The Department for Science, Innovation and Technology has recently released the official Cyber Security Breaches Survey of 2023.
The report informs government policy on cyber security whilst educating organisations on current threats, and how they can best protect themselves from attacks. This year’s report explores the policies, processes and approaches of modern cyber security, alongside the different cyber attacks and crimes that businesses, charities and educational institutions are facing.
What are the key findings?
1. Identification of threats
The percentage of businesses and charities that experienced a breach last year dropped to 32% and 24% respectively, from the previous year’s figures of 39% and 30%. A key factor which impacted these figures is a lack of cyber security awareness and monitoring from senior managers, an issue which has been prioritised less due to the uncertain economic climate. The majority of cyber attacks are relatively easy to identify and therefore prevent; accordingly, the government has recommended that businesses create and implement a set of ‘cyber hygiene’ measures. Popular and effective methods of maintaining ‘cyber hygiene’ include malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls, all of which are critical steps to ensure cyber security. However, some methods have seen steady declines over the years, particularly password policies (down 9%), network firewalls (down 12%) and restricting admin rights (down 8%).
2. Cyber hygiene
The cyber security survey reveals that larger organisations consistently commit to identifying risks within their supply chain. However, these security reviews are still scarce overall, with only 3 out of 10 businesses carrying out a cyber security risk assessment last year. According to qualitative data, communications from the National Cyber Security Centre around supply chain risks encourage businesses to give greater priority to assessing their supply chains.
3. Board engagement
Only 3 in 10 businesses and charities have board members or trustees explicitly responsible for cyber security, showing that a lack of cyber preparedness from boards and corporate governance is prevalent throughout the cyber security survey findings. Qualitative data highlights the challenges which prevent boards from prioritising cyber security, such as a lack of knowledge, training and time (factors that have often been reported in previous years).
4. Accreditation & guidance
Approximately half of organisations are seeking external information and guidance on cyber security, consistent with the previous year’s cyber security findings. However, this figure reveals that a large proportion of organisations are not adhering to cyber standards or accreditations, and are therefore unaware of the systems and actions they can take to prevent and defend against cyber attacks. Concerningly, government guidance such as 10 Steps to Cyber Security and the Cyber Essentials Standard is unknown to a large proportion of businesses.
A large proportion of businesses claim they will carry out set processes after a cyber attack, yet only 21% of businesses and 16% of charities have formal incident response plans. Qualitative data suggests that this issue could be tackled through better communication between the IT/cyber teams and the wider organisation regarding cyber security awareness and incident response. Educating wider teams and providing post-incident reviews can address the disconnect between these teams, improve cyber hygiene and increase wider engagement in cyber security.
6. Cyber crime
The DSIT estimates that around 2.39 million instances of cybercrime were committed in the last 12 months, along with 49,000 instances of fraud resulting from that cybercrime. It is reported that around 785,000 cybercrimes were committed against charities in this same period; however, the DSIT highlights that these estimates of scale will have a relatively wide margin of error due to the sample size.
The cyber security survey presents evidence of underreporting across the board, with a total of 11% of businesses experiencing cybercrime in the last 12 months, rising to 37% for large businesses and 25% for high-income charities. Another way of looking at these statistics is that around a third of businesses/charities that identified cyber security breaches or attacks went on to become victims of cybercrime.
Important context for the UK cyber security breaches survey
It’s important to note that the economic climate during this cyber security survey has resulted in businesses facing financial uncertainty and rising inflation and energy costs. With this in mind, cyber security may not have been prioritised as highly; during qualitative interviews, multiple businesses cited ‘wider issues’ as the main reason cyber hygiene measures were reduced.
The report emphasises that micro and small businesses have shown a lack of prioritisation of cyber security, a reduction in cyber hygiene measures and a lack of identification of cyber security breaches, more so than medium and large businesses.
The shift to widespread hybrid working, combined with a decline in restricted-access, business-owned devices, has contributed largely to a common challenge for organisations: identifying and managing cyber breaches/attacks. This factor has therefore impacted businesses’ ability to accurately report the number of cyber incidents they experienced over the last 12 months.
What are the key takeaways from this year’s UK cyber security breaches survey?
- Given that most breaches and cyber attacks are a result of phishing attacks, it is critical that there is consistent, two-way communication between IT/cyber teams and the wider staff of an organisation. Ensuring that users can recognise suspicious activity and have the initiative to report it to the relevant IT/cyber teams is essential in reducing human-error-related issues.
- Integrating a cyber security policy which elevates and merges with any current policies and procedures will aid organisations in their approach to managing unexpected cyber breaches/attacks.
- The cyber security survey finds that there is a severe lack of SMEs reviewing any cyber risks in their supply chain, exposing a key vulnerability in their preparedness for a cyber attack. Information and guidance from trusted sources such as the NCSC map out the steps that businesses can take to secure their supply chain.
- Many directors/trustees may be aware of cyber security threats, but there can also be a lack of guidance on how their role should navigate cyber incidents. Curating a formal incident response plan will outline a range of actions that can be taken, ensuring organisations take all necessary measures.
Want to know how we can help you improve your cyber security posture?
This report ultimately finds that it is essential for SMEs to have reliable and comprehensive IT and security support that can help them navigate and mitigate modern security risks.
At Stripe OLT, we’ve made it our mission to provide security-first IT services, underpinned by cutting-edge Microsoft cloud and security technologies.