As cybersecurity breaches remain a common threat globally, the UK government has published its Cyber Security Breaches Survey, detailing the cybersecurity policies, processes, and dependencies of businesses of all sizes.
Common Cyberthreats and Protections
Because the most common cyberthreats are relatively unsophisticated, the UK government advises using a set of “cyber hygiene measures” to combat them. A majority of businesses (more than two-thirds) have a range of these measures in place, including malware protection, cloud backups, passwords, restricted administrative rights, and network firewalls.
However, the last three waves of the survey indicated that certain areas of cyber hygiene have consistently declined among businesses, including the following decreases: use of password policies (79% in 2021 vs. 70% in 2023), use of network firewalls (78% in 2021 vs. 66% in 2023), restricting admin rights (75% in 2021 vs. 67% in 2023), and policies to apply software security updates within 14 days (43% in 2021 vs. 31% in 2023).
The percentages for larger businesses remain unchanged, so these decreases mainly reflect shifts among smaller businesses.
Key Metrics
Some other key insights from the survey include the following:
- 69% of large organizations and 32% of smaller firms experienced a breach and/or cyberattack.
- 68% of victims say that they had a fraudulent loss of money resulting from a phishing attack.
- The percentage of microbusinesses that consider cybersecurity to be a top priority has declined from 80% in 2022 to 68% in the current year.
- Only 30% of businesses (and 31% of charities) have board members or trustees taking explicit responsibility for cybersecurity as part of their job.
- 11% of businesses and 8% of charities have been victims of at least one cybercrime in the last 12 months.
- It is estimated that UK businesses have experienced around 2.39 million cybercrimes of all types, and 70,000 nonphishing cybercrimes, in the last 12 months.
- The mean cost of businesses experiencing any cybercrime other than phishing was £20,900 (approximately $26,627).
Incident Response
A large majority of businesses say that they intend to take certain actions following a cybersecurity incident, but in reality only a minority currently have formal processes in place to support this. The most common processes include assigning specific roles and responsibilities to individuals and having guidance on both external and internal reporting. The lack of formal policies and processes represents an area for ongoing improvement, which the survey will continue monitoring next year.
Interpreting the Results
The Cyber Security Breaches Survey shows that smaller organizations have not prioritized cybersecurity, possibly because of rising costs and overall economic uncertainty. Some trends may also reflect shifts in working models since the pandemic. For instance, the proportion of businesses restricting access to business-owned devices has fallen substantially over the last four years. Furthermore, fewer charities are undertaking any monitoring of user activity this year.
Summer associate Cooper Attig contributed to this post.