Cyber attacks and related incidents at UK organisations continue their seemingly unstoppable upward trajectory, with new statistics from the Department for Digital, Culture, Media and Sport (DCMS) today revealing that 31% of businesses and 26% of charity organisations now experience incidents on a weekly basis.
The data, contained in the annual Cyber security breaches survey report, paints a stark picture of the scale of the threat facing the average organisation, and the urgent need to boost standards and defences.
“It is vital that every organisation takes cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk,” said cyber minister Julia Lopez.
“No matter how big or small your organisation is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online.”
Some 20% of businesses and 19% of charities said they had experienced a negative outcome as a direct consequence of an attack. The average cost of an attack, spread out across all organisations, now works out at £4,200, or £19,400 if only medium and large businesses are considered, although there is probably a vast amount of under-reporting, so the true figures are certainly higher.
Meanwhile, 35% of businesses and 38% of charities said they had experienced some kind of negative impact during the incident, such as service downtime.
The most impactful forms of cyber attack experienced in the UK were simple phishing attempts, cited by 83% of the 39% of UK businesses that identified an attack. More sophisticated attacks, which in DCMS’s metrics include denial of service, malware or ransomware hits, were seen in 21% of cases.
Note that phishing attacks, if successful, will usually be a precursor to a more serious incident, such as ransomware, highlighting the importance of addressing phishing in cyber risk assessments and training initiatives.
In terms of incident management, just 19% of businesses told DCMS that they had a formal incident response plan in place, while 39% had assigned roles should an incident happen. The survey did, however, identify very clear evidence of a strong reactive approach to incidents, with the vast majority saying they would both inform the board and make an assessment of the attack, should one occur.
In terms of risk management, just over half, 54%, of businesses said they had acted in the past 12 months to identify risk, covering a range of potential actions, of which implementing security monitoring tools was the most common. However, this figure was actually down from a high point of 64% in 2020.
In terms of following guidance on cyber hygiene, the DCMS report found that 49% of businesses and 40% of charities had taken action against at least five of the 10 components contained in the official National Cyber Security Centre (NCSC) 10 steps to cyber security guidance, with identity and access management (IAM) surveyed most favourably, and supply chain security the least.
Of those that do outsource some part of their IT or security to a third-party supplier – which is almost 60% of organisations in the UK – the survey found that just 13% had assessed the risks of doing so, and most tended to think that security was not a particularly important factor in the procurement process. Multiple recent high-profile breaches have shown that this is absolutely not the case.
UK organisations did tend to do better at engaging their leadership on security issues, with 82% of board members or senior managers rating security as either “very” or “fairly” high priority, up 5% on 2021. Half of businesses and 42% of charities said they updated their board on cyber security matters at least quarterly, with this figure increasing with the size of the organisation.
Finally, on external engagement on cyber security, leaving aside security suppliers and managed services providers (MSPs), organisations in the UK tend to engage most keenly with insurers, with 43% of businesses now having an insurance policy that covers risk. However, awareness of the NCSC’s work and its potential to assist remained disappointingly low, with only 6% having obtained its Cyber Essentials certification, and 1% obtaining Cyber Essentials Plus.
DCMS said the government was still aiming to strengthen the cyber resilience of critical businesses by updating the Network and Information Systems (NIS) Regulations – among other things, bringing MSPs in scope – which it is hoped will raise standards more widely. It added that it has prioritised protecting UK organisations with £2.6bn of funding through the National Cyber Strategy, investing in key areas such as security skills and supply chains.