益普索（Ipsos）：2020年英國企業和慈善機構網絡安全違規調查統計報告（英文版）（58頁）.pdf

1、 Cyber Security Breaches Survey 2020 The Cyber Security Breaches Survey is a quantitative and qualitative study of UK businesses and charities. It helps these organisations to understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It

2、 also supports the government to shape future policy in this area. For this latest release, the quantitative survey was carried out in winter 2019 and the qualitative element in early 2020. Responsible analyst: Emma Johns 07990602870 Statistical enquiries: cyber.surveyculture.gov.uk DCMSinsight Gene

3、ral enquiries: enquiriesculture.gov.uk Media enquiries: 020 7211 2210 Correction note: This publication was updated on 18 June 2020 to include the percentage of charities that reported their most disruptive breach to senior management (59%) on page 48. Department for Digital, Culture, Media and Spor

4、t Cyber Security Breaches Survey 2020: Statistical Release Contents Summary . 1 Chapter 1: Introduction. 4 1.1 Code of practice for statistics . 4 1.2 Background . 4 1.3 Methodology . 4 1.4 Changes since the 2019 survey . 5 1.5 Interpretation of findings . 5 1.6 Acknowledgements. 6 Chapter 2: Profil

5、ing UK businesses and charities . 7 2.1 The digital footprint of different organisations . 7 2.2 Use of industrial control systems . 8 2.3 Use of personal devices . 8 Chapter 3: Awareness and attitudes . 10 3.1 Perceived importance of cyber security . 10 3.2 Involvement of senior management . 11 3.3

6、 Drivers of attitudinal and behaviour change . 13 3.4 Sources of information . 14 Chapter 4: Approaches to cyber security . 19 4.1 Identifying, managing and minimising cyber risks . 19 4.2 Insurance against cyber security breaches . 24 4.3 Technical cyber security controls . 26 4.4 Staffing and outs

7、ourcing . 28 4.5 Cyber security policies and other documentation . 30 4.6 Implementing government initiatives. 32 Chapter 5: Incidence and impact of breaches or attacks . 35 5.1 Experience of breaches or attacks . 35 5.2 The breaches and attacks considered most disruptive . 37 5.3 Frequency of breac

8、hes or attacks . 38 5.4 How are businesses affected? . 39 5.5 Financial cost of breaches or attacks . 43 Chapter 6: Dealing with breaches or attacks . 47 6.1 Identifying and responding to breaches or attacks . 47 6.2 Reporting breaches or attacks . 48 6.3 Actions taken to prevent future breaches or

9、attacks . 50 Chapter 7: Conclusions . 52 Annex A: Further information . 53 Annex B: Guide to statistical reliability . 54 Department for Digital, Culture, Media and Sport 1 Cyber Security Breaches Survey 2020: Statistical Release Summary The extent of cyber security threats has not diminished. In fa

10、ct, this survey, the fifth in the series, shows that cyber attacks have evolved and become more frequent. Almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium business

11、es (68%), large businesses (75%) and high-income charities (57%).1 The business findings are in line with those in 2017 (when the question was first asked). The charity findings show a rising incidence, from 19 per cent in 2018 (when charities were first surveyed) and 22 per cent in 2019, to 26 per

12、cent in 2020. This may mean that more charities are being targeted but could also mean that they are better at identifying breaches than before. Among this 46 per cent of businesses that identify breaches or attacks, more are experiencing these issues at least once a week in 2020 (32%, vs. 22% in 20

13、17). There is a similar pattern over time for charities, although the changes across years are not statistically significant. In 2020, a fifth of these charities (22%) say they experience breaches at least once a week. The nature of cyber attacks has also changed since 2017. Over this period, there

14、has been, among those identifying any breaches or attacks, a rise in businesses experiencing phishing attacks (from 72% to 86%), and a fall in viruses or other malware (from 33% to 16%). Organisations have become more resilient to breaches and attacks over time. They are less likely to report negati

15、ve outcomes or impacts from breaches, and more likely to make a faster recovery. However, breaches that do result in negative outcomes still incur substantial costs. Among the 46 per cent of businesses that identify breaches or attacks, one in five (19%) have experienced a material outcome, losing m

16、oney or data. Two in five (39%) were negatively impacted, for example requiring new measures, having staff time diverted or causing wider business disruption. Similarly, among the 26 per cent of charities reporting breaches or attacks, a quarter (25%) had material outcomes and over half (56%) were n

17、egatively impacted. Since 2017, the proportion of these businesses listing any outcome has fallen by 19 percentage points and the proportion being negatively impacted has fallen by 18 percentage points. For charities, there is also a downward trend for each of these measures since 2018 although the

18、changes are not statistically significant. It is also more common for businesses to immediately recover from breaches or attacks in 2020 than in 2017 (72% vs. 57%). Where businesses have faced breaches with material outcomes, the average (mean) cost of all the cyber security breaches these businesse

19、s have experienced in the past 12 months is estimated to be 3,230. For medium and large firms, this average cost is higher, at 5,220. Over the last five years, there has been greater board engagement in cyber security and increased action to identify and manage cyber risks. These improvements may un

20、derpin the fact that organisations have become more resilient. Board engagement has increased over time among both businesses and charities: Eight in ten businesses say that cyber security is a high priority for their senior management boards (80%, up from 69% in 2016). Three-quarters of charities s

21、ay this about their senior management (74%, up from 53% in 2018). 1 For businesses, analysis by size splits the population into micro businesses (1 to 9 employees), small businesses (10 to 49 employees), medium businesses (50 to 249 employees) and large businesses (250 employees or more). For charit

22、ies, we look at annual income bands, with high income being 500,000 or more. Department for Digital, Culture, Media and Sport 2 Cyber Security Breaches Survey 2020: Statistical Release Half of businesses (51%) and four in ten charities (38%) update their senior management on cyber security at least

23、quarterly. The proportions that say they never update them have steadily declined, both for businesses (from 26% in 2016 to 17% in 2020) and charities (from 38% in 2018 to 12% in 2020). Around two-fifths of businesses have board members with a cyber security brief (37%, up from 28% in 2016). Over tw

24、o-fifths of charities have responsible board members or trustees (45%, up from 24% in 2018). Improvements over time, in terms of identifying and managing risks, include: more businesses seeking out information and guidance (54%, vs. 44% in 2016) more businesses (35%, vs. 23% in 2016) and charities (

25、37%, vs. 20% in 2018) carrying out cyber security risk assessments more businesses (43%, vs. 34% in 2016) and charities (53%, vs. 38% in 2018) having staff whose job role includes information security and governance more businesses (38%, vs. 29% in 2016) and charities (42%, vs. 21% in 2018) having w

26、ritten cyber security policies more businesses (69%, vs. 58% in 2018 when this was first asked) and charities (61%, vs. 32% in 2018) backing up their data on cloud servers. Across all these findings, organisations appear to have maintained, but not necessarily enhanced, the technical controls and go

27、vernance processes they introduced for the General Data Protection Regulation (GDPR). While the overall trends since 2016 are positive and significant, the changes since the 2019 survey specifically are relatively modest. However, there is still more that organisations might do on a range of diverse

28、 topics such as audits, cyber insurance, supplier risks and breach reporting. Organisations may be confused about how they should be considering these topics and what best practice is. Half of businesses (50%) and charities (49%) say they have carried out an internal or external audit in the last 12

29、 months. However, our qualitative research indicates that the quality of these audits varies greatly. In some cases, external audits were broader financial audits that covered aspects of cyber security but did not focus on the topic. A minority of organisations: report being insured against cyber ri

30、sks (32% of businesses and 31% of charities) have reviewed the cyber security risks presented by suppliers (15% of all businesses, 43% of large businesses specifically, and 13% of charities) have reported cyber security breaches to anyone beyond their IT or cyber security providers (27% of businesse

31、s and 38% of charities, among those that identified any breaches or attacks). The qualitative research also suggests that current communications, both around supplier risks and reporting of breaches, can be confusing for organisations. Some interviewees considered supplier risks only in terms of IT

32、providers, internet service providers and other digital service providers not wider non-digital service suppliers. On the other hand, for charities, the term “supplier risks” can be too narrow, as it does not encompass the wider network of partner organisations that they interact with digitally. Rep

33、orting meant different things in different contexts reporting to IT or cyber security providers as part of incident response, reporting financial losses to banks and insurance companies, public declarations to customers or suppliers, or reporting to wider authorities. Organisations were also unclear

34、 on who to report to, and the impact of reporting. Department for Digital, Culture, Media and Sport 3 Cyber Security Breaches Survey 2020: Statistical Release Finally, our findings also highlight opportunities and channels to spread good practice. In the qualitative interviews, banks, insurance comp

35、anies and accountants often played a major role in guiding organisations on cyber security. We also found that organisations are often primed to think about cyber security during financial audits, when filing tax returns, in meetings with insurance brokers and when undergoing broader technological c

36、hanges, for example upgrades to operating system or moving to a cloud server. Department for Digital, Culture, Media and Sport 4 Cyber Security Breaches Survey 2020: Statistical Release Chapter 1: Introduction 1.1 Code of practice for statistics The Cyber Security Breaches Survey is an official stat

37、istic and has been produced to the standards set out in the Code of Practice for Statistics. 1.2 Background Publication date: March 2020 Geographic coverage: United Kingdom The Department for Digital, Culture, Media and Sport (DCMS) commissioned the Cyber Security Breaches Survey of UK businesses an

38、d charities as part of the National Cyber Security Programme. The findings help these organisations to understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the Government to shape future policy in this area, in lin

39、e with the National Cyber Security Strategy 20162021. The latest survey was carried out by Ipsos MORI. It covers: awareness and attitudes towards cyber security approaches to cyber security, including the technical and governance processes that organisations have in place to identify and manage cybe

40、r risks the nature and impact (including estimated costs) of cyber security breaches differences by size and sector. This 2020 publication follows previous surveys in this series, published annually since 2016. In each publication year, the quantitative fieldwork has taken place in the winter of the preceding year (for example, in winter 2019, for this latest survey). 1.3 Methodology As in previous years, there were two strands to the Cyber Security Breaches Survey: We undertook a random probability telephone survey of 1,348 UK businesses and