2022 Cyber Security Breaches Survey vs ICO Incident Data: What can we learn from the stats?
On March 30, 2022, the Department for Digital, Culture, Media and Sport (DCMS) published its annual Cyber Security Breaches Survey (the “Survey”), the official UK study of cyber resilience. According to the gov.uk website, the Survey is used primarily to inform government cybersecurity policy.
The Survey was conducted by random telephone interview with 1,243 businesses, 424 charities and 420 educational institutions. Divided into seven chapters, it analyses participants’ general approach to cybersecurity, cyber incident handling, general threat awareness and more, and a ‘Key Findings’ chapter summarises the results.
We compared the ‘type of incident’ data from the Survey with the publicly available statistics published by the UK Information Commissioner’s Office (‘ICO’) for the same period (January 1 to December 31, 2021).
Although the number of Survey participants is far lower than the number of organisations with reporting obligations to the ICO under privacy and network security legislation, the proportions of incident types offer valuable insight into the attacks businesses and organisations face day to day. On the other hand, the ICO receives notifications only for personal data breaches that exceed the risk threshold set out in Article 33 of the UK GDPR, so the regulator sees only incidents that resulted in actual or likely risk to individuals.
What do the statistics show?
According to both the Survey and the ICO statistics, phishing is the most common type of cyber incident: nearly 70% of Survey participants reported it, and it accounts for 38% of incidents recorded by the ICO. An unsuccessful phishing attempt is not in itself a data breach, so those reported to the ICO most likely involved unauthorised access to an email or other account (often termed “Business Email Compromise” or “BEC”) that put data subjects at risk. Read together, the figures suggest that over the past year just under 50% of organisations that experienced phishing attempts actually fell victim to one or more of them, resulting in a data breach; combining the ICO’s “phishing” and “unauthorised access” categories pushes that proportion above 50%. Note that the two percentages have different bases (the share of respondents who identified phishing versus the share of notified incidents attributed to phishing), so the ratio is indicative rather than a true conversion rate.
The other curious difference is in the ransomware data. Although ransomware accounts for a large share of the incidents reported to the ICO, it represents less than 4% of the incidents identified in the Survey. It could therefore be concluded that, while the volume of phishing attacks is high and experienced by many organisations, most of them do not result in risk to data subjects or notification to the ICO, whereas ransomware incidents, though far rarer, usually do.
Why is there a difference in the data?
Because they are cheap and easy to mount, phishing attacks (including SMS phishing, or ‘smishing’, and other social engineering scams) are part of the daily reality of most UK organisations. They are also among the most readily mitigated threats, provided organisations invest in staff training and technical controls that reduce the chance of a phishing attempt succeeding. Many organisations across the country have recognised this and run regular training and mock phishing campaigns to keep staff engaged and prepared. While phishing clearly remains the most significant attack vector in reportable data breaches, the relatively low success rate is encouraging. The National Cyber Security Centre (NCSC) recommends a four-layer approach to phishing defences in its guidance ‘Phishing attacks: defending your organisation’.
When it comes to ransomware, the two data sets highlight its relative seriousness: a successful attack can be truly destructive and far more often leads to a regulatory notification, particularly where data is lost because backups were unavailable, or is exfiltrated and published on a ‘name and shame’ leak site on the dark web. The NCSC has published a four-step plan to help organisations prepare for the ransomware threat.
These differences also underscore the importance of not focusing solely on preventing a single attack vector. A balanced approach is needed to counter both attritional, high-volume attacks and rarer but devastating ones.