Digital Economy Business Survey 2017

Cyber Security

Digital technologies bring enormous opportunities for businesses, but they also bring new threats and vulnerabilities that we must manage safely. The National Crime Agency describes the cyber threat as a "major and growing threat" to businesses ^[4] . It assesses that the cost of cybercrime to the UK economy is billions of pounds per annum, and that the accelerating pace of technology and criminal cyber capability development currently outpaces our collective response to cybercrime.

Scotland's Digital Strategy makes clear that businesses operating in the online world must view cyber resilience as a fundamental enabler to their digital ambitions. Scotland's cyber resilience strategy, " Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland", published in 2015, sets an ambition for Scotland to become a world leading nation in cyber resilience by 2020, with a global reputation for being a secure place to work, learn and do business.

The Programme for Government in September 2017 sets out a commitment to develop and implement a range of action plans in respect of cyber resilience for the public, private and third sectors, as well as for learning and skills and for economic opportunity.

This section looks at the extent to which the cyber security skills required by business are readily available in the workplace, and the technical controls and accreditation that are in place within businesses to ensure they are digitally secure.

Figure 7: Extent to which the organisation feels equipped with the relevant skills to protect against and deal with cyber-security threats (%)
Base: All businesses (3,258)

Cyber-security skills (see Figure 7)

• Amongst all organisations surveyed, 49 per cent were responsible for managing their own IT infrastructure and systems, while 34 per cent did not manage any of their own IT infrastructure and systems.
• 30 per cent felt that they were fully equipped with the relevant skills to protect against and deal with cyber security threats.
• 19 per cent of businesses felt that they were poorly, or not at all, equipped with the relevant skills to protect against and deal with cyber security threats.

Figure 8: Technical controls applied by businesses (%)
Base: All businesses (3,258)

Technical controls and Cyber-security accreditation (see Figure 8)

• Regarding some of the technical controls that organisations can put into place to help manage their cyber security, 87 per cent of businesses made use of malware protection ( i.e. anti-virus software) and 73 per cent used boundary firewalls ( i.e. preventing unauthorised access).
• 51 per cent of organisations used patch management to improve cyber security ( i.e. updating software).
• 10 per cent of businesses had obtained a cyber-security accreditation, such as Cyber Essentials or Cyber Essentials Plus.
• Amongst those who did not have a cyber-security accreditation, only 8 per cent were planning to obtain accreditation in the next 12 months.

Figure 9: Cyber-security technologies used by businesses (%)
Base: All businesses (3,258)

Specific cyber-security technologies (see Figure 9)

• The most commonly used cyber-security technology was anti-virus software, which was used by over 9 in 10 businesses (91 per cent).
• 47 per cent made use of Data Loss Prevention technologies, while 44 per cent filtered content such as web pages and e-mails.
• The least commonly adopted cyber-security technologies were sandboxing ( i.e. isolating applications from other programs and resources; 8 per cent), and behavioural analysis (9 per cent).
• 6 per cent of businesses made no use of any of the cyber-security technologies listed in Figure 9.