Brian Jackson - stock.adobe.com

UK’s cyber resilience stagnates as more fall victim to attacks

The government is calling on businesses to ramp up their cyber protections as study shows improvements to resilience are stagnating amid an ever-growing volume of attacks

Three-quarters of medium and large enterprises in the UK, and four-fifths of high-income charities, have experienced some form of cyber security incident in the past 12 months, but improvements to overall cyber resilience appear to be stagnating, with economic headwinds and high inflation leading to less overall investment, the government has warned.

In a report published today – the third wave of an ongoing security review, the Cyber Security Longitudinal Survey (CSLS), that began in 2022 – the Department for Science, Innovation and Technology (DSIT) called on organisations to do more to ramp up their security protections.

Since the first running of the CSLS survey, there have been clear improvements across the board but as the report data shows in many areas, the numbers went up more between 2022 and 2023 than they did over the past 12 months.

“The UK is making remarkable progress in cementing our status as a key global player in cyber. Our cyber sector continues to generate unprecedented employment and business opportunities, but we know that there are still a host of challenges and risks that we cannot ignore,” said cyber minister Viscount Camrose.

“This is why I am calling on organisations of all sizes to step up their cyber security plans to guard against threats, protect their customers and workforce, and our wider economy.

“We are working shoulder to shoulder with industry to ensure organisations have a robust plan of action to tackle these threats head-on. From a code to help leaders toughen up cyber protections to up-skilling the workforce so businesses have in-house expertise, these government-backed measures can support organisations to safely unlock the potential digital technologies offer,” he said.

The report said organisations had clearly improved their resilience since Wave One of the CSLS in 2022, however to keep pace, more robust safeguards are needed to address emerging cyber risks. Among the safeguards many appear not to be implementing are appropriate incident response and recovery plans, and addressing employees’ security awareness and basic skills.

As an example, in Wave Three, 85% of business respondents said that they had taken steps to improve their cyber security in the past 12 months, an identical proportion to Wave Two, but up from 79% in Wave One. Qualitative interviews with some of the respondents revealed that many struggled to maintain the pace of change, accentuated by changes in the wider economic environment. This said, there were outlying areas of significant improvement, notably in take-up of cyber insurance.

The picture also improved among larger businesses, which were more likely to have appropriate risk management documentation available, to have adopted staff training, to adhere to accreditations such as the National Cyber Security Centre’s (NCSC’s) Cyber Essentials and Cyber Essentials Plus, and ISO 27001, and to be investing in patch management, user monitoring, and supply chain risk. Larger organisations, with greater access to resources, are clearly better able to maintain ongoing development of their cyber postures.

Areas of improvement

The report also set out areas where significant improvements need to be made in a hurry. In particular, too many organisations, especially charities, are lax when it comes to letting staff access work systems on personal devices, and very few businesses and charities properly assess their suppliers’ resilience.

Additionally, too few overall are attaining Cyber Essentials certification, or any kind of standard, and less than half are bothering to use the NCSC’s wider guidance. Nor do many seem inclined to use cutting edge solutions embracing artificial intelligence (AI), although given the wider conversation around AI’s use and abuse in security, this caution may be warranted.

“Some of these figures are scarcely believable, but as a government-controlled longitudinal survey, these may be some of the most realistic cyber security survey figures ever obtained in the UK,” said Andy Kays, CEO of Socura, a managed detection and response (MDR) and security operations centre (SOC) specialist.

“While other surveys may skew towards positive and sensational results, tracking the same 1,000 businesses over several years shows the grim reality that many UK businesses are not prioritising cyber security, or are making changes to their security posture at a glacial pace. 

“In the last year, only half of UK board members have had security training, only a quarter of businesses are assessing suppliers for possible security risks, and a fifth of UK boards failed to discuss cyber security even once. Only 17% of businesses are Cyber Essentials certified, which is one of the lowest bars for measuring security best practice. These figures are all far from perfect. 

“In a way, the most positive statistic in the whole survey is the fact that more than half of UK businesses say they rely on external consultation for security. Their reliance on trusted third-party security service providers and vendors may be a factor in the generally poor standards of internal security development.”            

Incident prevalence

In the past 12 months, the most commonly experienced form of cyber incident for both business and charity organisations was the receiving of fraudulent emails or attachments (often a precursor to something more sinister), observed at 70% of businesses and 74% of charities. People impersonating the organisation in emails or online was also frequently seen, in 43% of businesses and 28% of charities.

However, the proportion of damaging cyber attacks remained lower, with attempted hacking of websites, social media or user accounts affecting 15% of businesses and 18% of charities; malware infections affecting 12% and 10%; insider incidents affecting 6% and 5%; and attacks intended to slow or takedown websites or services, such as DDoS attacks, 8% and 7%. Incidents beyond phishing attempts were more likely to affect larger organisations.

In terms of attack volumes, 26% of businesses and 27% of charities saw attacks roughly once a month, 12% and 17% roughly once a week, 5% and 4% daily, and 10% and 7% several times every day.

However, most said they did not experience serious consequences, with around 23% of businesses and 24% of charities negatively affected, consistent with previous runnings of the study. The most commonly observed effects were temporary loss of access to files and networks, disruption to websites, apps and services, or compromised accounts used for dodgy purposes. Again, the larger the organisation, the more significant the impact.

In terms of financial costs, where they were incurred, the mean cost of a security incident across all businesses was £2,718, rising to £4,993 for the largest, and £2,583 for charities. For those that identified incidents with an outcome, these costs rose significantly, to £7,187, £12,273 and £6,932.

Read more about cyber investment

  • Cyber security services and technology will once again be the focus of major investment across EMEA during 2024, according to the latest Technology Spending Intentions study from TechTarget and ESG.
  • The cyber security function isn’t a back office team that is never seen and never heard. To truly protect the company, cyber security touches every corner of the business, and it starts from the top.
  • Highly publicised cyber attacks and growing regulatory obligations are keeping security and risk top of mind for Australian organisations this year, says Gartner.

Read more on Business continuity planning

CIO
Security
Networking
Data Center
Data Management
Close