bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland


Cyber Security Breaches Survey 2023 – Consequences for Small Businesses

01 June 2023


On 12 May, the UK Government's Department for Science, Innovation and Technology, together with the Department for Digital, Culture, Media and Sport, published the results of the 2023 Cyber Security Breaches Survey. Respondents were asked about their approach to cyber security and about any breaches or attacks they had identified.

The outcome of the survey can be found here: Cyber security breaches survey 2023 - GOV.UK (www.gov.uk).

Paul Motion, Partner
Jamie Stewart, Trainee Solicitor

Main findings

The main findings were:

  1. Small businesses and organisations are identifying fewer cyber security breaches and attacks than in the 2022 survey. The report reads this as a fall in detection rather than in attacks: senior managers in smaller organisations treat cyber security as less of a priority in the current economic climate, so less monitoring and proactive logging is taking place. For example, the proportion of small businesses rating cyber security a "high priority" fell from 80% in 2022 to 68% in 2023.
  2. "Cyber hygiene" measures have seen a consistent decline among businesses. For example, effective maintenance and enforcement of password policies and network firewalls both declined between 2022 and 2023.
  3. Although still low, consideration of cyber security when assessing supply chain risk has increased (13% of businesses and 11% of charities report having carried out such risk assessments). 37% of businesses and 33% of charities report having cyber insurance.
  4. Corporate reporting of cyber risks remains low.
  5. A high proportion of businesses report awareness of government-published cyber security guidance, yet do not adhere to recognised standards or accreditations such as Cyber Essentials or ISO 27001.
  6. Formal incident response plans are not common (21% of businesses and 16% of charities have one).

The survey concludes that there is a lack of progress by management of businesses at all levels to manage cyber security risks and there is an apparent de-prioritisation of cyber risk management by micro and small businesses.

Cyber Risks for Small Businesses: Effective Management is Key

The report identified that the trend for micro and small businesses seems to be that cyber security is of lower importance as a result of recovery from the COVID pandemic, cost of living crisis and soaring inflation. Small businesses are deciding to allocate resources to other areas to the detriment of cyber security. However, effective management of cyber security risk should be a key consideration for all businesses as breaches can have serious consequences on customer base and reputation, along with ICO fines for breaches, ultimately damaging cash flow.

Failure to manage cyber risk effectively leaves the door open to malware that is becoming increasingly sophisticated and difficult to spot. Businesses should be mindful that ransomware can catch any person or organisation unawares, whatever its size, and especially those not taking appropriate steps to manage the risk. One of the first widely reported ransomware incidents affecting a Scottish business was the 2015 attack on Ellen Conlin Hair and Beauty Salons in Glasgow, which paid the attackers €1000 in bitcoin to retrieve its customer data (Scottish hairdressing firm warns of cyber attack threat - BBC News).

The most disruptive attack of recent times in the UK was the 2017 "WannaCry" ransomware outbreak, which hit the NHS, demanded payment for the return of encrypted files and caused widespread disruption to the country's health service, affecting, among other things, the deployment of ambulances (NHS cyber-attack: GPs and hospitals hit by ransomware - BBC News).

The ICO takes a hard line with organisations that fall victim to ransomware where the attack succeeded because of inadequate security, and it strongly advises against paying the attackers to recover the stolen information (as do other agencies). This was exemplified in 2022, when Tuckers Solicitors LLP was fined £98,000 by the ICO for breaches of the GDPR and the Data Protection Act 2018 following a 2020 attack in which hackers obtained and encrypted 972,191 files, 24,712 of them relating to court matters. Tuckers had paid the attackers to recover its data. In issuing the fine the ICO noted that "the Commissioner considers that Tuckers' failure to implement appropriate technical and organisational measures (...) rendered it vulnerable to attack", that this had given the attackers a "weakness to exploit", and that Tuckers, as controller, was responsible for protecting the personal data. The failure the ICO singled out was the absence of multi-factor authentication on remote access, a control that had been recommended since 2018.

The ICO's position remains that personal data is the responsibility of the organisations (controllers) that hold it, and that ransomware attacks tend to result from an organisation's failure to protect that data adequately. Paying to recover the data does not discharge that responsibility; preventative measures must be in place beforehand. The ICO has also noted that the recommended measures come at "relatively low cost".

What can businesses do to prevent data breaches as a result of ransomware?

The ICO provides guidance here - Ransomware and data protection compliance | ICO.

Businesses are increasingly backing up data to the cloud so that it can be restored after an attack. That is valuable for business continuity, but it offers little comfort on the question the ICO actually asks, which is whether the breach could have been prevented: a backup does nothing to stop the attack, or the theft of personal data, in the first place. A backup is also only useful if the attacker cannot reach it. A cloud copy that syncs continuously from an infected machine, or that can be reached with the same credentials the attacker has stolen, may be encrypted or deleted along with the live data, so at least one copy should be kept offline or otherwise protected from modification, and restoration from it should be tested.

Instead, active prevention should come first: anti-malware and endpoint detection software, properly maintained firewalls, timely patching, multi-factor authentication (the control whose absence the ICO singled out in Tuckers), penetration testing, and cyber security policies that are both properly written and actually enforced.

The protection of data, not only from malware and attacks, but on a day to day basis, should be a priority for businesses of all levels.

If you, or your business, require assistance in effectively managing and protecting data or fall victim to a ransomware attack, please contact the BTO Data Protection team on DataDefence@bto.co.uk.

Paul Motion, Partner and Accredited Specialist in Data Protection and FOI: prm@bto.co.uk / 0131 222 2939

Jamie Stewart, Trainee Solicitor: jgs@bto.co.uk / 0131 222 2939
