The state of IT security in UK businesses
20th December 2018
Businesses across the world are under a continuous stream of cyber attacks – how are UK businesses faring in this environment?
Hundreds of millions of cyber threats travel the internet every day and businesses of all sizes are at serious risk. For example, between 2010 and 2014, successful cyber attacks on businesses of all sizes increased by 144%.
On top of this, the National Cyber Security Alliance reports that approximately 60% of all businesses who experience a loss due to a security breach go out of business within six months.
This is quite staggering and clearly cyber-crime is big business—we’re talking large-scale organised crime and billions of dollars to be made from corporate and personal data.
And, the Web is the primary highway for these attacks. Sophisticated phishing emails, malware, and even spam target more than just servers and desktops; laptops, smartphones, and tablets can also be the focus of a cyber-attack, from any location around the globe.
Cyren recently conducted research to explore how smaller businesses are coping with the level of escalating cyber threats to look at whether it was just the larger organisations that are being attacked and how the small to medium sized enterprise and businesses are bearing up.
The research which was conducted by Osterman Research and sponsored by Cyren highlighted that security problems in small to medium sized businesses are rampant. It surveyed IT and security managers at 102 UK companies with anywhere from 100 to 5000 employees
The reason security problems are rampant is because 75% of organisations surveyed reported a security breach or infection in the last 12 months, rising to 85% for businesses with 1000 or fewer employees.
In terms of frequency and the type of breaches causing organisations anguish, the average number of known breaches reported was 2.1. The threats that were rated of greatest concern were data breaches, ransomware, targeted attacks and zero-day exploits.
Interestingly, ransomware infections were reported at twice the rate among organisations with fewer than 1,000 employees, when compared to organisations with 2,500-5,000 employees, which came out as 6 percent versus 3%, respectively.
The greatest security gaps, where IT managers’ level of concern most outstrips their evaluation of their security capabilities, are in dealing with targeted and zero-day attacks. The threat of data breaches, botnet activity, and malicious activity from insiders were also cited.
Only 19% of the respondents said that their web security is inspecting SSL traffic for threats.
The research also showed that IT managers are far more concerned about the costs of infection than the cost of protection. The initial cost of web or email security solutions or their total lifecycle cost were ranked much lower as decision criteria than features like ease of administration, visibility, and advanced security protection (the top three categories).
Therefore, it is safe to assume that IT managers are far more concerned with stopping malware than controlling employee web behaviour, with the exception of preventing access to pornography from business networks.
“Shadow IT” is a moderate concern for larger companies, but a low priority for those with 1,000 employees or less, with only 9% considering it of concern. The largest organisations surveyed, with 2,500 to 5,000 employees, are currently rating application control as the most important capability in evaluating new solutions, with 73% rating it extremely important. This compares to just 43 and 41 percent of organisations in the two smaller employee size categories.
Data loss prevention is highly utilised in the UK, ranking as the second-most-deployed capability for both web security (64%) and email security (62%), among the capabilities evaluated.
Less than 25% say they protect company-owned or BYOD mobile devices, and less than 30% of remote offices and Guest Wi-Fi networks have gateway security. The vast majority of organisations rely on endpoint protection for traveling employees’ laptops and to protect use of the web at remote offices.