, the obligations imposed by the FCA in relation to operational resilience.

Publicly listed companies will also need to consider their obligations under the FCA’s Listing Rules and Market Abuse Regulations. There is clearly scope for successful cyber attacks and data breaches to have a significant effect on the price of financial instruments. Retailer ‘The Works’ was reported to have suffered a 10% drop in its share price on market opening after announcing that it had been subjected to a cyber attack which impacted its operations despite stating that customer data had not been affected and the company did “not currently expect the incident to have a 'material adverse impact' on its financial position or forecasts”.

Even if a cyber attack is successful, hopefully your wider cyber resilience measures, including secure off site back ups of data, will ensure that data and business continuity can be promptly restored.

Just over half of businesses (56%) & 40% of charities reported having a policy not to pay ransoms, although some reported breaching that policy when necessary.

Consistent with the Government’s “strong position against paying ransoms to criminals, including when targeted by ransomware”, which the Secretary of State for the Home Office, Priti Patel said “does not guarantee a successful outcome. It will not protect networks from future attacks, nor will it prevent the possibility of future data leaks. In fact, paying a ransom is likely to encourage criminals to continue to use this approach”, most businesses said that they would not pay a ransom payment even though it is not unlawful per se to do so.

In the event of a successful ransomware attack where backups are compromised or non-existent, however, there are likely to be wider ramifications and organisations may feel that they have no choice. No More Ransom is a law enforcement backed organisation that has been set up to assist in restoring encrypted data without having to have recourse to paying a ransom demand.

If a ransom is to be paid, it is likely to be demanded in cryptocurrency, such as Monero, and it will therefore be necessary in the first instance to buy the necessary currency. Ransomware payments can often be negotiated, although attackers often seek to exfiltrate documentation relating to an organisation’s ability to pay.

With involvement in ransomware attacks such as WannaCry and the attack on Colonial Pipeline being attributed to North Korean and Russian linked cyber crime groups, respectively, organisations need to be mindful of complying with sanctions regulations when making any ransomware payment. Chainalysis has reported that it estimated 74% of all money made through ransomware attacks in 2021 went to Russia-linked hackers.

Medium-large businesses that experienced a cyber attack that resulted in an adverse outcome reported that the average cost of attacks was £19,400.

The costs of a cyber attack can range from overtime, the cost of external forensic IT support, lost business, contractual liability to customers, legal fees, and PR fees to ransomware payments, compensation to affected data subjects and regulatory fines. The Data Protection Act 2018 specifies that the Information Commissioner can issue fines of up to the greater of £17.5m or 4% of annual global turnover in case of non-compliance.

While unanticipated costs in the tens of thousands are likely to be disruptive to any business, the costs of the most damaging data breaches can be exponentially higher. When an employee of Morrisons Supermarkets plc unlawfully published employee data, while it was found not to be liable to pay compensation to affected staff members, it nevertheless spent some £2.26m on its immediate incident response measures alone, including identity protection for affected staff. When TalkTalk suffered a data breach, its Chief Executive reported anticipated one-off costs amounting to between £30-35m, including incident response, handling calls from concerned customers, additional technology costs and depressed sales revenue.

It is therefore perhaps surprising that fewer than half of businesses (43%) reported having an insurance policy that covers cyber risks. Key drivers for obtaining cyber insurance were reported to be the included provision of threat management & monitoring support, incident response management & compensation cover, but obtaining cover was perceived to be more difficult with increasing premiums and the removal of ransomware cover.

Insurers are likely to move to exclude cyber from general policies (so-called ‘silent cyber’) and organisations seeking cyber insurance cover are also likely to be subjected to increased underwriting due diligence by insurers. The latter may result in greater incentivisation of cyber security through cyber insurance, which RUSI recently reported was currently lacking.

Recent geo-political developments are also driving insurers to seek to exclude acts of war from cyber policies.

When forced to call in the experts, it seems that very few organisations sought the support of or even bothered to notify law enforcement.

Only 10% of businesses reported their most disruptive cyber attack to Action Fraud, & 5% to their local police force.

As well as being in a position to support the immediate response to an incident, law enforcement can support organisations to capture relevant evidence, and can gather intelligence and act upon incidents, co-operating with foreign partners to take enforcement action where possible. The fact that a ransom has been paid does not preclude the police from supporting an organisation that has experienced an attack, and law enforcement may be able to advise on measures to trace and seek to recover ransomware payments.

The NCSC also invites reports on cyber security incidents.

At Handley Gill, we work with organisations to train staff, design and implement data protection and information management policies, to assess and mitigate cyber security and data protection risk, and to prepare for and respond to cyber security incidents and data breaches and their aftermath, including engaging with regulators. Should you require support or further information about our services, please don’t hesitate to contact us.
