Half of UK businesses reported cyberattack or breach in the last 12 months

Written by Mon 15 Apr 2024

A UK Government survey has found half of UK businesses have reported a cyberattack or security breach within the last 12 months.

In the Cyber security breaches survey 2024, the Government found this figure is much higher for medium businesses (70%) and large businesses (74%), with phishing topping the threat list, affecting 84% of businesses.

Impersonation followed phishing on the threat list at 35%, and malware at 17%. Ransomware and denial of service (DoS) attacks were the least commonly reported, each affecting 2% or fewer of businesses.

Around 22% of businesses have encountered cybercrime in the past year, with higher rates among medium and large businesses. Among those reporting cybersecurity breaches or attacks, around 44% of businesses were victims of cybercrime.

Estimates suggested that UK businesses have encountered around 7.78 million cybercrimes overall and roughly 116,000 non-phishing cyberattacks in the past year.

The Government said these estimates may have a margin of error and the statistics on cybercrime differ from those on cyber security breaches due to variations in legal definitions and reporting criteria.

Comparisons between 2023 and 2024 data are impossible due to changes in survey questions aimed at enhancing data reliability, with the 2024 data still considered experimental.

Organisations Lack Cyberattack Incident Response

The Government found that while most organisations intend to act following a cyber incident, the reality is that only a minority have established processes in place to support such actions, consistent with previous years.

Common processes include assigning specific roles and responsibilities to individuals and providing guidance on external and internal reporting. These processes were mentioned by around a third of businesses.

Del Heppenstall, Partner and Head of Cyber at accounting organisation KPMG, said it is concerning to see how many organisations fail to review the security risks posed by their immediate suppliers, particularly in the wake of several high-profile breaches at third-party providers of solutions and services.

“Almost every organisation relies on a complex web of suppliers, vendors, and partners to provide services to their business and customers. Therefore, they should prioritise monitoring and assessing the performance and security posture of third parties and address any security issues or gaps as a matter of urgency,” said Heppenstall.

Only 22% of businesses have formal incident response plans, but medium and large businesses tend to have higher adoption rates.

External breach reporting is rare, with only a third of businesses disclosing their most disruptive breaches beyond their organisation. Typically, organisations only report breaches to their external cyber security or IT providers.

Qualitative interviews revealed that smaller organisations heavily rely on Digital Service Providers (DSPs) for incident response due to a lack of in-house expertise or capacity.

In contrast, larger organisations struggled with a disconnect between IT or cyber teams and wider staff, including senior managers.

Chris Roeckl, CPO at mobile app defence platform Appdome, said the report underscored the need for heightened vigilance and for organisations to counteract social engineering tactics decisively.

“The brand damage and financial repercussions of these attacks on businesses are staggering, costing billions in investigations, remediation, refunds, and potential regulatory penalties. The personal emotional pain and financial loss to victims can be tremendous,” said Roeckl.

Government Advises Cyber Hygiene Measures

The Government has recommended businesses protect themselves from ‘relatively unsophisticated’ common cyber threats using a set of cyber hygiene measures.

The most common cybersecurity measures include updated malware protection, password policies, cloud backups, restricted admin rights, and network firewalls. Each of these measures is implemented by at least 70% of businesses.

Compared to 2023, there has been a slight increase in the deployment of various controls and procedures among businesses: the usage of up-to-date malware protection has risen from 76% to 83%, restricting admin rights has increased from 67% to 73%, network firewalls have gone up from 66% to 75%, and agreed processes for handling phishing emails have increased from 48% to 54%.

Boards Engage with Cybersecurity

The UK Government said board engagement and corporate governance practices regarding cybersecurity are more advanced in larger businesses, with activity levels remaining consistent with 2023.

Cybersecurity is also deemed a high priority by 75% of businesses, particularly in larger ones. The Government also found that many organisations have sustained or increased investment in cybersecurity in response to the rise in cyberattacks and their complexity.

Around three in ten businesses have board members or trustees specifically responsible for cyber security, with higher rates in medium and large businesses. Awareness of resources like the NCSC’s Board Toolkit has increased among medium and large businesses since its introduction in 2020.

Formal cyber security strategies are more prevalent in medium and large businesses, with significant increases since 2023.

Businesses Seeking Cyber Guidance Fall Since 2023

Businesses seeking external cyber security guidance have declined since 2023, with many unaware of Government cyber security guidelines. The Government added that few businesses currently adhere to recognised standards.

Nearly half (41%) of businesses sought external guidance in the past year, primarily from consultants or IT service providers, down from 2023.

This figure surprised Tom Henson, Managing Director at managed IT services provider Emerge Digital, who said this number should be 100%.

“Seeking advice is the first step in improving cybersecurity, and the fact that more than half of UK businesses are yet to take this step is concerning,” said Henson.

Awareness of the 10 Steps to Cyber Security guidance is low, with just 13% of businesses familiar with it. However, a significant proportion of medium and large businesses have acted on five or more of the ten steps.

Only 12% of businesses are aware of the Cyber Essentials scheme. However, a greater proportion of medium and large businesses claim to have technical controls in all five areas covered by Cyber Essentials.

The Government added that qualitative data indicated that organisations pursue external accreditation due to client demand, board pressure, efforts to cultivate staff culture, and to provide reassurance to stakeholders.

Last month, a Microsoft and Goldsmiths University report found that only 13% of UK businesses are resilient to cyberattacks. The report, titled Mission Critical: Unlocking the UK AI Opportunity Through Cybersecurity, said to become an artificial intelligence (AI) superpower, the UK must maintain its position as a cybersecurity superpower.

Security Business Group Director at Microsoft, Paul Kelly, said cybercriminals are ‘tooling up’ with AI to increase the sophistication and intensity of their attacks.
