IT management software company SolarWinds today released the findings of its latest Freedom of Information (FOI) request investigating cybersecurity challenges and preparations in UK public sector organisations.
While over a third (38%) of respondents claimed to have experienced no cyber attacks in 2018, compared to 30% who said the same for 2017, there was also an increase in the number of organisations reporting in excess of 1,000 cyber attacks.
Eighteen percent of respondents said this was the case in 2018, up from 14% in 2017, despite the Minimum Cyber Security Standard being published in June 2018, a guideline that 98% of respondents were aware of.
Among respondents who shared the types of attacks their organisation had experienced, the most common were phishing (95%) and malware (86%), with a large step down to third place, ransomware (54%).
Malicious targeted attacks either from an insider or from a foreign government were the least common type of attack experienced, with just three percent of respondents affected.
This may explain why the most common defences in place were firewalls (98%), antivirus software (98%), and malware protection (96%).
However, other critical parts of cybersecurity infrastructure were less pervasive.
Under three-quarters of respondents used log management (73%) or network traffic analysis (74%), both tools which can be useful for monitoring unexpected activity that could be a sign of a cybersecurity weakness.
''While preparation is generally high throughout the public sector, the growth in large numbers of attacks shows that there is still a significant risk,'' says SolarWinds head geek Sascha Giese.
''These results highlight the importance of finding simple-to-use, affordable, and scalable security solutions that can work across the varied IT environments like those in the NHS and central government, to ensure the most comprehensive protection available for these vital services.''
Finally, when asked what the biggest roadblocks to maintaining and improving cybersecurity were, the most-cited issues were competing priorities (71%), budget constraints (67%), and a lack of manpower (59%).
In total, 28 central government organisations, 164 NHS trusts and Clinical Commissioning Groups (CCGs), and the MOD responded to the Freedom of Information request.
All percentages are based on the number of respondents per question who provided input, rather than the whole sample, as some organisations did not provide answers for every question.Key Findings
While cyber attacks became less widespread in 2018, more organisations experienced over 1,000 attacks than in the previous year.
- While the overall percentage of public sector respondents who experienced a cyber attack in 2018 compared to 2017 went down (38% experienced no cyber attacks in 2018, while 30% experienced none in 2017), there were also more organisations that experienced over 1,000 cyber attacks - 18% in 2018 compared to 14% in 2017.
- Most healthcare organisations (74%) who provided an answer to how many cyber attacks they experienced in 2017 and 2018 experienced less than 50 cyber attacks in 2018, slightly less than experienced less than 50 in 2017 (75%) - this seems somewhat at odds with the fact that the WannaCry outbreak was in 2017, which cost 92million and caused 19,000 appointments to be cancelled, but suggests that the attack may have been a one-off for many.
- 83% of government organisations who responded on the subject of cyber attacks in 2018 had experienced in excess of 1,000 attacks in the year. This was up from 67% in 2017.
The majority of attacks experienced echoed consumer trends focused on phishing and malware, and protection predominantly consisted of firewalls, antivirus, and malware protection.
- Attacks were predominantly phishing or malware - 95% of organisations that shared the types of attack they had experienced cited phishing, and 86% had experienced malware.
- The least common types of detected attacks or threats according to respondents were from malicious insider threats (three percent) or foreign governments (three percent).
- In terms of defences, firewalls (98%), antivirus (98%), and malware protection (96%) were the three most common solutions deployed. 94% also had patch management.
- The least common tools were log management (73%) and network traffic analysis (74%).
- Nine percent of organisations had not invested in employee training for the whole organisation around cybersecurity, and 15% had not invested in additional employee training for the IT team.
- Where respondents knew how much was allocated to cybersecurity defence budgets, most public sector organisations allocated between $100,001 - $500,000 for their cybersecurity budget, with the mean spend being over $350,000
Limiting factors for cybersecurity maintenance and improvement were centred around resources and meeting competing priorities.
- The main challenge experienced by public sector organisations was competing priorities (71%), followed by budget constraints (67%). Lack of manpower was third at 59%, followed by complexity of the internal environment at 48%.
- Budget concerns were more of a problem for healthcare organisations than for central government -68% of NHS trusts and CCGs reported budget constraints as an issue, compared to 50% of central government respondents.