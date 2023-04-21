The UK’s businesses had about 2.39 million instances of cyber crime against them in the last 12 months; while across charities, there were about 785,000 cyber crimes. That’s among estimates arising from the UK’s annual Cyber Security Breaches Survey.

The average annual cost of cyber crime for UK businesses was estimated at about £15,300 per victim. Around a third of businesses (32pc) and a quarter of charities (24pc) report having experienced any kind of cyber security breach or attack in the last 12 months. As in previous years, larger businesses or charities are more likely to identify breaches or attacks than smaller ones.

Around seven in ten businesses (71pc) and six in ten charities (62pc) report that cyber security is a high priority for their senior management; the researchers note that both figures represent an apparent decrease in prioritisation from last year. Food and hospitality businesses tend to regard cyber security as a lower priority than those in other sectors: only 58pc say it is a high priority, compared with 71pc of businesses overall.

Small businesses interviewed for the survey spoke of spending only when they need to, in order to survive generally, and said that ‘it’s tempting to cut corners when you see how much cloud systems, antivirus, firewalls are costing’. Only a minority of businesses and charities have heard of any cyber-security initiatives or campaigns.

Insurance

As for insurance, just under four in ten businesses (37pc) and a third of charities (33pc) report being insured against cyber security risks in some way. In most cases, cyber insurance is an addition to a wider insurance policy – only 7pc of businesses and 8pc of charities have a specific cyber policy.

Most of the businesses and charities surveyed have various basic rules and controls in place, such as cloud back-ups, up-to-date malware protection, password policies, network firewalls and restricted admin rights. The survey also covers the response to breaches; external reporting of breaches remains uncommon.

For the results in full, visit https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023.

Comments

Rob Otto, CTO at Ping Identity, said the survey results do not bode well for online customers. “The qualitative evidence shows that cyber security has dropped off the priority lists for smaller organisations, but it should remain a must-have for all businesses. It is critical for organisations to use multiple layers of security to strengthen their cyber resilience – such as multi-factor authentication, adaptive risk signals and employee training – to stay ahead of advancing threats and ultimately protect end-users and overall company reputation.”

Faki Saadi, Director of Sales at SOTI UK, said: “It is concerning that just under half of UK businesses don’t have security controls on organisation-owned devices. For medium-sized businesses specifically, this has dropped from 91pc in 2022, to 79pc this year.

“Our own data found that 36pc of UK businesses in the last year have invested in additional devices for employees due to the rise of the distributed workforce. But over half are managing workflows through potentially unsecured manual systems, posing significant data risks. As cyberattacks become ever more creative, sophisticated and dangerous, protecting all devices should be non-negotiable.”

And Dr Simon Wiseman, Chief Technology Officer for Global Governments and Critical Infrastructure at the cyber firm Forcepoint, said: “Business leaders in any organisation must take everyday cyber hygiene seriously. Employees are always the first line of defence – so regular cybersecurity training is a must to make sure a small chink in your armour isn’t your downfall, particularly when it comes to post-pandemic hybrid working.

“The drop in adoption of password policies and firewalls in micro-businesses could reflect the move to the cloud as password managers and 2FA take on the ‘strong password’ burden and SaaS apps make them easy to deploy.

“Leaders should be investing in the cloud as a mechanism to protect themselves. When times are tough and cash flow is tight, it’s easy for capital expenditure and staff security costs to take second place – but moving to the cloud can provide better protection while spreading implementation costs.”

And Andy Robertson, Head of Enterprise and Cybersecurity Business at Fujitsu UK and Ireland, said: “A rise in phishing attacks always correlates with negative economic or social events and is targeted at those who stand to benefit the most from socially engineered messaging. So, as the cost-of-living crisis continues, don’t expect cyber risks to go away.

“Cyber security experts face another hurdle too. With the big rise of artificial intelligence tools that we’re seeing in the form of generative AI and platforms such as ChatGPT, this is creating a surge in phishing attacks. For instance, ChatGPT has the ability to create cyber security attacks and these attacks can be created by someone with very little cyber security and computing experience. On the flip side, it can be very powerful, performing a lot of the heavy lifting to understand what is happening.

“Going forward, organisations must identify equally sophisticated methods to protect themselves. Now more than ever, organisations need to be reviewing their high-level accounts, who has access to them, and when the passwords were last changed, having a strict approach to Multi-Factor Authentication (MFA) and Conditional Access (CA).”
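The review Robertson describes above (which high-level accounts exist, whether MFA is enforced on them, and how old their passwords are) is easy to script once an account export is in hand. The following is an added example for this article, not code from the survey or from Fujitsu or any other vendor quoted; the line-delimited JSON export format, the field and role names, the 90-day and 60-day thresholds, and the sample accounts are all assumptions constructed for illustration.

```python
"""Audit a privileged-account export for missing MFA, stale passwords and
dormant admins.

Added example; not code from the survey or from any vendor quoted in the
article. The export format (one JSON object per line), the field names, the
role names and the thresholds are assumptions made for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real users): one JSON record per line.
SAMPLE_EXPORT = """\
{"user": "alice", "roles": ["Global Administrator"], "mfa_enforced": true, "last_password_change": "2023-03-01T09:00:00Z", "last_sign_in": "2023-04-20T08:00:00Z"}
{"user": "bob", "roles": ["Helpdesk"], "mfa_enforced": true, "last_password_change": "2021-06-15T09:00:00Z", "last_sign_in": "2023-04-19T08:00:00Z"}
{"user": "svc-backup", "roles": ["Domain Admins"], "mfa_enforced": false, "last_password_change": "2019-01-10T09:00:00Z", "last_sign_in": "2023-04-21T02:00:00Z"}
{"user": "carol", "roles": ["Domain Admins", "Helpdesk"], "mfa_enforced": false, "last_password_change": "2023-04-01T09:00:00Z", "last_sign_in": "2022-10-01T08:00:00Z"}
"""

# Assumed role names that count as "high-level" accounts.
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins", "Privileged Role Administrator"}
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed policy threshold
MAX_IDLE = timedelta(days=60)          # assumed policy threshold
# Fixed reference date so the run is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_DATE = datetime(2023, 4, 21, 9, 0, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is mapped to +00:00 for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text):
    """Turn the line-delimited JSON export into a list of record dicts with real datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["last_password_change"] = parse_timestamp(rec["last_password_change"])
        rec["last_sign_in"] = parse_timestamp(rec["last_sign_in"])
        records.append(rec)
    return records


def audit(records, now):
    """Return findings for privileged accounts only; non-admin accounts are out of scope."""
    findings = []
    for rec in records:
        privileged = sorted(set(rec["roles"]) & PRIVILEGED_ROLES)
        if not privileged:
            continue  # bob's stale password is a problem, but not a high-level account problem
        if not rec["mfa_enforced"]:
            findings.append({"user": rec["user"], "check": "NO_MFA",
                             "detail": "roles: " + ", ".join(privileged)})
        password_age = now - rec["last_password_change"]
        if password_age > MAX_PASSWORD_AGE:
            findings.append({"user": rec["user"], "check": "STALE_PASSWORD",
                             "detail": f"last changed {password_age.days} days ago"})
        idle = now - rec["last_sign_in"]
        if idle > MAX_IDLE:
            # An admin nobody uses is an unattended door: disable or remove the role.
            findings.append({"user": rec["user"], "check": "DORMANT_ADMIN",
                             "detail": f"no sign-in for {idle.days} days"})
    return findings


def run_audit(text=SAMPLE_EXPORT, now=AUDIT_DATE):
    """Parse and audit an export; returns the list of finding dicts."""
    return audit(parse_export(text), now)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['user']:<12} {f['check']:<16} {f['detail']}")
```

On the constructed data the service account svc-backup is flagged twice (no MFA, password unchanged for over four years) and carol once for no MFA and once as a dormant admin, while bob's equally old password is ignored because he holds no privileged role. Feeding a real export only needs the field names changed; the useful part is that the three checks run against the same record set, so an account that is both unused and unprotected shows up as such rather than as separate tickets.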

Tom Hudson, Senior Security Engineer at the red-teaming provider Bishop Fox, noted that of UK businesses surveyed, only 11pc named penetration testing as part of their risk assessment activity. He said: “For many, not taking advantage of such a powerful tool is likely due to dealing with an overwhelming amount of ‘alert fatigue’ from defensive technologies, and the firehose of public vulnerability triage. This, combined with an incomplete picture provided by point-in-time tests, leaves a dangerous gap in understanding what weaknesses are most vulnerable, and how quickly attackers are adapting methods to circumvent defensive adjustments.

“Even those employing point-in-time tests are lacking a full understanding of attackers’ offensive mindset and what aspects of their environment are most attractive, and most exposed. Many have understood the need for continuous vigilance on the defensive side, and have deployed associated products and services. Forward leaning organisations have recognised the advantages of employing continuous offensive security methods, such as red teaming and penetration testing to validate that their assets are fortified against, and defensive posture is focused on, the most pressing risks.”

Miri Marciano, Associate Director at Boston Consulting Group, said: “Specifically, the cost-of-living crisis has led to an uptick in ransomware attacks such as phishing with the UK experiencing 310 security incidents between January and March this year. This can devastate a business and its processes and it’s important not to be naïve in this situation as cyber risks aren’t disappearing anytime soon.

“Organisations should prioritise developing cybersecurity capabilities to protect their business. With extensive use of cloud services, growth in connectivity and smart devices and the impact of geopolitical situations, businesses are more vulnerable than ever. Investing in recovery and restoration will be key going forward. It is not so much a matter of if but when.

“And with technology becoming more and more sophisticated with the emergence of GPT-4 and other AI technologies there will be more loopholes for criminals to run through, but this also means there will be cybersecurity tools and capabilities that can contribute to prevention. The key takeaway here is to be prepared now.”