In our recent article, ‘Cyber security breaches: examining cyber security risks in a turbulent landscape’ we provided a breakdown of the Department for Science Innovation and Technology (DSIT) annual report and its findings with regards to cyber attacks.
This article serves as a follow on from our first publication to help make the DSIT Report’s findings into tangible suggestions and food for thought for your organisation.
What we understand from the DSIT Report is that senior management continues to take cyber security risk seriously and that the risk is a board room agenda item [1]. Three-quarters (74%) of UK businesses surveyed said that cyber security was a high priority for their senior management, with the amount of investment in cyber security over the last 12 months either increasing or staying the same.
There is evidence to suggest that effort is being made by senior management to prioritise cyber security risks and prevent future incidents in their organisations. However, some recurring reasons behind a lack of senior management engagement were a limited understanding of or interest in cyber security, and the topic being taken off the agenda to make way for day-to-day business operations. Interestingly, some organisations considered that they were not at particularly high risk of falling victim to a cyber attack.
In the last twelve months, it is estimated that the average total cost that organisations have faced from their single most disruptive breach is as follows [2]:-
Less than 50% of businesses surveyed purchase cyber insurance, although the figure has increased to 43% from 37% the previous year. It was found that more medium sized businesses (62%) were investing in cyber insurance than larger businesses (54%). It would be interesting to understand the reasons behind this. Is it a lack of understanding about what cyber insurance covers, or is it seen as a luxury item in a challenging economic climate?
The DSIT Report identified that 32% of businesses surveyed experienced a cyber security breach or attack within the previous 12 months [3]. Of those 32%, four in 10 businesses reported incidents occurring monthly or more often, and a fifth reported that they had experienced breaches or attacks at least weekly. Of those businesses experiencing monthly or weekly breaches, 61% were large businesses and 60% were medium sized businesses.
There has been a decline in the frequency of cyber security incidents since 2022. Could it be argued that the reduction is a consequence of businesses implementing robust cyber security risk measures to prevent breaches, greater awareness and greater resilience to cyber incidents? However, caution is needed, as it was understood that, due to the increased sophistication of cyber attacks, some breaches are going undetected.
The findings in the DSIT Report are reflective of the data security incidents reported to the Information Commissioner’s Office (ICO) by organisations after they have suffered an incident. Examining the latest data breach statistics for the legal sector published by the ICO for the final quarter of 2023 (1 January 2024 to 15 April 2024) [4], the number of data security incidents reported by the legal sector was 247 (an increase from 197 the previous quarter) [5].
The ICO categorises the data breaches into ‘non cyber security incidents’ and ‘cyber security incidents’.
The most common cause of non cyber security incidents reported by the legal sector to the ICO during 1 January 2024 to 15 April 2024 was data being emailed or posted to the incorrect recipient, which equated to half of the overall reported non cyber breaches.
Breaches of this nature occur as a result of human error, often because individuals are working under extreme pressure, whether from clients, tight timescales or internal demands, and can arise owing to a lack of attention to detail.
The number of cyber security incidents reported to the ICO for the same period showed a sharp increase from the previous reporting quarter, with almost 50% of those incidents resulting from phishing attacks, and with the largest increase arising from ransomware attacks, which increased by 400%.
The DSIT Report suggests that the reporting of breaches remains an uncommon practice, with 34% of businesses reporting breaches externally. When breaches are reported, it is banks, building societies and credit card companies who are the first to be notified, followed by the police and the business’ website and network service providers.
Notifiable breaches must be reported to the ICO without undue delay and no later than 72 hours after the organisation becomes aware of them. Not all breaches need to be reported to the ICO; however, each case would need to be assessed on its own merits, and the potential level of risk or negative consequences for the individual data subject and how sensitive the breached data is must be considered. This would include a risk to an individual’s rights and freedoms which may result in emotional or physical distress, or any other emotional or social disadvantages, reputational damage and financial loss.
The best practice advice from the ICO is if organisations are unsure about whether the impact of an incident is significant or not, it is safer to report the breach as the ICO can impose financial penalties on organisations who violate data protection laws.
The ICO has issued new data protection fining guidance on how the Commissioner decides to issue penalties and calculate fines for data infringements [6]. The Commissioner will assess the seriousness of the infringement, taking into account:-
In determining whether it is appropriate to issue a penalty notice, the Commissioner will consider the seriousness of the infringement or infringements; any relevant aggravating or mitigating factors; and whether imposing a fine would be:
The level of fine the Commissioner can impose for a data protection violation is subject to the statutory maximum, depending on the statutory provision that has been breached. Two levels of maximum fine can be imposed:
The applicable statutory maximum amount is calculated by reference to a percentage of turnover where an undertaking’s total worldwide annual turnover exceeds:
The Commissioner will determine the severity of the infringement and categorise the infringement according to its degree of seriousness as follows:-
Artificial intelligence (AI) is featuring heavily in our daily lives and as such organisations should be assessing the risks and opportunities such technological advancements can pose. It is crucial that cyber security underpins the use of AI. The DSIT Report does not cover emerging technologies, yet it is anticipated that AI will feature in future studies, particularly as the DSIT has issued a call for evidence seeking views on new measures for software vendors and AI cyber security risks[7]. The call for evidence may result in two new codes of conduct as part of a new global standard and forms part of the UK Government’s £2.6 billion National Cyber Strategy aimed at protecting and promoting the UK’s interests in cyber space and ensuring that AI is used safely, ethically, and sustainably.
The ICO has recently published a report setting out its strategic approach to AI regulation (ICO Report) [8]. The ICO Report touches on the use of AI and notes that criminals are taking advantage of new technologies, using generative AI to create phishing campaigns faster and more effectively with a wider reach, eliminating the typographical errors and poorly drafted requests that we are familiar with and making it increasingly difficult to distinguish genuine emails from those sent by malicious threat actors. There is also a concern that AI is being used to create deepfake video calls and voice cloning, taking CEO emails to the next level.
The ICO Report recognises the benefits AI can bring to enhancing cyber security, and the advice from the ICO is that organisations should assess the risks and opportunities that emerging technologies create, ensuring proportionate and layered controls are implemented to minimise exposure to any such risks.
What is clear from the DSIT Report and the ICO Report is that cyber security breaches continue to threaten organisations and as we increasingly rely on and adopt new technologies, cyber security breaches will remain. Organisations should understand the volume and types of data that they hold in order to consider how to remedy or mitigate potential threats and be proactive in minimising their risk of exposure to a cyber security incident. It is acknowledged that such risks cannot be abolished but they can be managed effectively.
Want to know how WTW can help your organisation mitigate its risks against cyber threats? Speak to us to arrange an introductory conversation to begin the process of managing your cyber security risks.