UK Binary Code (Photo: fredex/Shutterstock.com)

On April 3, the U.K. Department for Digital, Culture, Media and Sport published the Cyber Security Breaches Survey. Only 32% of U.K. businesses contacted for the survey said their data was breached or attacked, a decrease from 2018's 43%. While that 11% decline might seem like a congratulatory statistic, it may underscore a trend of a smaller group of companies being successfully—and more frequently—targeted with cyberattacks.

The report was conducted with 1,500-plus U.K. businesses and 514 U.K. registered charities between October and December 2018. The fourth annual report is the first cybersecurity breach survey conducted after the GDPR went into effect.

The survey didn't provide an exact explanation for the drop in cyberattacks, citing various possibilities, including increased spending on cybersecurity and fewer companies willing to admit a breach occurred in light of the General Data Protection Regulation.

Another possibility is that hackers could be focusing on a narrower set of businesses. The survey found that the 32% who said their company's cybersecurity was attacked faced six median attacks in 2018, compared to the median two attacks in 2017. Notably, information or communications firms organizations accounted for 47% of cybersecurity breaches or attacks in 2018, according to the report.

Dentons London-based partner Simon Elliott said the survey's overall decline in breaches is counter to what he's seen but agreed that hackers might be targeting a narrower scope of companies. “The overall volume is reduced, rather than trying a lot of low-level very unsophisticated phishing attacks,” Elliott said. In turn, targeted organizations are increasing their level of protection and security to block the sophisticated cyberattacks, he said.

Of the 637 breached businesses, the top cyberattacks aimed at them varied from phishing attacks to ransomware. Specifically, 80% of those breached said they were attacked through a fraudulent email or by clicking a link on a fake website. Trailing a distant second were 28% who reported they were victim to someone impersonating an organization through an email or other online communication. Viruses, spyware or malware was the third-most popular type of attack suffered by organizations.

As organizations' data continues to be a target and despite the GDPR's implementation and required protocols, only 16% of businesses and 11% of charities in the U.K. have a formal cybersecurity incident management process, according to the survey.

To be sure, such written policies are only as beneficial as the steps taken by staff to safeguard data.

“I'm not saying policies and procedures aren't useful; they help codify what you do,” said Cripps senior associate Elliot Fry. “Ultimately, it isn't going to change anything if your on the ground practices aren't changing.”

Fry added companies should “have a continuously improving cybersecurity practice and have some dedicated individuals that are keeping aware of progress rather than having a comprehensive paper policy.”

Cyberinsurance also can protect companies after a cyberattack or incident, but according to the survey, only 11% of U.K. companies have such policies.

Dentons' Elliott said organizations are hesitant because they are unsure what will be covered under such plans. “The market hasn't settled on what is covered or what is the depth of coverage for them,” he explained.

Elliott cited a case pending in an Illinois court where U.S. snack-maker Mondelez International is suing its insurance company for $100 million after its claim over a ransomware attack was rejected. The insurance company said the cyberattack was an act of war not covered under its policy.