A survey carried out by the Internet Services Providers’ Association (ISPA) has found that Government must streamline its approach to cyber security to achieve its ambition of making the UK the safest place to be online. In response to the survey, ISPA members voiced concerns over the risk of creating unnecessary complexity and duplication of reporting and responsibilities across regulatory bodies that Government must address. 

ISPs play a unique role in protecting both their own network and customers and are often the first port of call for online users experiencing difficulty. As cyber security continues to grow in importance and significant new regulations bed in, ISPs are well placed to assess the strengths and weaknesses facing cyber security in the UK.  

Respondents emphasised the important role Government has to play in promoting good cyber security practice, setting minimum standards and raising awareness of new regulations. Cyber threats are one of the most significant security challenges of our time, impacting governments, businesses and individuals as well as national infrastructure and the economy.  

In the time elapsed since ISPA’s previous cyber security survey in 2016, ISP investment in cyber security has increased and looks set to continue on this trajectory, with 94% of respondents saying they are expecting to increase their investment in the next three years.  

Launching the report and recommendations, ISPA Chair, Andrew Glover, said: “Despite increased awareness about the importance of cyber security, Government and law enforcement must turn their words into actions. In order to ensure the UK has an effective cyber security regime, the Government should streamline the number of organisations involved in the cyber security landscape to minimise confusion. This needs to be underpinned by clear minimum standards on cyber security, set by Government, and improved online cybercrime reporting processes.  

The survey indicates that ISPs are working hard to provide a first line of defence for consumers, investing significantly in order a wide range of cyber security services to their customers. This work must be supported by increased awareness of good practice amongst users and improved training for law enforcement officers to ensure that they are properly equipped to tackle cyber crime.” 

Secure and resilient networks are a top priority for ISPs 

88% of the ISPs that responded stated that they are regularly subject to cyber attacks, with 44% experiencing daily attacks. Given this, it is no surprise that 94% of respondents expect their company’s cyber security spend to increase over the next 3 years, on average by 25%. This is reflective of the fact that all respondents stated they believe ISPs should play a proactive role in cyber security, with 78% stating that they already offer dedicated cyber security services to their customers. 

ISPs are not confident about the ability of law enforcement to uphold cyber security 

62% of respondents suggested that the handling of cyber crime could be significantly improved if law enforcement agencies took a more coordinated approach to the problem, with 31% suggesting that better cyber crime training for law enforcement officers was necessary. These were also the top two priorities reported in the 2016 survey which suggests that more progress needs to be made by law enforcement agencies in this area. 

10 key findings 

ISPA’s key findings from the survey of members are as follows:  

  1. An overwhelming majority (94%) of ISPs surveyed indicated that they expect to increase their investment in cyber security over the next three years.  
  2. Cyber security remains an important priority for ISPs, with 61% of respondents stating that cyber security is a high or very high priority in their company’s day-to-day operations.  
  3. 88% of respondents are regularly subject to cyber attacks, with 44% experiencing daily attacks.  
  4. ISP’s customers are largely the ultimate target of cyber attacks, with 69% of cyber attacks targeted at respondents’ customers as opposed to their own networks. 
  5. Confusion about data breach thresholds and reporting systems persists, with responses suggesting that some ISPs may be unsure about what constitutes a reportable breach.  
  6. The majority (86%) of respondents are implementing or planning to implement Active Cyber Defence measures, as recommended by the National Cyber Security Centre (NCSC). 
  7. All respondents believe that ISPs should play a proactive role in cyber security, with 78% stating that they already offer dedicated cyber security services to their customers. 
  8. ISPs are divided on the importance of sharing their experiences of dealing with cyber attacks with industry colleagues: with 50% of respondents not doing so as a matter of routine. This contrasts with the finding that 40% of respondents think that the handling of cyber crime could be improved if there was better collaboration and coordination within the internet industry.  
  9. 62% of respondents suggested that the handling of cyber crime could be improved if law enforcement agencies took a more coordinated approach to the problem. 
  10. ISPs want the Government to focus on setting out a clearer strategy and standards for cyber security, raising awareness of good practice, particularly amongst SMEs, and providing financial assistance or subsidies to businesses wishing to enhance their cyber security. 

Recommendations  

In response to the survey and in consultation with wider industry, ISPA has made the following recommendations:  

  1. Government should set out clear and practical minimum cyber security standards for industry, which are regularly updated to take account of evolving threats. 
  2. Government should focus on raising awareness of best practice in cyber security, using targeted subsidies, such as vouchers to help subsidise services, to help raise standards. 
  3. Government should streamline the number of organisations involved in the cyber security landscape to minimise confusion and duplication, including on areas like breach reporting. 
  4. Law enforcement agencies should take a more coordinated approach and boost training to improve consistency in cyber crime enforcement outcomes. 
  5. There needs to be a significant improvement in online cyber crime reporting processes to help and facilitate the sharing of information between interested parties. 

ISPA Cyber Security Survey