UK businesses and charities admit to lax cybersecurity amid warnings of Russian attacks
Fewer than three in ten businesses and two in ten charities have a formal cybersecurity policy, despite the escalating risk of online attacks from Russia, the government has said.
A survey for the Department for Digital, Culture, Media and Sport found that 27 per cent of businesses had structured contingency plans, down from 33 per cent in last year’s survey.
Only 67 per cent of businesses and 32 per cent of charities said they spent money on cybersecurity, while a quarter of businesses and half of charities admitted that the issue was not a “high priority” for management.
This month, GCHQ and the US Department of Homeland Security warned that Russia was carrying out a campaign of cyberespionage and infiltration of UK and US government bodies, businesses and homes.
The agencies said that Russia was systematically spying, stealing intellectual property and laying the groundwork for future offensive cyber operations. Hacks on individuals or businesses that are perceived as low-risk may give attackers access to information that can help them to compromise high-value targets.
In the poll by Ipsos Mori and the University of Portsmouth, two-thirds of medium and large businesses identified at least one breach or attack in the last 12 months, which is no lower than the previous year.
The report did not identify the attackers, but many are likely to be cybercriminals outside the UK. In terms of state-sponsored activity, experts have identified China and Iran as serious threats in addition to Russia.
The total proportion of the 1,519 businesses surveyed reporting a breach or attack in the past year was down from 46 per cent in the previous survey to 43 per cent.
Of all businesses, 15 per cent had software or systems corrupted, 10 per cent had their website slowed or taken down and 7 per cent had money, assets or intellectual property stolen. Common attacks involved phishing or more targeted “spearphishing” emails to trick staff into clicking on malicious links.
Fewer than two-thirds of the businesses surveyed were aware of official cyber advice campaigns and some were sceptical of the government’s own expertise in this field.
One business owner said: “I wouldn’t think of the government as being necessarily cybersavvy. Look at the NHS attack. You think the NHS is under the control of the government, so the government can’t be doing its own due diligence.”