The volume of cyber security breaches and other attacks against UK organisations seems to have dropped, with 32% of businesses and 24% of charities recalling incidents during the past 12 months, down from 39% and 30% respectively over the previous period, according to the government’s Cyber security breaches survey 2023, released without fanfare today by the new Department for Science, Innovation and Technology (DSIT).
However, the apparent decline was driven largely by smaller businesses, whereas the figures for medium and large businesses, and high-income charities, remain at similar levels to those in the 2022 report. According to government statisticians, this may be a result of smaller business owners and managers viewing cyber security as less of a priority given the current economic climate.
Indeed, the proportion of micro-businesses saying they put a high priority on cyber security dropped from 80% in spring 2022 to 68% today.
Among those organisations identifying breaches or attacks, the single most disruptive breach of the past 12 months cost organisations of any size approximately £1,100, rising to £4,960 for medium and large businesses.
“Looking at the figures released today, I’m unsurprised to see a downward shift from last year’s findings,” said Tom Kidwell, a former government intelligence specialist and co-founder of security consultancy Ecliptic Dynamics.
“In terms of preparedness, response and investment in cyber security on an organisational level, the numbers haven’t changed very much at all, except for smaller businesses, who are identifying attacks and implementing good cyber hygiene practices less. This is likely due to the current economic climate in the UK, and because many businesses still operate with the ‘it probably won’t happen to me’ mindset. Although, in the past you might have got lucky, now it’s not a case of ‘if’, but ‘when’, you get targeted,” he added.
Tom Kidwell, Ecliptic Dynamics
“In terms of the number of businesses which have been attacked, the number has fallen to 32%. However, as the survey itself highlights, underreporting is a huge issue identified by the cyber security industry, meaning this number could be far higher in reality,” said Kidwell.
“Underreporting is rife because for any organisation, especially those which handle sensitive information, admitting that you’ve been breached can have catastrophic effects. Trust in your brand can be wiped away instantly, and have long-reaching impacts for stakeholders, which is why so many affected organisations don’t report attacks when they happen,” he said.
Kidwell added that this underreporting may not be deliberate, because many organisations may not even realise they have been breached.
Richard Staynings, chief security strategist at Cylera, an internet of things (IoT) security specialist, said the statistics on the cost of an incident were also wide of the mark, likely by an order of magnitude.
“Organisations aren’t truly counting the cost of a cyber breach. Firstly, there’s the cost of the legal and security incident response teams, the forensic consulting, the PR, and any other experts you need to bring in to handle the impact of the incident. Then, you have the loss of business due to your data and system having been destroyed. It can take two to three weeks to restore data, but we have also seen situations where it has taken longer than six months after a breach before systems, devices and data are restored,” he said.
“Then there are the regulatory fines and punitive damages for data breaches. Taking all this into account, you are looking at the cost of a cyber attack being closer to a few million pounds, and this doesn’t take into consideration any ransomware demand, if you pay it, which is often in the tens of thousands of pounds alone.”
Alarming findings
The full report contains a wealth of information on how UK organisations are handling cyber incidents and the impact of cyber crime, and turned up many findings that cyber experts will consider worrying.
Among other things, it found that while the majority of organisations have a broad range of cyber hygiene measures in place, the numbers implementing password policies dropped from 79% in 2021 to 70% today, use of network firewalls is down from 78% to 66%, implementation of admin rights restrictions is down from 75% to 67%, and implementation of prompt patching policies (within 14 days of disclosure, for example) is down from 43% to 31%. These declines were again largely driven by smaller organisations.
In terms of risk management and supply chain issues, larger businesses tended to be the most mature, but even so, across the full spectrum of organisations, only three in 10 had undertaken any kind of risk assessment in the past 12 months, a similar proportion had deployed security monitoring tools and under four in 10 had cyber insurance. One in 10 said they reviewed the risks posed by their immediate suppliers – rising to 55% of large businesses, which is still too few.
Similarly, only three in 10 organisations had any board members – or trustees in the case of charities – explicitly tasked with cyber security, and among large businesses, only 30% had ever heard of the National Cyber Security Centre’s (NCSC’s) Board Toolkit.
In terms of seeking cyber security support and guidance, DSIT’s statisticians found that approximately half of organisations had done so in the past year, essentially stable, but still a source of concern because it implies half of organisations seem to be unaware of initiatives such as the NCSC’s Cyber Essentials scheme, or other formal guidance such as 10 Steps to Cyber Security. Nor do sufficient numbers seem to be adhering to recognised standards or accreditations such as ISO 27001.
Where organisations did seek outside guidance, they tended to turn to external security consultants or managed service providers (MSPs).
Cyber crime
Turning to the impact of cyber crime, DSIT again found evidence of underreporting. A total of 11% of organisations experienced cyber crime in the past 12 months, rising for larger businesses and wealthier charities – or read another way, approximately a third of cyber incidents led to cyber crime.
The statisticians estimate that across all UK businesses, there were 2.39 million instances of cyber crime and 49,000 instances of fraud as a result of cyber crime in the past 12 months. Among charities, there were 785,000 cyber crimes, but the sample size in this instance does not enable an accurate enough estimate of fraud.
The estimated mean annual cost of cyber crime for businesses comes out at approximately £15,300 per victim and, again, the sample size does not allow an accurate estimate for charities.
It is important to note that the cyber crime statistics are reported this year for the first time, so meaningful comparisons with past data cannot be made, and there is likely to be a wide margin of error.