Home Cyber Security The Cyber Security Breaches Survey 2024: Executive Summary
Cyber Security

The Cyber Security Breaches Survey 2024: Executive Summary

By Contributor CSM
By Contributor CSM Online

The Cyber Security Breaches Survey 2024

For an understanding of the current threat from cyber crime for UK PLC, we are including here the executive summary from the Cyber Security Breaches Survey 2024.

The Cyber Security Breaches Survey 2024 is a research study for UK cyber resilience, aligning with the National Cyber Strategy. It is primarily used to inform government policy on cyber security, making the UK cyberspace a secure place to do business.

The study explores the policies, processes and approach to cyber security, for businesses, charities and educational institutions. It also considers the different cyber attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond.

Cyber security breaches and attacks remain a common threat

  • Half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months.
  • This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).
  • By far the most common type of breach or attack is phishing (84% of businesses and 83% of charities).
  • This is followed, to a much lesser extent,by others impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).
  • Among those identifying any breaches or attacks, we estimate the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830. For charities, it was approximately £460.

There were some changes this year to the question that seeks to capture the overall incidence of cyber attacks and breaches. Due to these changes, it is not possible to make direct comparisons between 2023 and 2024.

Cyber hygiene

The most common cyber threats are relatively unsophisticated, so government guidance advises businesses and charities to protect themselves using a set of “cyber hygiene” measures. A majority of businesses and charities have a broad range of these measures in place. The most common are updated malware protection, password policies, cloud back-ups, restricted admin rights and network firewalls – each administered by at least seven in ten businesses and around half of charities or more.

Compared with 2023, the deployment of various controls and procedures has risen slightly among businesses:

  • using up-to-date malware protection (up from 76% to 83%)
  • restricting admin rights (up from 67% to 73%)
  • network firewalls (up from 66% to 75%)
  • agreed processes for phishing emails (up from 48% to 54%).

These trends represent a partial reversal of the pattern seen in the previous three years of the survey, where some areas had seen consistent declines among businesses. The changes mainly reflect shifts in the micro business population and, to a lesser extent, small and medium businesses.

Risk management and supply chains

Businesses are more likely than charities to take actions to identify cyber risks. Larger businesses (defined as medium and large businesses as opposed to smaller businesses that cover micro and small business) are the most advanced in this regard.

  • 31% of businesses and 26% of charities have undertaken cyber security risk assessments in the last year – rising to 63% of medium businesses and 72% of large businesses.
  • A third of businesses (33%) deployed security monitoring tools, rising to 63% of medium businesses and 71% of large businesses. The proportion was lower among charities (23%).
  • Around four in ten businesses (43%) and a third of charities (34%) report being insured against cyber security risks, rising to 62% of medium businesses and 54% of large businesses (i.e. cyber insurance is more common in medium businesses than large ones).
  • Compared with the 2023 survey, the proportion of businesses with some form of insurance has increased from 37% to 43%, while the proportion has remained stable among charities.
  • Just over one in ten businesses say they review the risks posed by their immediate suppliers (11%, vs. 9% of charities). More medium businesses (28%) and large businesses (48%) review immediate supplier risks.

The qualitative interviews suggest that organisations have an increasing awareness of the cyber security risks posed by supply chains. Despite this, organisations, particularly at the smaller end, tend to have limited formal procedures in place to manage cyber risks from wider supply chains.

Board engagement and corporate governance

Board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations. Levels of activity have remained stable compared with 2023.

  • Three-quarters of businesses (75%) and more than six in 10 charities (63%) report that cyber security is a high priority for their senior management. This proportion is higher among larger businesses (93% of medium businesses and 98% of large businesses, vs. 75% overall). The same is true for high-income charities (93% of those with income of £500,000 or more,vs. 63% overall).

The proportion that say cyber security is a high priority has remained stable since 2023, following an apparent decrease in prioritisation in 2023. The qualitative interviews suggest that, despite economic conditions, many organisations have continued to invest either the same amount or more in cyber security over the last 12 months. This is in part a response to the perceived increase in the number of cyber attacks and their sophistication.

  • Three in ten businesses and charities (both 30%) have board members or trustees explicitly responsible for cyber security as part of their job role – rising to 51% of medium businesses and 63% of large businesses. There has been no change in the overall figures since 2023.
  • 22% of medium businesses and 33% of large businesses have heard of the NCSC’s Board Toolkit, rising from 11% and 22% respectively in 2020 (when it was introduced).
  • 58% of medium businesses, 66% of large businesses and 47% of high-income charities have a formal cyber security strategy in place. The figures for both businesses and charities are higher than in 2023 with significant changes seen for medium businesses and charities.

Qualitative data shows a similar set of issues to previous years that prevent boards from engaging more in cyber security, including a lack of knowledge, training and time. It also highlights a contrast between more structured board engagement in larger organisations, compared with more informal approaches in smaller organisations, where responsibility was often passed onto external contractors.

Cyber accreditations and following guidance

The proportion of businesses seeking external information or guidance on cyber security has fallen since 2023. In addition, a sizeable proportion of organisations, including larger organisations, continue to be unaware of government guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard. Linked to this, relatively few organisations at present are adhering to recognised standards or accreditations.

  • Four in ten businesses (41%) and charities (39%) report seeking information or guidance on cyber security from outside their organisation in the past year, most commonly from external cyber security consultants, IT consultants  or IT service providers. The  figure for  businesses is lower than in 2023 (49%), while there has been no change among charities.
  • 13% of businesses and 18% of charities are aware of the 10 Steps guidance – rising to 37% of medium businesses and 44% of large businesses. Nevertheless, 39% of businesses and 32% of charities have taken action on five or more of the 10 Steps.

This is much more common in medium businesses (80%) and large businesses (91%). Just 3% of businesses and charities have enacted all 10 Steps, increasing to 14% of medium businesses and 27% of large businesses.

  • 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme, consistent with 2023 but representing a decline over the last 2-3 years.
  • Awareness is higher among medium businesses (43%) and large businesses (59%). Although only 3% of businesses and charities report adhering to Cyber Essentials, a higher proportion (22% of businesses and 14% of charities) report having technical controls in all five of the areas covered by Cyber Essentials.

Qualitative findings suggest the desire to seek external accreditation can be due to client demand, pressure from board members, a motivation to enforce a positive change in staff culture, and peace of mind for stakeholders.

Incident response

While a large majority of organisations say that they will take several actions following a cyber incident, in reality a minority have agreed processes already in place to support this. These findings are consistent with previous years.

The most common processes, mentioned by around a third of businesses and charities, are having specific roles and responsibilities assigned to individuals, having guidance on external reporting, and guidance on internal reporting.

  • Formal incident response plans are not widespread (22% of businesses and 19% of charities have them). This rises to 55% of medium-sized businesses, 73% of large businesses and 50% of high-income charities.

External reporting of breaches remains uncommon. Among those identifying breaches or attacks, 34% of businesses and 37% of charities reported their most disruptive breach outside their organisation. Many of these cases simply involve organisations reporting breaches to their external cyber security or IT providers and no one else.

The qualitative interviews highlighted several challenges organisations might face when dealing with cyber incidents. In smaller organisations, there was a strong reliance on DSPs for incident response, such as IT providers and cloud storage providers. This was linked with a lack of in-house expertise or capacity. In larger organisations, the challenges were often more related to a disconnect between IT or cyber teams and wider staff, including senior managers.

Cyber crime

  • An estimated 22% of businesses and 14% of charities have experienced cyber crime in the last 12 months, rising to 45% of medium businesses, 58% of large businesses and 37% of high-income charities.
  • Looked at another way, among the 50% of businesses and 32% of charities identifying any cyber security breaches or attacks, just over two-fifths (44% for businesses and 42% for charities) ended up being victims of cyber crime.
  • Phishing is by far the most common type of cyber crime in terms of prevalence (90% of businesses and 94% of charities who experienced at least one type of cyber crime).
  • The least commonly identified types of cyber crime are ransomware and denial of service attacks (2% or less of businesses and charities who experienced cyber crime in each case).

When removing phishing-related cyber crimes, we estimate that 3% of businesses and 2% of charities have experienced at least one non-phishing cyber crime in the last 12 months.

  • A total of 3% of businesses and 1% of charities have been victims of fraud as a result of cyber crime. The proportion is higher among large businesses (7%).
  • We estimate that UK businesses haveexperienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes in the last 12 months.
  • For UK charities, the estimate is approximately 924,000 cyber crimes of all types in the last 12 months. It should be noted that these estimates of scale will have a relatively wide margin of error.
  • The average (mean) annual cost of cyber crime for businesses is estimated at approximately £1,120 per victim (this excludes crimes where the only activity was phishing).

Extracted from The Cyber Security Breaches Survey 2024

www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024

Lead analyst, Maddy Ell

Responsible statistician, Saman Rizvi

Enquiries: cybersurveys@dsit.gov.uk

www.gov.uk

 

 

 

SHARE   0 comment
0
FacebookTwitterPinterestEmail
Avatar

City Security magazine is proud to work with contributors from across the security sector and beyond, including police forces, security associations, security providers, consultants and specialists who produce a range of varied and interesting content.

Related Articles

Are you compliant with the Product Security and...

A blended approach to preventing a cyber attack

Guarding against cyber threats: procuring cyber security from...

Offset labour market challenges in security with Strategic...

Fraudsters targeting businesses with Remote Access Scams

Cyber security – it’s not magic

The Little Media Series with Big advice helping...

The persistent menace of ransomware and four steps...

Artificial Intelligence – how to protect the world...

How the Product Security and Telecommunications Infrastructure Act...