Has UK Cyber-Resilience Plateaued?
All businesses should aspire to be more cyber-resilient. This means they’re more capable of defending against and surviving an attack and recovering when an incident occurs. However, measuring cyber resilience can be a challenge. That’s where the government’s Cyber Security Longitudinal Survey comes in.
Released earlier this year, it finds that organisations have barely improved their cyber resilience compared to surveys conducted in previous years. A lack of interest in Cyber Essentials and ISO 27001 is particularly concerning.
Resilience Remains Stable
The key feature of this survey is that it tracks the same 1000 businesses in each annual “wave” it conducts, so progress over time can be gauged among medium- and large-sized British firms. This latest wave (three) finds that cyber-resilience has largely remained stable despite a likely change in budgets and priorities in the wake of the pandemic.
On the policy side, there has been a slight increase in the number of businesses that have put together a business continuity plan that covers cybersecurity (76% versus 69% two years ago), a written list of their company’s vulnerabilities (61% versus 54%), a written incident response process (59% versus 51%), and a cyber-insurance policy (79% versus 66%).
Despite these marginal improvements, Brian Honan, CEO of BH Consulting, argues that the stats cannot be taken as indicators of a company’s cybersecurity resilience.
“Many of those items are now being stated as minimum requirements for companies wishing to take out cyber insurance,” he tells ISMS.online.
He adds that many businesses still do not see cybersecurity as a critical business risk but rather an IT problem.
“The sooner businesses better understand how much they rely on their IT systems, the internet, and the data they have, the sooner they will realise that cybersecurity should be treated and managed as a critical business risk,” he argues.
Simon Newman, CEO of the Cyber Resilience Centre, tells ISMS.online that he still sees many businesses struggle with even basic cyber-hygiene.
“One of the main reasons is a perceived lack of skill or knowledge, but we also know that there is a real challenge in getting them to understand the threat in the first place,” he argues.
In particular, he has seen businesses think it is best to wait for a few weeks before updating their software, as they “hear stories” about new updates causing issues.
Honan adds that to strengthen cyber posture, organisations should base their cybersecurity strategy on a comprehensive cyber risk program with a mature level of processes and procedures, and comprehensive buy-in and leadership from senior management.
Are Bosses Aware?
The longitudinal survey finds that 55% of businesses now have a board member whose role includes oversight of cybersecurity risks. There has also been an increase in the share of businesses reporting that their board discusses cybersecurity – 43% this year, up from 37% in Wave One.
Honan says boards and senior management need to understand that an ever-increasing volume of regulations around cyber, data protection, AI and the Internet of Things – both in the UK and in the EU – are increasing accountability for cybersecurity at the senior management and board level.
Trust the Process
Unfortunately, compliance with best practice standards and frameworks appears to be stalling. The survey reveals that only 38% of businesses are now following the best practice advice in Cyber Essentials (either the Standard or Plus certification) or ISO 27001. The Cyber Resilience Centre’s Newman says these options can be helpful, but there is often the challenge of what he calls an “uninformed customer”, where users don’t know where to go for technical expertise.
Newman adds that awareness and uptake of Cyber Essentials remain too low—particularly among smaller businesses, which don’t necessarily see the value in following it. Others do it only to meet contract requirements. He claims part of the problem is the government’s inability to promote the value of Cyber Essentials and best practice advice from the National Cyber Security Centre (NCSC).
Newman argues that cost is also an issue, with bolt-ons often bringing the total outlay for Cyber Essentials up to £1000. Although most organisations have implemented the controls required to attain Cyber Essentials, many have not actually gained full accreditation, according to the survey.
With a Little Help
This year’s survey found only 19% are complying with the ISO 27001 standard – little changed from Wave One (15%). That seems at odds with the survey’s suggestion that “findings from the qualitative interviews suggest the ISO 27001 certification is considered by businesses to be the most robust and substantive accreditation available.”
BH Consulting’s Honan argues that many organisations consider ISO 27001 too onerous or costly to achieve and maintain.
“So while many businesses may use ISO 27001 as a framework upon which to build their cybersecurity program, not all of them may take the next step to seek certification to the standard,” he says.
Achieving certification and maintaining compliance can take time, money and resources, although third-party compliance specialists can streamline the process significantly through digital tools.
Being certified to a standard such as ISO 27001 allows an organisation to demonstrate to key stakeholders such as the board, senior management, clients and regulators that it is following industry-recognised cybersecurity best practices.
Could AI help these firms accelerate their compliance journey? Honan says the key to ISO 27001, and indeed to many current cyber regulations, is to take a risk-based approach to security.
“As such, to make ISO 27001 applicable to your organisation it needs to focus on the requirements of the business,” he says. “While templated documents and even AI may help in developing your ISO 27001 project, I would be careful to ensure that the results of these tools are not too generic for your business.”