- Freedom of Information request conducted by SolarWinds examines cyberattack preparedness among NHS, central government, and defence public sector organisations
- Over a third (38 percent) of respondents experienced no cyberattacks in 2018, with the mean reported annual budget for cybersecurity being over £350,000
- Prominent obstacles in maintaining and improving cybersecurity centred on competing priorities, budget constraints, and a lack of manpower
SolarWinds has released the findings of its latest Freedom of Information (FOI) request investigating cybersecurity challenges and preparations in U.K. public sector organisations. While over a third (38 percent) of respondents claimed to have experienced no cyberattacks in 2018, compared to 30 percent who said the same for 2017, there was also an increase in the number of organisations reporting in excess of 1,000 cyberattacks. Eighteen percent of respondents said this was the case in 2018, up from 14 percent in 2017, despite the Minimum Cyber Security Standard being published in June 2018, a guideline that 98 percent of respondents were aware of.
Among respondents who shared the types of attacks their organisation had experienced, the most common were phishing (95 percent) and malware (86 percent), with a large step down to third place, ransomware (54 percent). Malicious targeted attacks either from an insider or from a foreign government were the least common type of attack experienced, with just three percent of respondents affected. This may explain why the most common defences in place were firewalls (98 percent), antivirus software (98 percent), and malware protection (96 percent). However, other critical parts of cybersecurity infrastructure were less pervasive. Under three-quarters of respondents used log management (73 percent) or network traffic analysis (74 percent), both tools which can be useful for monitoring unexpected activity that could be a sign of a cybersecurity weakness.
“While preparation is generally high throughout the public sector, the growth in large numbers of attacks shows that there is still significant risk,” said Sascha Giese, Head Geek™, SolarWinds. “These results highlight the importance of finding simple-to-use, affordable, and scalable security solutions that can work across the varied IT environments like those in the NHS and central government, to ensure the most comprehensive protection available for these vital services.”
Finally, when asked what the biggest roadblocks to maintaining and improving cybersecurity were, the most-cited issues were competing priorities (71 percent), budget constraints (67 percent), and a lack of manpower (59 percent).
In total, 28 central government organisations, 164 NHS trusts and Clinical Commissioning Groups (CCGs), and the MOD responded to the Freedom of Information request. All percentages are based on the number of respondents per question who provided input, rather than the whole sample, as some organisations did not provide answers for every question.
Key Findings
While cyberattacks became less widespread in 2018, more organisations experienced over 1,000 attacks than in the previous year.
- While the overall percentage of public sector respondents who experienced a cyberattack in 2018 compared to 2017 went down (38 percent experienced no cyberattacks in 2018, while 30 percent experienced none in 2017), there were also more organisations that experienced over 1,000 cyberattacks—18 percent in 2018 compared to 14 percent in 2017.
- Most healthcare organisations (74 percent) who provided an answer to how many cyberattacks they experienced in 2017 and 2018 experienced less than 50 cyberattacks in 2018, slightly less than experienced less than 50 in 2017 (75 percent)—this seems somewhat at odds with the fact that the WannaCry outbreak was in 2017, which cost £92m and caused 19,000 appointments to be cancelled, but suggests that the attack may have been a one-off for many.
- 83 percent of government organisations who responded on the subject of cyberattacks in 2018 had experienced in excess of 1,000 attacks in the year. This was up from 67 percent in 2017.
The majority of attacks experienced echoed consumer trends focused on phishing and malware, and protection predominantly consisted of firewalls, antivirus, and malware protection.
- Attacks were predominantly phishing or malware—95 percent of organisations that shared the types of attack they had experienced cited phishing, and 86 percent had experienced malware.
- The least common types of detected attacks or threats according to respondents were from malicious insider threats (three percent) or foreign governments (three percent).
- In terms of defences, firewalls (98 percent), antivirus (98 percent), and malware protection (96 percent) were the three most common solutions deployed. 94 percent also had patch management.
- The least common tools were log management (73 percent) and network traffic analysis (74 percent).
- Nine percent of organisations had not invested in employee training for the whole organisation around cybersecurity, and 15 percent had not invested in additional employee training for the IT team.
- Where respondents knew how much was allocated to cybersecurity defence budgets, most public sector organisations allocated between £100,001 – £500,000 for their cybersecurity budget, with the mean spend being over £350,000.
Limiting factors for cybersecurity maintenance and improvement were centred around resources and meeting competing priorities.
- The main challenge experienced by public sector organisations was competing priorities (71 percent), followed by budget constraints (67 percent). Lack of manpower was third at 59 percent, followed by complexity of the internal environment at 48 percent.
- Budget concerns were more of a problem for healthcare organisations than for central government—68 percent of NHS trusts and CCGs reported budget constraints as an issue, compared to 50 percent of central government respondents.