In early April this year, the UK's Department for Science, Innovation and Technology (DSIT) released its Cyber Security Breaches Survey 2024. It provides a comprehensive overview of the UK's cybersecurity landscape, exploring the different cyberattacks and cybercrimes that businesses, charities, and private-sector educational institutions face, the impacts on these organizations, and how they respond.
The report is a valuable resource for the cybersecurity community. It serves as a sort of cybersecurity "State of the Nation" and provides detailed insight into cybercrime's impact on the UK.
Unfortunately, the survey confirms what most of us already know: cybersecurity in the UK is far from where it needs to be. But hopefully, this report and others like it will help change that. So, without further ado, let's dive in.
The Scale of the Problem
The report, as one might expect, confirms that cybersecurity breaches and cyberattacks are an extremely pressing issue for the UK. 50% of businesses and 32% of charities experienced some form of cybersecurity breach or attack in the last 12 months.
But that's not to say all organizations face the same level of risk: a far larger proportion of medium businesses (70%), large businesses (74%), and high-income charities with £500,000 or more in annual income (66%) experienced a cybersecurity breach or attack in 2023 than their smaller counterparts.
Phishing Remains the Top Threat
Predictably, phishing was by far the most common type of breach or attack in 2023: of the organizations that identified any breach or attack, 84% of businesses and 83% of charities reported experiencing phishing. Phishing scams are relatively easy to create and distribute on a massive scale, especially now that cybercriminals can use large language models such as ChatGPT to craft error-free copy, which likely contributes to their frequency across 2023.
Remarkably, however, despite the vast majority of affected organizations experiencing a phishing scam in 2023, only 54% of businesses have agreed processes for handling phishing emails. Granted, this figure did rise by six percentage points from the previous year, but it's still concerning that so many organizations are woefully unprepared for even the most common, basic cyberattacks.
This lack of preparation is particularly concerning in light of the report's qualitative evidence. It's clear from the report's interviews with senior leadership that phishing scams are becoming more sophisticated. One head of IT said they "had [experienced] a couple of unusual [phishing scams] where [cybercriminals] actually spoofed the website, the branding, the person brilliantly. But then the general wording of the email just [didn't] read right."
Supply Chain Risks
61% of medium and 72% of large businesses reported undertaking a cybersecurity risk assessment last year. Similarly, 63% of medium and 72% of large businesses deployed security monitoring tools in the past year.
While we'd like to see these percentages higher than they currently are, at first glance they are not an immediate cause for concern. That changes when we look at the broader picture: overall, only 31% of businesses undertook a cybersecurity risk assessment in 2023, while a mere 33% deployed security monitoring tools.
One could be forgiven for not seeing the issue here. We know smaller businesses identify far fewer cyberattacks than their larger counterparts, so it's understandable that they wouldn't run risk assessments or deploy security monitoring tools at the same rate, right?
The problem is that smaller businesses often form part of larger supply chains, and cybercriminals frequently compromise a smaller supplier as a route into the larger organization it serves. This issue is compounded when we look at how prepared organizations are to deal with supply chain risk: only around one in ten businesses (11%, vs. 9% of charities) say they review the risks posed by their immediate suppliers. The figures are higher for medium businesses (28%) and large businesses (48%), but even among large businesses fewer than half review the risks posed by their immediate suppliers.
Paradoxically, the report's qualitative interviews suggest that organizations are increasingly aware of the cybersecurity risks posed by supply chains, despite most of them, especially at the smaller end, failing to take any formal action to mitigate them. If this doesn't change in 2024, we will likely see a significant uptick in supply chain attacks in the UK.
How Cybersecurity is Perceived
Encouragingly, three-quarters of businesses (75%) and more than six in ten charities (63%) report that cybersecurity is a high priority for their senior management, more than last year. Similarly, the qualitative findings suggest that organizations are more aware of the risks of not prioritizing cybersecurity, which could explain the increase in businesses rating it as a high priority this year. However, cybersecurity has moved even further down the agenda for businesses that already viewed it as a marginal priority and for those with the fewest resources.
Businesses in the following sectors tend to treat cybersecurity as a higher priority than others:
- information and communications (65% say it is a "very" high priority)
- finance and insurance (61% say it is a "very" high priority)
- health, social care, and social work (62% say it is a "very" high priority).
Worryingly, despite widespread concern that geopolitical tension could result in more attacks on the farming industry, businesses in the agriculture sector tend to regard cybersecurity as a lower priority than those in other sectors (59% say it is a high priority, vs. 75% of businesses overall). This lack of preparation could result in the farming industry taking a significant hit from cybercrime in the coming year.
Overall, the report is a mixed bag. It includes some reasons to be cheerful and some cause for concern. However, this is true of every one of these reports: the important thing is that organizations take notice of the results and adjust their cybersecurity programs accordingly. If they don't, 2024 could be a very tough year.
To find out how you can bolster your security posture, book a demo of Tripwire’s Security Configuration Management Software (SCM) today.