The Cyber Security Breaches Survey, an annual research study into UK cyber resilience that aligns with the National Cyber Strategy, was published in April 2024. The primary use of the survey is to inform government policy on cyber security, and as the spectrum of cyber threats grows, its importance increases greatly. The survey explores how businesses, charities and educational institutions approach cyber security, considering the different cyber attacks and cyber crimes organisations face, as well as how organisations are impacted and respond.
To gather the data, the authors undertook a random probability telephone and online survey of 2,000 UK businesses, 1,004 UK registered charities and 430 education institutions from 7th September 2023 to 19th January 2024. The quantitative data throughout the Survey underscores the pervasive nature of cyber security breaches, with a significant portion of businesses and charities falling victim to various forms of attacks. Among these, phishing stands out as the most prevalent, affecting a staggering 84% of businesses and 83% of charities. This is followed by impersonation attacks and malware infections, albeit to a lesser extent. Such breaches not only compromise sensitive data but also come with a financial toll, with an average cost per victimised business estimated at approximately £1,205. Among businesses, there has been a shift in the proportion saying cyber security is a “fairly” high priority, from 35% of businesses last year to 40% this year.
It’s important for organisations to have good cyber hygiene and to utilise government guidance and government-backed schemes to fortify defences against common threats. Encouragingly, a majority of businesses and charities have adopted these practices, including updated malware protection, password policies and network firewalls. Nonetheless, the methods that cyber criminals use are constantly changing, so the need for vigilance and adaptation is key.
In our increasingly interconnected digital world, the integrity of supply chains emerges as a critical concern. While businesses are increasingly cognisant of cyber risks, particularly larger enterprises, formal procedures to manage these risks from wider supply chains remain limited, especially amongst smaller organisations. The Survey states that suppliers can pose various risks to an organisation’s cyber security, for example:
Just over one in ten businesses say they review the risks posed by their immediate suppliers (11%) and under one in ten are looking at their wider supply chain (6%). Among charities, the figures are slightly lower (9% look at their immediate suppliers and 4% at their wider supply chain). Even with a substantial budget and a dedicated person or team for cyber security, all efforts could be nullified by a supplier lacking awareness of cyber security and lacking proactive measures. Securing the top 1% of UK companies, government departments and Critical National Infrastructure (CNI) requires bolstering the security of the remaining 99%, as they represent crucial links in the supply chain. This is where our OpAudit system emerges as invaluable, providing full visibility into compliance in one configurable platform and fortifying organisations against potential vulnerabilities in their supply chains. Lifting the minimum standard of cyber security for supply chains is one of our main missions at Pervade, and through our work on Cyber Essentials and the Police CyberAlarm scheme, we are able to help thousands of organisations every year.
The role of senior management and corporate governance in fostering a cyber-resilient culture cannot be overstated. Promisingly, a significant proportion of businesses and charities prioritise cyber security at the board level. However, challenges persist, ranging from lack of knowledge and training to a disconnect between IT teams and senior management. It’s more common for larger businesses to prioritise cyber security and the same is true when it comes to high-income charities. This pattern has been seen throughout the surveys from 2020 to now, where larger organisations typically treat cyber security more seriously and consequently allocate more resources to it. Due to budget cuts, many smaller organisations are left with little to no funds to allocate to cyber security, leaving them more vulnerable to attack. There are, however, solutions such as Police CyberAlarm, a free tool provided by local police forces and funded by the Home Office, which helps organisations monitor and report suspicious cyber activity they face.
External reporting of breaches remains uncommon, further complicating efforts to combat cyber crime effectively. This year, among those identifying attacks or breaches, a third of businesses (34%) and almost two-fifths of charities (37%) reported their most disruptive breach outside their organisation. Among the charities and businesses that didn’t report their most disruptive breach or attack, the most common reason given was that it wasn’t considered significant enough to warrant reporting (for 68% of both businesses and charities). After this, the most common reasons are:
It’s clear from the above stats that there is still the need for further education on breaches and how they are reported. A large proportion of organisations don’t fully understand the severity of cyber breaches or the potential consequences of underreporting. They may underestimate the impact of breaches on their operations, finances, and reputation. Time and time again, we read media articles detailing the devastating effects of cyber attacks on organisations across various sectors. From hospitals struggling to provide patient care due to compromised systems, to logistics companies facing disruptions in supply chains, and even schools being forced to close - the repercussions are far-reaching and profound.
Overall, the survey underscores that most businesses and charities have implemented various measures to safeguard against cyber threats. However, as cyber attacks grow in frequency and sophistication, it’s imperative for organisations to remain vigilant and continually enhance their cyber defences.
Our software solutions can be used as a standalone software product or as the basis for launching your own services. Below are examples of some of the projects which our solutions help to enable.
OpView™ is used to enable this excellent free monitoring and vulnerability scanning service delivered by UK Police Forces.
OpAudit™ is used to enable the online assessment of applications for the Cyber Essentials Certification throughout the UK.