If the findings of the UK Government’s new Cyber Security Breaches Survey 2022 are to be believed, there is a growing (and much needed) recognition that cyber security needs to be a priority for senior business managers. However, it seems there is still very little responsibility at board level, despite very real threats, stiff regulatory penalties, and ramifications that could impact directors personally, should a breach occur.
Each year the UK Government conducts a survey whose results are used to inform its policy on cyber security. The findings of the 2022 report are published at a tense time geopolitically, and they serve as a reminder that when it comes to national cyber security we all have a collective responsibility to shore up the defences of our respective nations.
It is certainly positive that the number of businesses citing cyber security as a high priority has risen from 77% in the 2021 report to 82% in 2022. Yet only 34% of businesses have a board member with responsibility for cyber security. This lack of representation at board level may account for the fact that only 17% of businesses report having carried out a cyber security vulnerability audit.
Looking at specific elements of businesses' cyber security capability, 75% have a password policy that ensures users set strong passwords. Why is this not 100%? More importantly, how effective are these policies in practice, and how are they implemented and managed? Poor password management leaves the door wide open to exploitation through a range of vectors. Chief among them is phishing, which the Government report highlights as the most common threat vector, cited by 83% of businesses: a phished password protecting a password-only login can be replayed by the attacker immediately, which is exactly why the next finding matters.
Multi-factor authentication (MFA) is a good way to augment traditional password-based login credentials, yet its uptake varies significantly by industry. MFA pairs the username and password with at least one further factor from a different category: something you have (a code from an authenticator app, a hardware security key or, weakest of the three because it can be intercepted or phished, an SMS code) or something you are (a biometric). A PIN or unlock pattern on its own is simply another "something you know"; it only adds a factor when it unlocks a device the user physically holds. MFA is used by 63% of businesses in information and communications when employees access the network or applications. This drops to 28% in the utilities, production and manufacturing sectors, and to just 18% for businesses in food and hospitality. I suspect this is partly down to the perceived level of exposure to risk, combined with a choice to prioritise convenience over stronger security; however, you can have both.
Considering the findings of the report in the round, a picture emerges of UK PLC slowly improving, but a lot more could be done much faster to detect, prevent and respond to the threat of cyber-attack. Cost is clearly a concern, but steps such as checking the breached-password status of every active and dormant user account can be completed in a matter of minutes using online tools. One caveat: use a service that supports a k-anonymity lookup, where only a short prefix of the password hash leaves your network, rather than pasting live credentials or full hashes into an arbitrary web form. To prevent password-related breaches from recurring, a Password Security Manager that instils NIST SP 800-63B compliant password policy best practice with continuous lifecycle management can be deployed from £1 per user per month, which surely any organisation from sole trader to large enterprise can absorb.
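To make the two preceding points concrete (what a "strong password" policy in the NIST SP 800-63B sense actually checks, and how a breached-password lookup can run without disclosing the password), here is an added example. It is my own illustration, not code from the survey, the Government, or any product mentioned on this page. It simulates the breach corpus locally with a constructed list of well-known leaked passwords and made-up occurrence counts so that it runs offline; in production the `fetch` callable would issue an HTTPS GET to the Have I Been Pwned range endpoint (`https://api.pwnedpasswords.com/range/<PREFIX>`) and return the response body, which has the same `SUFFIX:COUNT` line format.

```python
"""NIST SP 800-63B style memorized-secret verifier with a k-anonymity breach check.

Added example, not the page's or any vendor's code. Assumptions:
  * The breach corpus is simulated by `simulated_range_lookup`, built from a
    small constructed list of leaked passwords with made-up counts.
  * In production, replace `fetch` with a function that performs the real
    HTTPS range query; the client-side logic in `pwned_count` is unchanged.
"""
import hashlib
import re
from typing import Callable

# Constructed breach corpus: (password, made-up occurrence count).
_CONSTRUCTED_BREACH_CORPUS = [
    ("password", 9_000_000),
    ("123456", 37_000_000),
    ("qwerty", 4_000_000),
    ("letmein", 300_000),
    ("Password1", 150_000),
]


def sha1_hex_upper(secret: str) -> str:
    """SHA-1 of the secret as upper-case hex, the form the range API uses."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def simulated_range_lookup(prefix: str) -> str:
    """Stand-in for the range endpoint: given the first five hex characters of
    a SHA-1, return 'SUFFIX:COUNT' lines for every corpus hash sharing that
    prefix. The server never sees the full hash, which is the k-anonymity point."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACH_CORPUS:
        digest = sha1_hex_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str,
                fetch: Callable[[str], str] = simulated_range_lookup) -> int:
    """Client side of the check: hash locally, send only the five-character
    prefix, and match the remaining 35 characters locally.
    Returns the breach count, or 0 if the password is not in the corpus."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix.strip() == suffix:
            return int(count.strip())
    return 0


def _is_sequential(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '87654321' (step +1 or -1 throughout)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def nist_800_63b_check(password: str, username: str = "", service: str = "",
                       fetch: Callable[[str], str] = simulated_range_lookup) -> list[str]:
    """Return the reasons a memorized secret should be rejected under
    SP 800-63B section 5.1.1.2; an empty list means accept.

    Deliberately absent: composition rules (mandatory digits or symbols) and
    periodic expiry, both of which 800-63B tells verifiers not to impose."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 128:  # 800-63B requires permitting at least 64; this cap only bounds hashing cost
        reasons.append("longer than 128 characters")
    lowered = password.lower()
    # Context-specific words: the service name, the username and derivatives.
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains the {label}")
    if re.fullmatch(r"(.)\1+", password):
        reasons.append("repetitive characters")
    if _is_sequential(lowered):
        reasons.append("sequential characters")
    hits = pwned_count(password, fetch)
    if hits:
        reasons.append(f"found {hits} times in breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "password", "correct horse battery staple"):
        verdict = nist_800_63b_check(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note what the verifier does not do: it never demands a digit or symbol, and it never expires a password on a calendar. The strength comes from length, from rejecting context words and trivial patterns, and above all from the breach check, which is the control that actually blocks the credentials attackers try first.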
Don't be amongst the 38% of businesses that have identified breaches or attacks but have not taken remedial action to prevent a recurrence! So, to the board members who do not yet carry responsibility for cyber security, I say: your company and your country need you!
The UK Government's Cyber Security Breaches Survey 2022 report is available in full on GOV.UK.