While fewer businesses are suffering attacks or breaches, cyberattacks are becoming more costly and targeted, according to government figures.
The report shows that around one in three businesses (32%) was a victim of an attack or breach in the past 12 months. While this is lower than in 2018 (when it was 43%) and in 2017 (46%), those who were victims typically reported facing six attacks, compared to two in 2017.
The figures from the Department for Digital, Culture, Media and Sport also show that phishing attacks (identified by 80% of victims) and others impersonating an organisation (28%) – both of which rely on human error – are now more common than viruses, spyware or malware attacks (27%).
The report says businesses have increased their defences but suggests that attacks are becoming more focused. Jon Abbott, CEO of IT services provider and founder of cybersecurity platform, says the figures reflect the trends the industry is already seeing.
“Attacks are becoming more targeted and costly and cybercriminals are becoming more sophisticated. As IT teams shore up their defences, attackers are choosing softer targets and preying on people instead. They recognise that humans are now the weakest link and increasingly the targets are directors and senior decision makers.
“It demonstrates that cybersecurity is no longer just an IT issue but a company-wide challenge, one which involves people throughout the organisation and needs to be overseen at board level.”
The report shows that 30% of attacks had a negative outcome, resulting in loss of data or assets, with the average (mean) cost to the business being £4,180, higher than in 2018 (£3,160) and 2017 (£2,450).
Around three in four businesses (78%) say cybersecurity is now a high priority for senior management – up from 74% last year. One in three businesses (33%) now has a written cybersecurity policy; 27% have had staff attend training in the past 12 months; and 56% have implemented the five types of controls recommended in the government’s Cyber Essentials scheme – all up on last year’s figures.
The report says GDPR has helped to change behaviour, with 30% having made some type of change as a result, but it has also led to organisations focusing on data breaches rather than wider risks. They might need to ‘think more holistically about the issue’ and could do more – only 35% have a board member responsible for cybersecurity.
Jon Abbott adds: “Dealing with the changing threat landscape requires a more integrated approach than before. Patching, web browsing protection and anti-virus software are critical but businesses also need the right policies, procedures and culture.
“As cybercrime becomes more complex, boards need to lead the fightback and work closely with IT teams and managers throughout the organisation to ensure they are in the best possible position to defend themselves against the threats.”