
Cyber Security Survey Sorely Needed in M’sia!

The United Kingdom and other developed countries have one, so it is time for Malaysia and other countries to follow suit with a survey that would kiss and tell on the country's cyber security resilience against cyber threats. The Cyber Security Breaches Survey is a quantitative and qualitative study of UK businesses, charities and education institutions.

by George Mathews

The latest Government Cyber Security Breaches Survey shows that the risk level for businesses is potentially higher than ever under COVID-19. Businesses are finding it harder to administer cyber security measures during the pandemic as organizational resources are diverted to facilitating home working.

It doesn’t help that fewer businesses are taking recommended cyber security measures, leading the Government to urge organizations to follow the NCSC’s “expert guidance” to boost their online resilience.

The annual survey, which the Government has run since 2016, looks at how UK businesses, charities and education institutes are affected by, and manage, cyber risk. The aim is to help organizations understand the risks they face and what others are doing to stay secure.

What the Survey Reveals

It can also help larger businesses understand where smaller firms (many of whom sit within their supply chain) may approach cyber risk differently. The Government uses the research to shape future policy, including its upcoming new cyber strategy.

Despite COVID-19, there were some positives to take from this year’s report. It was revealed that cyber security remains a priority for boards, with 77% of businesses (and 93% of large businesses) saying that cyber security is a high priority for their directors or senior managers.

Overwhelmingly, businesses say the pandemic has made no difference to the importance they place on cyber security, while the qualitative research suggests that some organizations have accelerated their plans regarding (or increased their investment in) IT and cyber security in response. Many have adopted new security solutions including cloud security and multi-factor authentication.

For some (14%), cyber has become a higher priority as they have faced an increase in the frequency of attacks (especially phishing attacks) since March 2020 and/or felt their organizations were exposed to new risks as staff worked from home.

The survey also pointed out that more businesses are taking out cyber security insurance – up 11% to 43% this year. This is more likely to be through a broader insurance policy rather than a cyber-specific one.

Fewer businesses are identifying breaches or attacks than in 2020 (from 46% to 39%). This may, however, be misleading as the frequency of attacks has not reduced for those reporting them. It could be the result of reduced trading activity from businesses during the pandemic, or because businesses are less aware of the attacks they are suffering.

However, the survey also highlights many areas that are still in need of improvement, as well as some new risks. The pandemic has made cyber security harder. With resources stretched and remote working creating new challenges, fewer businesses than last year report deploying security monitoring tools or having up-to-date malware protection.

Many more businesses now have staff working from home and/or using personal devices for work and yet the vast majority still do not have a cyber policy which caters for this. Only a third have a VPN for remote working and, in large businesses in particular, having laptops with unsupported versions of Windows is a significant risk (affecting 32% of large businesses).

Businesses therefore still need to implement new or adapt existing policies and procedures to reflect these new risks and working patterns, and to cater for future working environments which many anticipate will involve a blend of working remotely and in offices.

The Findings of the Survey Reveal that More Can be Done

In addition, the survey report also concluded that many long-standing issues remain and businesses could still do more to prepare:

Just under a third have continuity plans that mention cyber security and only 15% have audited their cyber security vulnerabilities. Despite cyber being a board level issue, only 38% have board members with a cyber security brief. The figure rises to 57% for larger businesses, but this still marks a fall from last year’s peak of 68%.

Only 14% of businesses train their staff on cyber security and only 20% have tested their staff response (for example with mock phishing exercises). This is despite the fact that phishing attacks were the most common threat vector (83% of reported attacks), and staff are a key vulnerability in relation to such attacks. The figures are, however, higher in larger organizations, where nearly half have carried out training or tested their staff response.

The vast majority of businesses (88%) do not review cyber security risks posed by suppliers. The figures are even worse when looking beyond immediate suppliers – only 5% of businesses (down from 9% last year) have reviewed their wider supply chain.

Barriers to addressing supplier risk ranged from a lack of time/money to suppliers not providing the information to carry out checks or not knowing what checks to carry out. Compliance with standards, like Cyber Essentials, was cited in responses as one way to ensure that suppliers took cyber security seriously without having to collect lots of specific information from them.

The Survey Concludes

Finally, the responses provided some interesting insights. Some reported that service continuity and flexibility have been viewed as competing with cyber security since the first UK lockdown. However, it will be interesting to see if this view will change. When discussing cyber security priorities going forward, businesses talked about a greater emphasis on continuous improvement and integrating new technologies.

As staff increasingly expect access to new technologies to stay productive, some discussed gradually moving from an approach of locking down user activity towards one that prioritizes functionality and flexibility. Presumably cyber risk management processes, procedures and (some suggested) the personal responsibility of staff, will need to adapt to reflect these changes post pandemic.

The qualitative research also highlights organizations’ cyber security ambitions for the future and the broader challenges they expect to face. Many expect to make continuous improvements in their cyber security, which includes, for example, rolling out multi-factor authentication, or tweaking policies and processes to cover Software as a Service (SaaS).

Some also expect to move further away from an approach of locking down user activity, towards one that prioritizes functionality and flexibility. Cyber security teams may therefore need to realign themselves to wider strategic business needs in some cases, emphasizing how staff can use new technologies, software and platforms securely rather than banning them.
