Skip to main content
main content, press tab to continue
Article

Cyber security breaches: Examining cyber security risks in a turbulent landscape

By Sara Kocylo and Dr. Joanne Cracknell | July 5, 2024

Our Professional Indemnity Insurance for Law Firms team breaks down the latest Department for Science Innovation and Technology (DSIT) annual report and what this means for the legal sector.
|Financial, Executive and Professional Risks (FINEX)
N/A

The cyber security landscape in the United Kingdom (UK) should be an integral focus of any organisation’s strategies, objectives, and budgets regardless of their sector and size, particularly as the UK is the third most targeted country in the world for cyber attacks, after the US and Ukraine. [1]

Necessary steps must be taken to minimise exposure from cyber security breaches as incidents increase year on year; becoming more complex, variable, and sophisticated. The Department for Science Innovation and Technology (DSIT) published its latest annual report in April 2024 [2] following a survey examining the threat of cyber security breaches in businesses, charities, and educational institutions (the DSIT Report). The survey which was conducted from 7 September 2023 to 19 January 2024 involved 2,000 UK businesses, 1,004 UK registered charities and 430 education institutions. [3]

This is the eighth survey of this nature undertaken by the UK Government with the aim of understanding the different cyber security breaches organisations face and the impact of such incidents, particularly as the Government has invested heavily to improve the UK’s resilience to cyber attacks under its Cyber Security Strategy. [4]

The Information Commissioner’s Office (ICO) published a report in May 2024 exploring the cyber security threat to personal information (the ICO Report). [5] The ICO Report explores lessons learned from mistakes made and using case studies concentrating on personal information.  What the ICO Report has identified is that as more of our personal information has transitioned to the digital world, and we adopt and rely upon new technologies to go about our day to day and business lives, cyber threats not only continue to exist but are increasing in volume, sophistication, and severity. This article will summarise the key findings identified in the DSIT Report and analyse the breach statistics published in the latest ICO report.

Findings from the DSIT cyber breach report and common causes

Fraud-UV

Phishing

The DSIT Report shows that the most common cyber security breach affecting 84% of businesses is caused by phishing attacks [6], which are increasing in volume annually. We have seen attacks become more sophisticated as a consequence of technological advancements. Phishing is significantly higher than the other reported causes and should pose a concern to businesses as it is a breach which can be easily prevented as many phishing attacks arise as a consequence of human error caused by a member of staff clicking on a link or opening an attachment.

The DSIT Report stated that during the last 12 months UK businesses experienced in the region of 7.78 million cyber crimes categorised as all types and approximately 116,000 of those were non-phishing cyber crimes. [7] When comparing the latest report with the inaugural study published in 2016 [8] viruses, spyware or malware was the highest cause of cyber security breach at 68%. Phishing was not yet categorised as a common cause of breach.

Phishing attacks if successful can have serious consequences such as business interruption and reputational damage and once cyber threat actors have access to an organisation’s IT system, they will seek to exploit any vulnerabilities in that system in order to gain access to highly sensitive and valuable information. An effective way to reduce risk from phishing attacks is for organisations to reduce their digital footprint and review the information that is placed in the public domain such as on their websites and across social media channels as this can limit the information that cyber threat actors can use to target organisations in phishing campaigns.

Hazard-uv

Business email compromise (BEC)

The next common cause of breach arises from business email compromise. 35% of businesses reported having experienced BEC breaches which is also a form of phishing attack. BECs are social engineering attacks which are tailored to certain individuals within an organisation, often impersonating senior management which can add an air of urgency and legitimacy to the email.

Moneybag-uv

Ransomware

Interestingly, the DSIT Report identified ransomware as one of the least commonly identified types of cyber crime (2% of businesses experienced a ransomware attack), yet the ICO Report states that ransomware continues to be the “most persistent and significant online threat to the UK economy and people”[9]. The ICO Report adds that most ransomware incidents arise as a consequence of poor cyber hygiene rather than sophisticated attacks.

Banknote-uv

The paying of ransoms

There has been concern by regulatory bodies and law enforcement about organisations paying ransoms. The National Cyber Security Centre (NCSC) considers the threat from ransomware attacks to be the key threat facing organisations in the UK with victims facing an extortion threat that their data will published or sold unless a ransom is paid.

The NCSC has partnered with insurance industry bodies ABI, BIBA, IUA to publish guidance for organisations experiencing a ransomware attack in efforts to reduce disruption and costs to businesses, minimise the impact and limit the number of ransoms paid. [10] The guidance can be found here. The NCSC Guidance [11] recommends considering the following key points: -

  • Don’t panic
  • Review alternatives, including not paying
  • Where possible, consult experts
  • Involve the right people across the organisation in decisions, including technical staff
  • Assess the impact
  • Be aware that payment does not guarantee access to your devices or data
  • Consider the correct legal and regulatory practice around payment
  • Know that paying a ransom does not fulfil your regulatory obligations
  • Report the incident to UK authorities

Organisations are urged to consider the correct legal and regulatory practice before paying any ransom and know that paying the ransom does not fulfil any regulatory obligations and will not reduce any penalty imposed by the ICO. Making a payment does not guarantee access to devices or data impacted by the attack and it may result in further attacks as the criminal groups will know that the organisation is willing to pay the ransom. Furthermore, there are legal and ethical issues to consider such as if a ransom payment is made to an entity or area sanctioned by the UK, or the payment may be used to fund further criminal activity.

Siren-uv

Other factors

Another common cause arising from the DSIT Report related to the challenging economic environment. Some of the participants who were interviewed as part of the survey considered the difficult economic conditions to be a contributory factor to the increase in cyber attacks, driving opportunistic cyber criminals to take advantage of the current conditions. It was recognised that in harder economic conditions, greater vigilance and investment by organisations was needed as social engineering attacks were increasing in both number and sophistication.

Summary

What the DSIT Report identifies is that no organisation is immune to cyber security incidents. The types of attacks have not changed since the first publication of the cyber security survey report, yet the volume and sophistication of incidents have. The fallout from a cyber security breach could be catastrophic for an organisation, possibly resulting in the disclosure of confidential and sensitive information, theft of monies, reputational damage, and damage to IT infrastructures. Having a robust cyber security culture embedded in the organisation can minimise the risk from such threats. We continue our discussions on cyber threats to law firms and the knock on implications they can create in our following article, The importance of cyber security awareness and investment in the legal sector.


Contact WTW today

Want to know how WTW can help your organisation mitigates its risks against cyber threats? Speak to us to arrange an introductory conversation to begin the process of securing your cyber security risks.

Footnotes

  1. UK Parliament Committee (2023). How resilient is UK Critical National Infrastructure to cyber-attack? Return to article
  2. Department for Science, Innovation & Technology (2024). Cyber Security Breaches Survey 2024. Return to article
  3. Sole traders and public-sector organisations are not included and were outside the scope of the survey Return to article
  4. National Cyber Security Centre. (2024). Global ransomware threat expected to rise with AI, NCSC warns. Return to article
  5. The Information Commissioner’s Office. (n.d) Learning from the mistakes of others – A retrospective review. Return to article
  6. Department for Science, Innovation & Technology (2024). Cyber Security Breaches Survey 2024. Return to article
  7. Department for Science, Innovation & Technology (2024). Cyber Security Breaches Survey 2024. Return to article
  8. Department for Culture, Media and Sport (2017). Cyber Security Breaches Survey 2017. Return to article
  9. The Information Commissioner’s Office. (n.d) Learning from the mistakes of others – A retrospective review. Return to article
  10. National Cyber Security Centre. (n.d). Guidance for organisations considering payment in ransomware incidents. Return to article
  11. National Cyber Security Centre. (n.d). Guidance for organisations considering payment in ransomware incidents. Return to article
Authors

PI FINEX
email Email

Director - PI FINEX Legal Services

Contact

Head of Legal Services - PI FINEX

SERVICE

Professional Indemnity Insurance for Law Firms

Act today by entrusting a PII broker that not only has access to a large portfolio of insurers in the market but also the risk management capabilities to ensure you are paying the correct premium

Contact us