GDPR Compliance Has Helped to Reduce Data Breaches in the UK

The UK government has released the results of its annual Cyber Security Breaches Survey, which shows a fall in the number of cyberattacks experienced by UK businesses and charities. The decline suggests that compliance with the EU General Data Protection Regulation (GDPR) has helped businesses improve their security posture.

The survey was conducted in the final quarter of 2018, when 1,566 UK businesses were asked whether they had experienced any cybersecurity incidents in the previous 12 months. 32% of businesses said they had experienced an attack, down from 43% when the survey was conducted at the end of 2017.

The UK government says complying with GDPR has meant UK businesses have had to formally address cyber risks, improve their policies and procedures, and strengthen cybersecurity protections. The government notes in its report that microbusinesses and charities in particular have taken steps to address cyber risks and, as a result, have experienced fewer data breaches.

30% of businesses and 36% of charities have made cybersecurity changes as a direct result of GDPR. 60% of businesses and charities have created new policies, 11% of businesses and 4% of charities have changed their firewall and/or system configurations, and 6% of businesses and 10% of charities have created new contingency plans. 31% of businesses and 32% of charities have completed cyber risk assessments in the past 12 months, up from 24% and 20% respectively the previous year.

While cyberattacks are down compared to 2017, businesses that have reported attacks say they are occurring more frequently and the cost of dealing with those attacks is increasing. 52% of high-income charities, 60% of medium sized businesses, and 61% of large businesses have experienced cyberattacks in the past 12 months.

Phishing is the most common type of attack: 80% of businesses and 81% of charities that suffered a breach said they had experienced a phishing attack. Email impersonation attacks are also common (28% of businesses/20% of charities), as are malware and ransomware attacks (27% of businesses/18% of charities).

The average annual cost of data and asset losses due to breaches is £4,180 for businesses and £9,470 for charities. The average cost of a breach for a medium-sized business is £9,270 and £22,700 for large businesses.

“Our qualitative findings suggest that GDPR has encouraged and compelled some organisations over the past 12 months to engage formally with cyber security for the first time, and others to strengthen their existing policies and processes,” wrote the UK government in the report, but warned that a lot more still needs to be done to improve cybersecurity and protect against cyber risks.