72% of UK firms suffer fraudulent emails based on cyber security breaches survey

computer data — A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. Reuters/Kacper Pempel

The Department of Culture Media & Sport has released a cyber security breaches survey showing the risks that UK firms faced in 2016. There were 1,523 businesses that participated in a telephone survey while 30 businesses undertaken in-depth interviews. The result showed that 72 percent of the businesses suffered fraudulent emails.

According to the report, business suffered from four types of breaches including fraudulent emails (72 percent), viruses, spyware and malware (33 percent), people impersonating the organisation in emails or online (27 percent) and ransomware (17 percent). When a single breach or attack was considered, it still showed that phishing emails or websites have caused the most disruption to the business. The breaches could be linked to human factors including clicking on a malicious link or succumbing to impersonation.

Several occurrences of the breaches were also surveyed showing that 37 percent of all businesses has a one-off occurrence. However, it also showed that six percent of the businesses experienced it regularly while seven percent experienced it several times a day. For the accompanying qualitative survey, it showed that one large wholesale business that participated in the survey reported receiving approximately 340,000 phishing emails in 2016.

In the last 12 months, the report showed that 19 percent of the business that experienced at least one breach say that they have experienced material loss. The outcome showed that 23 percent experienced temporary loss of access to files or networks while 20 percent experienced their systems or software becoming corrupt or damaged.

Based on the report, businesses revealed that they identified an impact on the breaches that their company experienced. It showed that 57 percent of businesses needed to take measures for future attacks. It also showed that 34 percent should add staff time to deal with a breach or inform others while 23 percent should stop staff carrying out daily work.

When it comes to assessing cost, it was very uncommon for businesses to monitor the financial cost of cyber security breaches. The report revealed that only six percent of the businesses have anything in place to monitor or estimate the financial cost of breaches. It showed that the average cost per attack was £1,570 (AU$2673) for all companies while it cost £19,600 (AU$32,360) for large companies.

Direct cost, the cost of recovery and the long-term cost was also considered in the survey. Direct costs included the costs from lost, damaged or stolen outputs, data or assets. It also included cost from staff being prevented from carrying out their work and lost revenue if customers could not access online services. The recovery costs included additional staff time needed to deal with the breach or to inform stakeholders or customers and cost to repair infrastructure and equipment. The long-term cost of breaches included the loss of investors or funding, the loss of share value, the cost of handling customer complaints and the long-term loss of customers.