The UK government’s Cyber Security Breaches Survey: 2017, released this week, demonstrates relative weaknesses in the retail sector when it comes to cyber-attack vulnerability.
According to the report, only 33% of retail executives strongly agree that their core staff take cyber security seriously in their day-to-day work. Across other business sectors, this figure stands at 38%.
The researchers also found that in the retail and wholesale sectors, the percentage of respondents who strongly agreed that wider core staff tend to take cyber security seriously was less than the percentage who thought that cyber security was a very high priority for senior managers. In every other sector the reverse was the case.
The average investment in cyber security in the retail sector is only £2,430, according to the survey, much lower than in the administration and real estate, or transport and storage sectors, for example, where the mean figures were around £6,000. Obviously the large number of small retailers will have dragged the average figure downwards. For large companies in general the spend is put at £387,000.
The survey found that relatively few businesses were making use of government resources for advice on cyber security. Awareness of government recommendations in the Cyber Essentials scheme, for example, was low. However, businesses that were making use of these resources were usually finding them useful.
A perceived need for more guidance on cyber security is apparent from the finding that 33% of businesses think there is conflicting advice, although 36% disagreed. These proportions held across size bands and sectors.
Among businesses that had actively sought advice, a slightly higher proportion thought the advice was conflicting. Respondents who were IT specialists agreed that there was inevitably a conflicting view over technical aspects, although basic advice for the general user was consistent.
Many findings in the report will be familiar, particularly to large retailers. It will come as no surprise that more than two thirds of UK businesses identified a cyber-breach or attack during the past 12 months, or that businesses holding electronic personal data on customers were much more likely to suffer cyber-breaches than those that do not (51 per cent compared to 37 per cent).
In fact the proportion of businesses with a ‘cyber breach’ in the sense of having active malware on their systems is likely to be even higher. The survey included all such intrusions as breaches, not just “material” breaches where systems were shut down or damaged, or data were known to be stolen.
The most common breaches or attacks found in the survey were via fraudulent emails – for example coaxing staff into revealing passwords or financial information, or opening dangerous attachments – followed by viruses and malware, such as people impersonating the organisation online and ransomware.
The authors suggest the vast majority of these breaches or attacks could have been prevented using the Cyber Essentials scheme.
The systems integrator World Wide Technology highlighted the survey’s finding that 46 per cent of UK businesses are exposed to the security risks of BYOD (‘Bring Your Own Device’ working), rising to 57 per cent in web-orientated firms.
Mike McGlynn, Vice President, Security Solutions at World Wide Technology, commented: “The range of devices being exposed to the internet are usually not known for having mature security software, and are often in a vulnerable state. Even their manufacturers may not be in a position to regularly patch software in order to protect against online threats, let alone the enterprises that adopt these devices.
“The device management task involved in some IoT projects is on a scale unlike anything most retailers’ networks have tackled so far.
“Currently, most device management applications are designed for tablets and smartphones which have much more predictable behaviour. They now suddenly have to deal with the number and variety of devices being connected: a smart building initiative, which uses sensors in one fixed location, creates a very different security challenge than a global supply chain project.
“Bring Your Own Device has certainly proved a challenge for many organisations, but the predicted explosion of connected devices – to reach 20.8 billion globally by 2020 – means that retail businesses must take a holistic approach to cybersecurity which prepares them to resist attacks at the endpoint, network, cloud, and application layers.”