Why Security Change is Hard

Doing the Basics

It’s weird. Year after year, report after report concludes that most cyber incidents could be prevented through the application of basic hygiene. I mean, it’s not weird that the reports come to that conclusion. But it is weird that it’s still being reported.

[Figure: incident statistics. Source: Microsoft Digital Defense Report 2023]

In 2021 the Health Service Executive (HSE), Ireland's public health service, had a ransomware problem. Once the dust had settled, they asked PwC to take a look at what had gone wrong. PwC's key points: there was no-one with overall responsibility for security; there was nobody to investigate the alerts that were being raised; and there had been little to no patching (tens of thousands of machines were running an unsupported version of Windows, and the antivirus signatures were a year out of date). The basics. Similar story when the Electoral Commission was hacked in 2021: unpatched devices and operating systems, combined with a lack of monitoring and the widespread use of default passwords.

This is the sort of stuff that the Cyber Essentials scheme was set up to deal with. Certification under the scheme (particularly the Cyber Essentials Plus variant) is intended to demonstrate that you have at least addressed the basics.

Against this background, the 2022 DCMS security breaches survey found that only 6% of businesses taking part had gained certification under Cyber Essentials, and only 1% under Cyber Essentials Plus.

And here’s something odd. The 2024 survey reported that even though some businesses actually had measures in place in all five of the areas covered by Cyber Essentials, they still weren’t seeking certification.

So given the choice between voluntary certification, and spending that money somewhere else, the decision was usually… somewhere else. Almost as though voluntary certification held no business value.

And yet people do spend money on cyber. In 2021/22, the market in the UK alone was estimated to be worth about £10Bn. That is a lot of money. So what are the drivers amongst those companies that do choose to invest? 🤔

Reasons for Investing

That was the research question in a study by Cavusoglu et al., who examined the relative impact of mimetic pressure (following what other people are doing), coercive pressure (meeting the needs of industry partners or regulatory bodies), and normative pressure (following best practice).

It’s a detailed and valuable study, and I don’t mean to do it an injustice, but my take-aways were…

  1. Nobody invests in cyber just because they see their competitors doing it.
  2. If you want to invest to meet regulatory pressures, go ahead. But…
  3. … investing to follow best practice will require a supporting business case.

Bottom line, organisations seem happy to invest in order to demonstrate compliance with mandated standards. The idea of spending money on improving security for its own sake however, tends to be met with a less enthusiastic response.

The Potential Benefits of Compliance

The obvious answer here would be to enact new legislation forcing people to do the basics. The existing requirement for Cyber Essentials as a baseline for certain types of UK Government contracts for example, could be applied more widely and more stringently. In other words, we could force companies to demonstrate compliance.

The company St James's Place is a large investment house providing fund management, life insurance etc. In 2024 they mandated that each of their 2,800 branded supplier companies would need to achieve certification against Cyber Essentials Plus if they wanted to remain a supplier. Twelve months on, the number of cyber incidents being handled by St James's Place had fallen by around 80%. Without everything else held constant, it's not possible to say for sure that the reduction was driven exclusively by the certification. But it's a strong indicator.

Certification under the scheme makes smaller companies eligible for £25,000 of free cyber liability insurance. The insurance company behind that arrangement has stated publicly that in comparison with companies taking out the same insurance but not gaining certification, those with certification were 92% less likely to make a claim. Now, there might be all sorts of factors at play here, for example the possibility that companies going for Cyber Essentials are more committed to security anyway. But again, it’s a strong indication that doing the basics right, even when you’re being forced to do it, does pay off.

The Actual Benefits of Compliance

A Gartner report in 2020 looked at the outcome of mandated compliance against current security standards. Again, a really interesting study. The central point is summed up as below:

“Executives believe that compliance will save them. Many of them know or sense the reality that compliance does not equal protection, but the regulators give them no choice. At worst, compliance forces us to spend money where we don’t need it and keeps us from investing where we should.”

An industry body report in 2020 interviewed over one hundred business leaders, asking whether or not their investments in cyber had led to any benefit. The adoption of a compliance-based approach against primarily technical standards was a common theme. Ninety percent of respondents agreed that security technology often doesn’t work as promised, a situation which they said “compromises defences and is partially responsible for the continued success of attackers”.

Doherty and Fulford took two groups of companies, one with a documented security policy and one without. The researchers expected to see a statistically significant difference between the two groups, in terms of the number of security incidents and/or their severity. Turns out there was no difference. Having a security policy in place didn't correlate with an increased level of protection. Angst et al. found the same: the purely symbolic adoption of cyber did not lead to protection.

The Cost of Compliance

Prior to transposition into UK law, the initial version of the EU Network and Information Systems Directive (NIS) was the subject of an impact analysis, which concluded that the implementation costs over a 10 year timeframe would be about £400M. It also noted that “a 5% reduction” in the number of companies suffering a breach would be a reasonable outcome.

There were 422 large companies deemed to be essential service providers within scope for NIS. The contemporary (2017) DCMS survey estimated that the mean cost of breaches affecting large companies was around £19,600. Assuming that all of those 422 companies would have had a breach in a normal year (and that's a bit pessimistic), a 5% reduction is about 21 breaches avoided, so the savings come to about £400k per year. That's £4M over the ten years, assuming every year is a normal year. In case you haven't got your calculator to hand, that's a return of about one percent of the cost of implementation. Rough figures, £400M recovered at £400k a year is a payback period of about 1,000 years.

Although… 🧐 … the 2022 breaches survey noted that only about 11% of businesses suffered incidents that would come under their definition of cybercrime. That's reported elsewhere on this very website. The same report then discounts no-impact phishing attempts, to arrive at 60-odd instances out of a total sample size of about 2,300 (i.e. only about 2% of businesses suffered a non-zero impact). So the calculation really ought to be: 5% of 2% of 422 companies times £19,600 per company, which is less than half a breach avoided per year, or under £10k. Take away the number you first thought of, add two, divide by the number of days in January… you should get to a payback period of about 50,000 years. It's ok, I can wait…

Two years on, a Post Implementation Review (PIR) looked at how we were doing. It concluded that “… a minimum of 39% of large [service providers] who responded to the survey spent more than the high estimated additional costs per business (£200,000). A minimum of 27% of large [digital service providers] who responded spent more than the high estimated additional costs per business (£50,000)”.

It also found that “… given the nature of cyber breaches and the complex factors involved, it will not be possible to attribute incidents as having been prevented by measures taken under the Regulations” and that “It is also not possible to quantify whether there has been a reduced impact of incidents”.

So the financial burden on businesses was much greater than expected, and there was no way of identifying any consequent benefit. Research looking into the effects of GDPR found a similar picture, with an overall profit reduction of 8% for those companies within scope, mostly due to unexpectedly large levels of expenditure.

Two years later, the second Post Implementation Review updated the likely costs of implementation. To about £850M. That's correct. About a billion quid. Turns out there had been a mistake in the Impact Assessment: figures were converted into millions and nobody noticed, so a cost that appeared as £4.20 should have read £4.2M. I promise, I'm not making this up.

The second PIR also noted that there had been a reduction in reported incidents. Great. From thirteen incidents, down to twelve. Although apparently these weren’t all necessarily cyber incidents. Right.

Envoi

Mandating compliance isn’t necessarily a bad thing – see the St James’s Place example. But the current model of enforcement seems only to have levied a tax on target companies, with that money going direct to the cyber industry, seemingly for very little return, at least not in terms of protection. Possibly that’s because the current model of enforced compliance relates primarily to the use of high-margin technical products rather than being aimed at effectiveness.

Alternatives

I guess I could wax lyrical and suggest ways in which the global cybersecurity market could be ‘corrected’. Indeed, I’ve seen calls on social media for the cyber industry to get shaken up, to get them to deliver, to stop rinsing the customer. It’s a laudable aim, but misplaced. Given that Governments want a healthy, growing, profitable cyber industry (a vision shared perhaps not surprisingly by the industry itself), nobody’s going to rock the boat. And at the end of the day, customers are getting what they’ve been told they want – compliance.

Assaf points out that compliance enforced through legislation is not the only way Government can work with industry. The options range from e.g. nationalisation of CNI companies at one end, through to leaving everything to market forces at the other. But there are options in the middle, such as regulated self-regulation. Under that approach, industry bodies and Government agree on what security looks like in that sector, and companies are left to implement the requirements as they see fit, with the industry body monitoring adherence to the agreed behaviours. That way, companies are at least engaged in the process. Others have made the same point, saying that anything up to 80% of the CNI is in private hands, so some form of partnership is inevitable. Companies and industry bodies commenting during the NIS2 consultation phase made the same point, loud and clear. There’s a ton of evidence and a very strong argument that collaboration would be more effective than the current approach.

Personally I’d be happy just to get a more widespread application of the basics. Which is where we get to the subject of the article – why security change is hard. The current situation is very, very stable. Everyone’s getting what they want. Why would any of the parties to the discussion shift their position? For the cyber industry in particular, they create the standards, check you against them (for a fee), and then sell you the kit you need to get there. It’s a sweet deal. And at the end of the day, there’s not a great deal of profit to be made in selling people basic hygiene.

In their book, "Phishing for Phools", George Akerlof and Robert Shiller suggest the idea of a "phishing equilibrium". Free markets, they argue, can bring about situations in which opportunities for increased profits are efficiently exploited by the market, but with that premium coming at the price of deception and manipulation. So much so that, at the equilibrium, customers are buying what they've been conditioned to buy, rather than what might be best for them.

If you want this situation to change, you either have to introduce a new party to the discussion (such as an industry body), or get one of the existing parties to change their position (e.g. customers start asking for something different from the cyber industry).

Or (I guess) someone in the cyber industry decides to offer something different. Something closer to customer needs.

None of which is impossible, but it’s a big ask, because it relies on switching attention away from developing the cyber industry, and towards the idea of achieving protection.

Selected Sources

  1. Microsoft Digital Defense Report 2023. Available from: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/10-essential-insights-from-the-microsoft-digital-defense-report/ba-p/4022783
  2. Sellman, M. The Times, 30th July 2024. Voter register was hacked because Electoral Commission didn’t change passwords.
  3. Cavusoglu, H., Cavusoglu, H., Son, J. Y., & Benbasat, I. (2015). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), 385-400.
  4. https://www.ncsc.gov.uk/blog-post/cyber-essentials-decade
  5. https://www.ncsc.gov.uk/sites/default/files/documents/NCSC_Annual_Review_2024.pdf
  6. Proctor, P. Gartner Report: The Urgency to Treat Cybersecurity as a Business Decision.
  7. Debate Security. Cyber Security Technology Efficacy: Is cybersecurity the new “market for lemons”? Available from: https://www.debatesecurity.com/downloads/Cybersecurity-Technology-Efficacy-Research-Report-V1.0.pdf.
  8. Doherty, N.F. and H. Fulford, Do information security policies reduce the incidence of security breaches: an exploratory analysis. Information Resources Management Journal (IRMJ), 2005. 18(4): p. 21-39.
  9. NIS Regulations: Impact Assessment. Available from: https://www.gov.uk/government/publications/nis-regulations-impact-assessment.
  10. Post-Implementation Review of the Network and Information System Regulations 2018. Available from: https://assets.publishing.service.gov.uk/media/60251d7c8fa8f5038238e996/CCS207_CCS0320329850-001_Network_and_Information_Systems_Regulations_Post-Implementation_Review_Web_V2.pdf.
  11. https://www.gov.uk/government/publications/second-post-implementation-review-of-the-network-and-information-systems-regulations-2018
  12. Global IT outage: All it took was a few lines of code and millions of machines were dead – the risks of complexity. 2024. Available from: https://news.sky.com/story/global-it-outage-all-it-took-was-a-few-lines-of-code-and-millions-of-machines-were-dead-the-risks-of-complexity-13181118
  13. Assaf, D., Models of critical information infrastructure protection. International Journal of Critical Infrastructure Protection, 2008. 1: p. 6-14.
  14. Allee, V., The future of knowledge: Increasing prosperity through value networks. 2003: Routledge.
  15. Akerlof, G. A., & Shiller, R. J. (2015). Phishing for phools: The economics of manipulation and deception. Princeton University Press.

First published 2nd June 2024

Edited 9th June 2024

Edited 30th June 2024

Updated 4th August 2024

Added 2nd PIR 28th April 2026

Updated 3rd May 2026