Identification of cyber security breaches and attacks
Cyber security breaches and attacks remain a common threat. However, smaller organisations are identifying them less than last year. This may reflect that senior managers in smaller organisations view cyber security as less of a priority in the current economic climate than in previous years, so are undertaking less monitoring and logging of breaches or attacks.
- 32% of businesses and 24% of charities overall recall any breaches or attacks from the last 12 months. This is much higher for medium businesses (59%), large businesses (69%) and high-income charities with £500,000 or more in annual income (56%).
- This is a decrease from 39% of businesses and 30% of charities in 2022. The drop is driven by smaller organisations – the results for medium and large businesses, and high-income charities, remain at similar levels to last year.
- Among those identifying any breaches or attacks, we estimate that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. For medium and large businesses, this was approximately £4,960. For charities, it was approximately £530.
- The proportion of micro businesses saying cyber security is a high priority has decreased from 80% in 2022 to 68% this year. Qualitative evidence suggests that cyber security has dropped down the priority lists for these smaller organisations, relative to wider economic concerns like inflation and uncertainty.
The most common cyber threats are relatively unsophisticated, so government guidance advises businesses and charities to protect themselves using a set of “cyber hygiene” measures. A majority of businesses and charities have a broad range of these measures in place. The most common are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls – each in place at two-thirds or more of businesses and half or more of charities. However, across the last three waves of the survey, some areas of cyber hygiene have seen consistent declines among businesses. This includes:
- use of password policies (79% in 2021, vs. 70% in 2023)
- use of network firewalls (78% in 2021, vs. 66% in 2023)
- restricting admin rights (75% in 2021, vs. 67% in 2023)
- policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).
These trends mainly reflect shifts in the micro business population and, to a lesser extent, small and medium businesses – large business results have not changed.
Risk management and supply chains
A larger proportion of businesses take actions to identify cyber risks than charities. Larger businesses are the most advanced in this regard. For the first time, the majority of large businesses are reviewing supply chain risks, although this is still relatively rare across organisations overall.
- Three in ten businesses have undertaken cyber security risk assessments (29%, vs. 27% of charities) in the last year – rising to 51% of medium businesses and 63% of large businesses.
- A similar proportion of businesses deployed security monitoring tools (30%, vs. 19% of charities) – rising to 53% of medium businesses and 72% of large businesses.
- Under four in ten businesses (37%) and a third of charities (33%) report being insured against cyber security risks – rising to 63% of medium businesses and 55% of large businesses (i.e. cyber insurance is more common in medium businesses than large ones).
- Just over one in ten businesses say they review the risks posed by their immediate suppliers (13%, vs. 11% of charities). More medium businesses (27%) and large businesses (55%) review immediate supplier risks. The latter result is up from 44% of large businesses in 2022.
- Qualitative data suggests that receiving messaging around supply chain risks from bodies such as the National Cyber Security Centre (NCSC), or having the topic raised in audits, helps encourage organisations to take action in this area.
Board engagement and corporate governance
Board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations, although corporate reporting of cyber risks remains relatively uncommon, even among large businesses.
- Three in ten businesses (30%) and charities (31%) have board members or trustees explicitly responsible for cyber security as part of their job role – rising to 41% of medium businesses and 53% of large businesses.
- 21% of medium businesses and 30% of large businesses have heard of the NCSC’s Board Toolkit (https://www.ncsc.gov.uk/collection/board-toolkit) – rising from 11% and 22% respectively in 2020 (when it was introduced).
- 49% of medium businesses, 68% of large businesses and 36% of high-income charities have a formal cyber security strategy in place. Qualitative data suggests the impetus to develop strategies can come from management board pressure, audits and business acquisition. It can also coincide with cyber teams gaining operational independence, for example from IT departments.
- In the last year, 16% of corporate annual reports across medium businesses covered cyber risks, rising to 33% of the reports published by large businesses. Across charities (of all income groups), 9% of these reports covered cyber risks.
- Qualitative data shows a similar set of issues to previous years that prevent boards from engaging more in cyber security, including a lack of knowledge, training and time. It also highlights the importance of people in cyber roles being able to write persuasive business cases for cyber security spending, especially when they report directly to finance leads.