UK Breaches Drop, While Scope of Targets May Be Narrowing
Don't breathe a sigh of relief yet. While a U.K. survey found fewer businesses are reporting breaches, that decline could be prefaced by cyberattackers successfully—and more frequently—targeting a smaller group of organizations.
April 16, 2019 at 11:30 AM
4 minute read
The original version of this story was published on Legal Tech News
On April 3, the U.K. Department for Digital, Culture, Media and Sport published the Cyber Security Breaches Survey. Only 32 percent of U.K. businesses contacted for the survey said their data was breached or attacked, a decrease from 2018's 43 percent. While that 11 percent decline might seem like a congratulatory statistic, it may underscore a trend of a smaller group of companies being successfully – and more frequently – targeted with cyberattacks.
The report was conducted with 1,500-plus U.K. businesses and 514 U.K. registered charities between October and December 2018. The fourth annual report is the first cybersecurity breach survey conducted after the General Data Protection Regulation (GDPR) came into effect.
The survey didn't provide an exact explanation for the drop in cyberattacks, citing various possibilities, including increased spending on cybersecurity and fewer companies willing to admit a breach occurred in light of the GDPR.
Another possibility is that hackers could be focusing on a narrower set of businesses. The survey found that the 32 percent who said their company's cybersecurity was attacked faced a median of six attacks in 2018, compared to the median two attacks in 2017. Notably, information or communications firms accounted for 47 percent of cybersecurity breaches or attacks in 2018, according to the report.
Dentons' London-based partner Simon Elliott said the survey's overall decline in breaches is counter to what he's seen but agreed that hackers might be targeting a narrower scope of companies. "The overall volume is reduced, rather than trying a lot of low-level very unsophisticated phishing attacks," Elliott said. In turn, targeted organisations are increasing their level of protection and security to block the sophisticated cyberattacks, he said.
Of the 637 breached businesses, the top cyberattacks aimed at them varied from phishing attacks to ransomware. Specifically, 80 percent of those breached said they were attacked through a fraudulent email or by clicking a link on a fake website. Trailing a distant second were the 28 percent that reported they were victim to someone impersonating an organisation through an email or other online communication. Viruses, spyware or malware constituted the third-most popular type of attack suffered by organisations.
As organisations' data continues to be a target and despite the GDPR's implementation and required protocols, only 16 percent of businesses and 11 percent of charities in the U.K. have a formal cybersecurity incident management process, according to the survey.
To be sure, such written policies are only as beneficial as the steps taken by staff to safeguard data.
"I'm not saying policies and procedures aren't useful; they help codify what you do," said Cripps senior associate Elliot Fry. "Ultimately, it isn't going to change anything if your on-the-ground practices aren't changing."
Fry added companies should "have a continuously improving cybersecurity practice and have some dedicated individuals that are keeping aware of progress rather than having a comprehensive paper policy".
Cyber insurance also can protect companies after a cyberattack or incident, but according to the survey, only 11 percent of U.K. companies have such policies.
Dechert's Elliott said organisations are hesitant because they are unsure what will be covered under such plans. "The market hasn't settled on what is covered or what is the depth of coverage for them," he explained.
Elliott cited a case pending in an Illinois court where U.S. snack-maker Mondelez International is suing its insurance company for $100 million after its claim over a ransomware attack was rejected. The insurance company said the cyberattack was an act of war not covered under its policy.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Dechert partners Andrew J. Levander, Angela M. Liu and Neil A. Steiner have stepped in to defend Arbor Realty Trust and certain executives in a pending securities class action. The complaint, filed July 31 in New York Eastern District Court by Levi & Korsinsky, contends that the defendants concealed a 'toxic' mobile home portfolio, vastly overstated collateral in regards to the company's loans and failed to disclose an investigation of the company by the FBI. The case, assigned to U.S. District Judge Pamela K. Chen, is 1:24-cv-05347, Martin v. Arbor Realty Trust, Inc. et al.
Who Got The Work
Arthur G. Jakoby, Ryan Feeney and Maxim M.L. Nowak from Herrick Feinstein have stepped in to defend Charles Dilluvio and Seacor Capital in a pending securities lawsuit. The complaint, filed Sept. 30 in New York Southern District Court by the Securities and Exchange Commission, accuses the defendants of using consulting agreements, attorney opinion letters and other mechanisms to skirt regulations limiting stock sales by affiliate companies and allowing the defendants to unlawfully profit from sales of Enzolytics stock. The case, assigned to U.S. District Judge Andrew L. Carter Jr., is 1:24-cv-07362, Securities and Exchange Commission v. Zhabilov et al.
Who Got The Work
Clark Hill members Vincent Roskovensky and Kevin B. Watson have entered appearances for Architectural Steel and Associated Products in a pending environmental lawsuit. The complaint, filed Aug. 27 in Pennsylvania Eastern District Court by Brodsky & Smith on behalf of Hung Trinh, accuses the defendant of discharging polluted stormwater from its steel facility without a permit in violation of the Clean Water Act. The case, assigned to U.S. District Judge Gerald J. Pappert, is 2:24-cv-04490, Trinh v. Architectural Steel And Associated Products, Inc.
Who Got The Work
Michael R. Yellin of Cole Schotz has entered an appearance for S2 d/b/a the Shoe Surgeon, Dominic Chambrone a/k/a Dominic Ciambrone and other defendants in a pending trademark infringement lawsuit. The case, filed July 15 in New York Southern District Court by DLA Piper on behalf of Nike, seeks to enjoin Ciambrone and the other defendants in their attempts to build an 'entire multifaceted' retail empire through their unauthorized use of Nike’s trademark rights. The case, assigned to U.S. District Judge Naomi Reice Buchwald, is 1:24-cv-05307, Nike Inc. v. S2, Inc. et al.
Who Got The Work
Sullivan & Cromwell partner Adam S. Paris has entered an appearance for Orthofix Medical in a pending securities class action arising from a proposed acquisition of SeaSpine by Orthofix. The suit, filed Sept. 6 in California Southern District Court, by Girard Sharp and the Hall Firm, contends that the offering materials and related oral communications contained untrue statements of material fact. According to the complaint, the defendants made a series of misrepresentations about Orthofix’s disclosure controls and internal controls over financial reporting and ethical compliance. The case, assigned to U.S. District Judge Linda Lopez, is 3:24-cv-01593, O'Hara v. Orthofix Medical Inc. et al.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250