Taking a look at the survey results on Approaches to Cybersecurity.
Cybersecurity statistics are everywhere, revealing all sorts of hidden detail about how well or badly things are going.
Many research white papers and projects are sponsored by a vendor, though, and the results tend to be shaped by that vendor's product offering. So for Cybersecurity Awareness Month I've decided to look at one of the most comprehensive surveys we've seen in 2024 - the UK government's Cyber Security Breaches Survey - and break it down into a series of articles to determine the key factors in cybersecurity.
To start with, in this first week of Awareness Month, we'll look at the chapter on 'Approaches to Cybersecurity'. Specifically, this covers risk management (including supplier risks), staffing and training, cyber insurance and technical controls.
Taking the Tasks
The survey was quick to point out that businesses were not necessarily expected to be doing tasks such as monitoring, risk assessment, audits, and testing, as this depends on their own risk profiles.
For example, it was found that 33 percent of businesses used specific tools for security monitoring, 31 percent did a risk assessment to cover cybersecurity risks, and 18 percent conducted staff testing.
One of the main findings was that “relatively few businesses are taking steps to formally review the risks posed by their immediate suppliers and wider supply chain” with 11 percent saying that they review the risks posed by their immediate suppliers, and only six percent looking at their wider supply chain.
This is surprising, considering the impact of the ransomware attack on Synnovis and the NHS this summer, as well as the impact of the Snowflake breach on other companies.
Maybe one of the problems here is that cybersecurity is looped into the conversation too late. The survey reported that some organisations felt it would be awkward to start having discussions about cybersecurity with suppliers they have worked with for many years, while other organisations didn't feel it was necessary to have regular conversations with their suppliers because the contract should ensure the supplier will stick to their word.
Are we too trusting of friendly suppliers, to the detriment of cybersecurity? One way to deal with this is to have a cybersecurity strategy in place, and the survey found that 66 percent of large businesses have a formal strategy, while 58 percent of medium and 47 percent of small businesses also have one.
These numbers are reassuring, as they show that a proportion of these businesses do take cybersecurity seriously. A further finding was that, of the 33 percent of businesses that have policies in place, 44 percent have reviewed them within the last six months.
Guidance and Certification
Turning to policies, the survey found "a clear majority of businesses and charities have a broad range of basic rules and controls in place" of the kind covered in the NCSC's 10 Steps to Cyber Security or the requirements for Cyber Essentials certification.
The most frequently deployed rules or controls involved cloud back-ups, updated malware protection, passwords, network firewalls and restricted admin rights, each in place at two-thirds or more of businesses.
The least common rules and controls were two-factor authentication, user monitoring, separated wifi networks, applying software updates and use of Virtual Private Networks.
Is it clear where to get guidance from, and how to adopt it? Brian Honan, CEO of BH Consulting, said part of the reason there may be confusion and uncertainty around where to get information and guidance is there is a lot of hype generated by vendors: vendors need to sell their products and services and will naturally use the latest headlines to promote them.
Who’s Responsible?
A final factor in this section was on ‘responsibility for cybersecurity’ and the likelihood of employing someone who can take charge of cyber issues internally.
The results showed a breakdown among businesses of differing sizes: in a micro business it will be a chief executive; office managers in small businesses; an IT director or manager in large businesses; and for charities a trustee typically performs this function.
Richard Cassidy is CISO of Rubrik, and told SC UK that when a board is engaged with cybersecurity, they are more likely to be aware of security risks, “because they will have heard something and say ‘hope that doesn’t happen to us’.”
Cassidy admits that the CISO role is fairly new, and that traditionally the CTO or CIO would have taken responsibility for those duties - but, as the statistics above show, this level of person is often not even employed in these businesses.
“I found it's almost half and half that organisations have CISOs or they don't, and if they don't they tend to have IT directors or cyber defence leaders who report into the CIO,” Cassidy says.
He had theories though on the success of reporting into different C-level leaders, as if they report to a CEO “they've got the capability to make an influence across all of the C-levels”, while those who report into CIOs tend to be much more compliance or energy-focused.
“If it is CTOs [they report to] it's a little bit more tactical base work, and to the CFO it tends to be the better role as they have better range for when something goes wrong,” he says.
Cassidy says that cybersecurity doesn't get the time or attention from the board that it often deserves, and when there is a report the CISO doesn't get to present directly, so there are some translation issues in getting the message across.
“That's a board responsibility issue, they have to say they want the CISO to come to these meetings to report directly to them, because this is too big an issue to get wrong,” he says.
As we break down the many survey results over the course of the next month, we will see a lot of variety in how cybersecurity issues are being dealt with by businesses.
Here we see that there is acknowledgement of supply chain challenges, but a hesitation on how to address suppliers’ security, an adoption of tools and guidance, and at least one person taking control of cybersecurity in a business. We will look at Awareness and Adoption next time, something that will reflect upon some of the findings here.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.