Cyber breaches survey 2024

by Mark Rowe

According to the latest annual UK cyber breaches survey, half of businesses and around a third of charities (32pc) report having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium businesses (70pc), large businesses (74pc) and high-income charities with £500,000 or more in annual income (66pc).

Of those businesses and charities reporting a breach or attack, just over two-fifths ended up actual victims of cyber crime. The survey estimated UK businesses experienced about 7.78 million cyber crimes of all types and 116,000 non-phishing cyber crimes in the last 12 months; while for UK charities, the estimate is 924,000 cyber crimes.

By far the most common type of breach or attack is phishing (cited by 84pc of businesses and 83pc of charities). Only a minority of businesses (31pc) and charities (26pc) have undertaken cyber security risk assessments in the last year. About one in ten businesses say they review the risks posed by their immediate suppliers (11pc, compared with 9pc of charities). Three in ten businesses and charities say they have board members or trustees explicitly responsible for cyber security as part of their job role – a statistic which rises to 51pc of medium businesses and 63pc of large businesses.

The number of businesses seeking external information or guidance on cyber security has fallen since 2023. While a large majority of organisations say that they will take several actions following a cyber incident, in reality only a minority have agreed processes already in place to support this, a finding in common with previous years’ surveys. Reporting of breaches to others remains uncommon, and many of those who do report cases simply report to their external cyber security or IT providers and no one else.

For the full survey visit the Department for Science, Innovation and Technology (DSIT) website.

Comments

Christian Borst, EMEA CTO at Vectra AI, says: “Large UK businesses are directly in the firing line, with almost three quarters reporting a breach or attack in the past 12 months. But despite being the prime target, it’s shocking to see just 49pc of large businesses are reviewing supplier risks. This drops to 11pc for UK businesses of all sizes.

“With every new vendor added to their IT ecosystem, an organisation’s attack surface grows. Businesses must factor security into their decisions when selecting third-party providers. But security doesn’t stop after supplier selection. Firms must also work to drastically improve visibility into their own IT environments to protect against supply chain attacks, Generative AI powered phishing attacks, and a rapidly expanding attack surface.

“To boost cyber resilience, UK businesses must leverage AI to improve the quality and accuracy of security alerts to identify attacker behaviours, enabling firms to spot signs of malicious activity and stop the attack before it becomes a breach.”

Dale Waterman, at Diligent, says: “Navigating this fast-evolving threat landscape will require businesses to have strong cybersecurity governance practices in place. The ones that do will be the ones to come out on top. Diligent’s latest research found that there is a direct correlation between strong board oversight practices and better cybersecurity performance — and companies with advanced cybersecurity performance deliver 372% higher shareholder return on average, compared to their peers. This demonstrates how cybersecurity is no longer just an IT issue, but a high priority enterprise risk that has material impact on a company’s overall performance.

“The staggering number of cyber breaches serves as a timely reminder for businesses to prioritise cybersecurity and compliance with cybersecurity regulations. Developments such as the EU’s NIS 2 Directive and Digital Operations Resilience Act (DORA) present an opportunity for UK businesses to raise the bar in relation to cyber risk management and digital resilience. To effectively address cyber risks, organisations must strive for increased resilience by working towards compliance with updated regulations, aligning cybersecurity with their broader GRC programmes and treating security as a core business function.”

And Andy Kays, Socura CEO, describes it as incredibly disappointing to see such disregard for cyber among the UK’s small businesses. “Despite years of warnings from experts, countless data breach headlines, and increased regulatory action, this issue still isn’t on their radar.

“Only a fraction of UK businesses have any kind of formalised incident response plan, which I find astounding. Businesses will always have a plan in case of a fire, but will not apply the same due care for a data breach – which is statistically much more likely. It flies in the face of common sense.

“A lot of these responses seem stuck in the past. Most businesses’ experience with cyber incidents seems limited to phishing attempts, and their default response is to conduct security awareness training if they do anything at all. In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident. They are failing to do the bare minimum. It’s also important to note that businesses are doing very little to prevent or detect breaches in the first place.

“The estimated financial cost of a data breach in this survey is far far lower than other sources. I think we need to treat the Government’s £1205 figure with caution. Obviously this survey skews towards smaller businesses than many other surveys, so the numbers will be smaller. We know that large enterprise businesses can lose millions in the event of a data breach due to the disruption, reputational impact and share price drop.”
