UK Binary Code (Photo: fredex/Shutterstock.com)

On April 3, the U.K. Department for Digital, Culture, Media and Sport published the Cyber Security Breaches Survey. Only 32 percent of U.K. businesses contacted for the survey said their data was breached or attacked, a decrease from 2018's 43 percent. While that 11 percent decline might seem like a congratulatory statistic, it may underscore a trend of a smaller group of companies being successfully – and more frequently – targeted with cyberattacks.

The report was conducted with 1,500-plus U.K. businesses and 514 U.K. registered charities between October and December 2018. The fourth annual report is the first cybersecurity breach survey conducted after the General Data Protection Regulation (GDPR) came into effect.

The survey didn't provide an exact explanation for the drop in cyberattacks, citing various possibilities, including increased spending on cybersecurity and fewer companies willing to admit a breach occurred in light of the GDPR.

Another possibility is that hackers could be focusing on a narrower set of businesses. The survey found that the 32 percent who said their company's cybersecurity was attacked faced a median of six attacks in 2018, compared to the median two attacks in 2017. Notably, information or communications firms accounted for 47 percent of cybersecurity breaches or attacks in 2018, according to the report.

Dentons' London-based partner Simon Elliott said the survey's overall decline in breaches is counter to what he's seen but agreed that hackers might be targeting a narrower scope of companies. "The overall volume is reduced, rather than trying a lot of low-level very unsophisticated phishing attacks," Elliott said. In turn, targeted organisations are increasing their level of protection and security to block the sophisticated cyberattacks, he said.

Of the 637 breached businesses, the top cyberattacks aimed at them varied from phishing attacks to ransomware. Specifically, 80 percent of those breached said they were attacked through a fraudulent email or by clicking a link on a fake website. Trailing a distant second were the 28 percent that reported they were victim to someone impersonating an organisation through an email or other online communication. Viruses, spyware or malware constituted the third-most popular type of attack suffered by organisations.

As organisations' data continues to be a target and despite the GDPR's implementation and required protocols, only 16 percent of businesses and 11 percent of charities in the U.K. have a formal cybersecurity incident management process, according to the survey.

To be sure, such written policies are only as beneficial as the steps taken by staff to safeguard data.

"I'm not saying policies and procedures aren't useful; they help codify what you do," said Cripps senior associate Elliot Fry. "Ultimately, it isn't going to change anything if your on-the-ground practices aren't changing."

Fry added companies should "have a continuously improving cybersecurity practice and have some dedicated individuals that are keeping aware of progress rather than having a comprehensive paper policy".

Cyber insurance also can protect companies after a cyberattack or incident, but according to the survey, only 11 percent of U.K. companies have such policies.

Dechert's Elliott said organisations are hesitant because they are unsure what will be covered under such plans. "The market hasn't settled on what is covered or what is the depth of coverage for them," he explained.

Elliott cited a case pending in an Illinois court where U.S. snack-maker Mondelez International is suing its insurance company for $100 million after its claim over a ransomware attack was rejected. The insurance company said the cyberattack was an act of war not covered under its policy.