In April 2024, the UK Government released the latest cyber security breach survey results. This exercise has been ongoing since 2013 and provides a valuable view of the threat landscape over the last 12 months.   

According to the 2024 data, about half of the businesses and a third of the charities have reported experiencing some form of cyber security breach or attack in the last 12 months. This percentage is much higher for medium businesses (70%), large businesses (74%), and high-income charities with an annual income of £500,000 or more (66%).  

There has been a significant increase in the number of businesses experiencing a breach compared to the 2023 results. The 2023 data showed that only 32% of businesses and 24% of charities reported any breaches or attacks in the last 12 months. This percentage is much higher for medium businesses (59%), large businesses (69%), and high-income charities with an annual income of £500,000 or more (56%).  

It is worth noting that the data in 2023 showed a decrease from 2022. Therefore, careful consideration needs to be given to what has made UK businesses and charities more susceptible to breaches and attacks.

Phishing remains the top method of breach 

As in the previous year, the 2024 data shows that phishing and impersonation attacks were the most common types of security breach organisations experienced in the last 12 months. The prevalence of these top two attack types has increased slightly compared to the previous year.

What could cause the increase in breaches in the UK in the last 12 months?     

It’s important to understand why the UK has experienced more breaches in the last 12 months. Analysing the data reveals that some changes are necessary for UK businesses to improve their defence against cyber attacks. The survey assesses attitudes and approaches towards cyber security and how businesses have handled cyber attacks. These aspects have been analysed in greater detail to determine the reasons behind the increase in breaches over the last 12 months. 

Attitudes    

Although cyber security has been prioritised across businesses of all sizes over the past 12 months, there have been no statistically significant changes:   

  • 73% of micro-businesses say it is a high priority (vs. 68% in 2023)   
  • 84% of small businesses say it is a high priority (vs. 83% in 2023)   
  • 93% of medium businesses say this (vs. 91% in 2023)   
  • 98% of large businesses say this (vs. 96% in 2023).   

Despite prioritising cyber security, there has been no significant change in the number of businesses attacked in the last 12 months. This suggests that how highly cyber security is prioritised is not the only factor behind the increase in these attacks.

Approaches   

Risk Identification    

The data below shows the measures used by businesses to identify risks in their operations:   

It has been observed that larger organisations are more likely to carry out certain activities related to cyber security. According to recent data, at least one of the listed activities has been carried out by over 83% of medium-sized businesses, 92% of large businesses, and 86% of high-income charities. Specific examples include:   

  • 63% of medium businesses and 71% of large businesses have used security monitoring tools   
  • similarly, 63% and 72%, respectively, have undertaken cyber security risk assessments.   

However, this data has remained stagnant over the past 12 months, indicating that there have been no significant changes in the cyber maturity of UK businesses during this period. Despite the growing threat landscape, with cyber criminals making more use of AI, businesses have not significantly changed the way they identify cyber risks. This lack of progress may explain the increase in the number of companies breached in the last 12 months, as cyber security requires businesses to keep up with a rapidly evolving threat landscape. It is therefore crucial that companies do not sit still, but take proactive measures to protect their data and systems.

Supplier and Third-Party risk review   

Since 2020, the survey has asked respondents whether they have evaluated the risk posed by suppliers and third parties.

It’s disappointing that after an encouraging trend from 2020 – 2023, the percentage of businesses evaluating the risk posed by their suppliers and the wider supply chain has fallen significantly in the last 12 months.    

Looking at the qualitative answers to this question, it’s evident that organisations find supplier risk management both challenging and rewarding, especially when dealing with long-term suppliers. Sapphire has seen this challenge. To address this concern, we have created a managed third-party risk management service to remove this overhead from the business and provide assurance that cyber security experts are looking at the risks the supply chain can pose and how these risks can be mitigated.    

Cyber Security Strategy   

It is not surprising to learn that large businesses are more inclined to have a formal cyber security strategy in place. However, it is encouraging to see that there has been a significant increase in the percentage of medium-sized businesses having a formal cyber security strategy – rising from 49% to 58%. Similarly, the proportion of charities with formal cyber security strategies has increased from 36% to 47% in the past year.  

Among the larger organisations with a cyber security strategy, 80% of businesses and 74% of charities report that senior executives or trustees have reviewed it within the last 12 months.  

While the stats show that medium-sized businesses are now more likely to have a formal strategy, it is concerning that only 66% of large companies in the UK have one.

Technical Cyber Security Controls    

Medium and large businesses are more likely than average to have technical rules and controls in place. Specifically, across large companies, around nine in ten have adopted each of the following:   

  • restricting admin rights (96%)
  • password policies (96%)
  • security controls on their devices (93%)
  • up-to-date malware protection (93%)
  • network firewalls (93%)
  • separate Wi-Fi for staff and visitors (93%)
  • data backups, either via the cloud or other means (92%)
  • VPNs (88%).

Businesses have slightly increased their deployment of controls and procedures compared to 2023:   

  • using up-to-date malware protection (up from 76% to 83% among businesses, similar to the 83% of businesses in the 2022 survey)   
  • restricting admin rights (up from 67% to 73%)   
  • network firewalls (up from 66% to 75%)   
  • agreed processes for phishing emails (up from 48% to 54%). 

The 10 Steps to Cyber Security include technical controls that are crucial for safeguarding businesses against cyber threats. However, it is a matter of concern that many UK businesses are still not implementing the basic measures to protect themselves from cyber attacks. Cyber criminals are always on the lookout for such unprotected organisations, so it is not surprising that there has been an increase in attacks over the past year. This data indicates that a significant proportion of businesses remain vulnerable and easy targets for cyber criminals.

Conclusion   

The threat landscape in the UK is constantly evolving, and while some businesses are adopting continuous improvement to keep up with the pace of change in threats, others are still not even doing the basics.     

Many companies are concerned about the challenging economic climate and the increasing number of attacks. Although they feel they need to do more, they have fewer resources to do so. Despite these challenges, it’s surprising that the trend for organisations using external cyber security providers has remained flat over the last three years. Medium-sized businesses are more likely to use external providers than other organisations. 

When it comes to implementing complex security measures that require expertise and significant costs, it would be wise to consider an external provider who offers cyber security services such as Managed SOC and Managed Threat Intelligence. This could greatly reduce the organisation’s risk profile and save costs compared to having an in-house team.    

To find out more about how we can help improve your organisation’s security posture, get in contact with our team of consultants.