The Cyber Security Breaches Survey is a research study for UK cyber resilience. It is primarily used to inform government policy on cyber security. The study explores the policies, processes and approach to cyber security, for businesses, charities and educational institutions. It also considers the different cyber-attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond. 

The survey itself runs to around 84 pages, which you are free to read here. However, if, like many of us, you're looking for a summary, we've tried to condense as much as we can into this article. Here are just some of the key takeaways.

Cyber attacks

Cyber attacks remain a common threat, with half of businesses experiencing some kind of attack in the last year. This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%). It is apparent that larger businesses are more likely to identify breaches or attacks than smaller ones.

Attack type

Phishing is by far the most common type of cyber attack with 84% of businesses attacked. The next most common is impersonation of the organisation or staff in emails/online with 35% of businesses being affected. This is followed by targeting with other malware like viruses or spyware (17% of businesses).

Frequency and impact

Over half of attacked businesses experienced cyber attacks at least once a month or more frequently. Despite this frequency, only a minority experience negative outcomes resulting in financial or informational losses, indicating that a large proportion of attacks are unsuccessful.

Cost of attacks

The average cost incurred from the most disruptive attack is £6,940 for a business of any size, around £40,400 for medium and large businesses, and approximately £1,850 for charities (excluding attacks without an outcome). For most breaches or attacks, organisations do not identify any material outcome and so no loss of assets or data. 

Cyber crime

An estimated 22% of businesses were victims of at least one cyber crime, as defined by the Computer Misuse Act, in the last 12 months. Similar to cyber attacks, this was higher in larger businesses and high-income charities. It is estimated that UK businesses experienced a total of around 7.78 million cyber crimes of all types and 116,000 non-phishing cyber crimes in the last 12 months.

Cyber hygiene

A range of basic hygiene measures like malware protections, password policies and network firewalls are in place at most businesses and charities. This shows an improvement in what was a 3-year decline in the adoption of such measures. But cyber accreditations like Cyber Essentials see a much lower uptake, with only around 1 in 10 businesses and charities aware of this scheme. If you need more information on this, we can help. 

Board engagement

Three-quarters of businesses and over 60% of charities say cyber security is a high priority for senior management, while 30% of both have board members responsible for cyber security. This responsibility is more common in larger businesses. Qualitative data show boards often lack skills, training and time to engage more in cyber security.

Size differential

Larger businesses have more advanced practices across risk management, strategies, incident response plans and other areas. Higher proportions of them experience attacks, but higher proportions also report each measure for responding to the risks they face.

Risk management

31% of businesses and 26% of charities have done cyber risk assessments in the last year, rising to 63% of medium and 72% of large businesses. 33% of businesses use security monitoring tools (63% of medium and 71% of large businesses), compared with 23% of charities.

Outsourcing and supply chains

43% of businesses have an external cyber provider, and these are mostly small (56%) or medium (66%) businesses. Only just over 1 in 10 businesses review risks posed by their immediate suppliers. Qualitative data show informal management of supplier risks.

Incident management

One-fifth of businesses (22%) have incident response plans, rising to 55% of medium businesses, 73% of large businesses and half of high-income charities. Challenges include smaller organisations’ lack of expertise and disconnects between technical teams and wider staff, including senior management.

External engagement

Around 40% of businesses and charities have sought cyber information externally, most commonly from IT providers rather than official guidance. But this figure has declined, as has awareness of government campaigns like Cyber Aware (now 25% for businesses) and guidance like Cyber Essentials (12% for businesses).

At Bridgeall we have a wide range of experience working across a full range of technology solutions to protect you against these threats. We believe in a multi-layer defence and recovery strategy to ensure your business can feel safe. If you’d like more information about keeping your business secure see our full range of services here or contact our team who can help.