Half of UK businesses and a little under a third of charities say they have experienced some form of cyber attack or data breach in the past 12 months, rising to 74% of large enterprises and 66% of higher-income charities making over £500,000 per annum, according to the latest edition of the government’s Cyber security breaches survey.
At face value this would appear to be a significant jump on the statistics presented in the 2023 edition of the annual study, in which 32% of businesses and 24% of charities recalled incidents, but a change to the survey question used to capture incident volumes means a direct comparison is not really possible.
The 2024 survey also found that, by a considerable margin, the most common type of incident experienced was phishing, seen at 84% of businesses and 83% of charities, followed by impersonation attempts, affecting 35% of businesses and 37% of charities, and viruses or other malware, including ransomware, affecting 17% of businesses and 14% of charities.
Among those organisations that identified attacks or breaches, the average cost of the single most disruptive incident was £1,205, rising to £10,380 for medium and large businesses, and £460 for charities.
Given the relative unsophistication of the most common threats, the report contained bountiful evidence that some of the messaging around basic cyber security hygiene is getting through. The deployment of various controls, policies and tools, such as up-to-date malware protection, restricted admin rights, network firewalls and agreed processes for handling phishing emails, is up across the board, representing a partial reversal of a declining trend seen since the start of the Covid-19 pandemic in 2020. The government believes these changes reflect shifts in the microbusiness population and among SMEs.
In other areas, however, the picture was less rosy. Cyber security awareness and buy-in among senior leadership and in boardrooms remains static, few organisations are doing much to address supply chain security, and few have established incident reporting policies or ever bother to report incidents externally – such as to bodies like the National Cyber Security Centre (NCSC), which is empowered to help in many ways.
Added to this, the proportion of those following external guidance, such as the official 10 Steps to Cyber Security, or achieving NCSC Cyber Essentials certification is dropping – indeed, only 12% of businesses and 11% of charities are even aware the Cyber Essentials scheme exists.
‘Incredibly disappointing’
Andy Kays, CEO of managed detection and response (MDR) specialist Socura, said it was “incredibly disappointing” to see such disregard for cyber security, particularly among smaller businesses.
“Despite years of warnings from experts, countless data breach headlines and increased regulatory action, this issue still isn’t on their radar,” he said.
“Only a fraction of UK businesses have any kind of formalised incident response plan, which I find astounding. Businesses will always have a plan in case of a fire, but will not apply the same due care for a data breach – which is statistically much more likely. It flies in the face of common sense.”
Kays hit out at business owners who seemed stuck in the past and accused them of failing to do the bare minimum beyond conducting perfunctory awareness training on phishing emails. He lamented the lack of appropriate record keeping and the unwillingness to inform police and regulators or assess the scale and impact of breaches.
Kays also pointed out that the survey may paint a somewhat inaccurate picture of the financial costs of a cyber incident, and risks inducing complacency among organisations.
“The estimated financial cost of a data breach in this survey is far, far lower than other sources. I think we need to treat the government’s £1,205 figure with caution,” he said.
“This survey skews towards smaller businesses than many other surveys, so the numbers will be smaller. [But] we know that large enterprise businesses can lose millions in the event of a data breach due to the disruption, reputational impact and share price drop. The Information Commissioner’s Office can also impose serious fines on businesses that fall foul of GDPR.”
Panaseer security evangelist Marie Wilcox also decried the ongoing failure of UK organisations to put essential security controls in place. “At best, organisations are still below 2021’s standards. Even large businesses that understand the risks often fail to implement controls properly – at least 29% don’t have controls in place for patch management or restricting access to organisation-owned devices.
“With attackers tending to pick off the lowest hanging fruit, 98% of breaches could be prevented by focusing on security fundamentals and better cyber hygiene. Moving towards the middle of the pack by having the right controls and policies in place will help head off the vast majority of attacks.”
However, Wilcox went on, having appropriate policies and controls in place is only half the battle – the rapidly shifting sands of the threat landscape render security a moving target, and organisations also need to do more to attain continuous visibility over what they are doing and where things are going well, and to close up gaps. Too many rely on incomplete, siloed and often contradictory data, and even the best security tools can be unreliable witnesses, leading to conflicting reports, missed vulnerabilities, overwhelmed security teams and more opportunity for threat actors to strike.
“Overcoming these problems is a big data challenge. CISOs need a validated system of record they can trust that gives total visibility over coverage gaps and their true control status,” said Wilcox.
Take back control
“The survey also lays bare why it’s so important for CISOs to seize and demonstrate control,” said Wilcox. “The CISO is increasingly a crucial linchpin of organisations’ risk management strategy. More businesses than ever before have to cover cyber risk in their annual reports and this focus will increase with additional regulatory scrutiny. And almost half (46%) of large businesses still lack cyber insurance.
“To adapt to their new role, CISOs need to understand the risks they face, and communicate these to all potential stakeholders in the language of the business. Showing that security controls are in place, and constantly monitored, will go a long way to reassuring the board, investors, insurers and regulators.”