Welcome to Equilibrium Security’s take on the just-released Government UK Cyber Breaches Survey 2024. If you’re leading Cyber Security efforts at your organisation, staying ahead of industry changes and threats is always on your agenda. This survey is your chance to see how your challenges stack up against the broader patterns affecting businesses across the UK.
Today, we’re diving straight into the heart of this crucial report. Our goal is clear: to sift through the data, identify the most impactful findings, and bring these insights straight to you. This effort will not just deepen your grasp of the current security landscape but also sharpen your approach to dealing with threats.
So, let’s dive in!
First, let’s start with: What is the UK Cyber Breaches Survey 2024?
The Cyber Security Breaches Survey is an annual study aligned with the UK’s National Cyber Strategy. The main goal is to provide crucial insights to the government to help shape national policies. The aim is to make the internet safer for UK businesses, charities, and schools.
The survey examines how companies defend against cyber threats. It also explores the types of threats they encounter, the impact on their operations and how they react to these threats. This gives a direct insight into the current state of Cyber Security in these sectors.
The key findings: Awareness and attitudes
- Prioritising Cyber Security:
It’s encouraging to see that Cyber Security is climbing higher on the agenda for UK organisations. Now, 75% of businesses and 63% of charities consider it a high priority for their senior management. This marks a noticeable improvement from last year, especially among businesses, highlighting a rising awareness of the need for strong Cyber Security defences.
- Senior Management Engagement:
The involvement of senior management in Cyber Security is also on the rise. 63% of medium-sized businesses and 78% of large businesses now provide senior teams with Cyber Security updates at least quarterly.
30% of both businesses and charities have board members or trustees specifically tasked with overseeing Cyber Security. This is a positive development, ensuring Cyber Security gets the necessary attention and resources.
- Seeking Information and Guidance:
In the past year, 40% of businesses and charities have sought information and guidance on Cyber Security from external sources. Many businesses use outside consultants and IT service providers. However, they are either unaware of or not using government resources like the Cyber Aware campaign and the Cyber Essentials scheme.
- Impact of Government Information and Guidance:
The influence of government information is clear, with nearly half of the organisations familiar with government communications adjusting their Cyber Security. These changes include technical updates like better firewalls and antivirus software, and governance enhancements like increased funding and policy revisions. This really shows the practical benefits of government-led Cyber Security initiatives.
- Challenges and Opportunities:
Despite these positive trends, there are still challenges. Micro and small businesses are lagging in engagement with government Cyber Security resources. Economic pressures are forcing some firms to cut back on proactive Cyber Security measures, leading to a more reactive approach due to budget constraints.
Approaches to Cyber Security:
- Risk Management and Cyber Insurance:
Organisations are increasingly proactive in managing cyber risks. Over the past year, about half of businesses (51%) and four in ten charities (40%) have engaged in activities to pinpoint Cyber Security risks.
Common methods include using security monitoring tools and performing risk assessments. However, few organisations really dig into the risks from their suppliers and broader supply chain, which needs more attention.
Regarding cyber insurance, 43% of businesses and 34% of charities have some form of insurance covering cyber risks, though only a small fraction has policies dedicated exclusively to Cyber Security.
- Technical Controls and Staff Training:
Most organisations employ basic technical measures to reduce the risk of cyber breaches, such as cloud backups, updated malware protection, strong passwords, firewalls, and restricted admin rights. Yet, the uptake of advanced controls like two-factor authentication, user monitoring, and VPNs is still not widespread.
Staff training on Cyber Security is another critical component, yet only about 18% of businesses and charities have conducted training in the past year. Medium and large businesses are more likely to invest in this area, with much higher training rates.
- 10 Steps to Cyber Security:
Regarding the government’s 10 Steps to Cyber Security, most businesses (94%) and charities (82%) have followed at least one step. However, only about two-fifths of businesses and a third of charities have tackled five or more steps. Large businesses are leading here, with 91% working on at least five steps. This shows that smaller organisations especially aren’t fully embracing the guidelines.
- Incident Response:
The UK Cyber Breaches Survey found that while most organisations have some form of incident response in place, there’s still room for improvement.
77% of businesses and 81% of charities notify their leadership when a cyber incident occurs, about half keep an internal log, and just over half assess the incident’s impact.
However, only 22% of UK businesses and 19% of charities have a comprehensive incident response plan. Roughly a third have clearly assigned roles during these incidents.
- External Reporting of Breaches:
It turns out that reporting breaches externally is quite rare. Among organisations identifying breaches, only 25% of businesses and 29% of charities take the step to report externally, beyond their IT support teams.
The main outlets are banks for businesses and ISPs for charities, plus the police and Action Fraud. A significant 68% don’t report because they don’t see the incident as serious enough. Others are unsure who to report to or doubt whether it’ll make a difference.
- Actions Taken to Prevent Future Breaches:
On a positive note, 59% of businesses and 70% of charities are proactive about preventing future breaches. Common actions include more staff training and updates to firewalls and systems. Charities, interestingly, are more focused on changes involving people (41%) than tech (29%), a balance also reflected in business responses. When incidents cause significant loss, organisations are likelier to beef up training and improve tech defences.
This highlights a need for more structured response strategies and a culture shift towards recognising the importance of every breach, no matter the perceived severity.
Prevalence of Cyber Crime:
The survey estimates that 22% of businesses and 14% of charities have been victims of at least one cybercrime in the last 12 months, excluding cyber-facilitated fraud. This equates to roughly 312,000 businesses and 27,000 registered charities in total.
Medium and large businesses, as well as high-income charities, are more likely to experience cybercrime compared to their smaller counterparts.
Nature and Scale of Cyber Crimes:
Among organisations that have been victims of cybercrime, phishing attacks are by far the most common type (90% among businesses and 94% among charities). Other types of cybercrime, such as hacking, viruses, ransomware, and denial of service attacks, are much rarer in comparison.
The survey also reveals a high level of repeat victimisation among organisations experiencing cybercrime. On average, businesses experienced 25 cybercrimes of any kind in the last 12 months, while charities experienced 34. The median figures were 4 cybercrimes for businesses, compared to 2 for non-profit organisations, which may be a more accurate representation of the average organisation.
Cyber-Facilitated Fraud:
The survey also digs into how often cybercrimes lead to fraud. About 3% of businesses and 1% of charities—roughly 43,000 businesses and 2,000 charities—were hit by fraud due to cyber-attacks in the past year.
Among businesses that fell victim to cyber-facilitated fraud, phishing attacks (43%) and hacking of online bank accounts (35%) were the most common enablers. Other forms of cybercrime are less likely to result in fraud.
Cyber Security: Where Do You Stand?
The UK Cyber Breaches Survey 2024 offers a real-time look at how businesses and charities are handling cyber threats and attacks. After reviewing these insights, think about where your business stands. Are you well-prepared, or could you be doing more?
If you’re not sure or know you need help strengthening your defences, reach out. Call our security experts at 0121 663 0055 or email enquiries@equilibrium-security.co.uk for advice.