Released on April 9th, 2024, this year’s cyber security breaches report from the UK government makes for interesting reading. Report available here.
One of the primary statistics is the proportion of companies that suffered a breach – a glimpse into how widespread this problem is.
Changes to the 2024 report make direct breach and attack comparisons with 2023 impossible, but the findings show that half of businesses suffered some form of cyber breach. This is a concerning number, and it gets worse for bigger businesses (70% for medium-sized organisations and 74% for larger ones).
70% of medium-sized businesses reported some form of cyber security breach or attack in the last 12 months.
Consider how many organisations we all deal with on a regular basis, whether as companies or individuals, and these recent statistics are troubling. A small company will have half a dozen suppliers, and a large business, hundreds. Of course, the severity of a breach can vary, but these statistics suggest that over half of the companies with whom we deal are unable to adequately protect our data and risk having the services they provide to us disrupted.
The 2024 report found that phishing (at 90% of all attacks) is the biggest source of breaches, which underlines the need for better user awareness of the risks of clicking on suspicious attachments, links and the like.
This risk persists despite hygiene measures such as malware protection, restricted admin rights, firewalls and other preventative controls slowly improving year on year, particularly for micro businesses.
The report notes: “The most common cyber threats are relatively unsophisticated, so government guidance advises businesses and charities to protect themselves using a set of “cyber hygiene” measures.” This is a damning quote: businesses appear to know which security controls would improve their resilience, yet are not keeping those controls effective enough to close emerging security gaps quickly. This is confirmed by the disconcerting figure that over half the businesses that suffered a breach or attack admitted to repeated attacks “once a month or more often.”
We observed in a blog on the previous survey last year that it is almost universally accepted that the most common reason for a cyber security incident is the failure of basic security controls or “cyber hygiene”. Further reading on past related blogs here and here.
With the 2024 report confirming ongoing gaps in cyber hygiene, it is a good reminder that cyber hygiene is not a set-and-forget process. In a constantly changing threat environment it is vital that the controls you have in place are regularly checked for adequacy.
The level of cyber security preparedness was highlighted (as has previously been the case in this survey series) as being a big area of concern.
Only 31% of businesses (26% of charities) have undertaken a cyber risk assessment, although this rises to 72% for larger businesses. So almost 30% of large organisations risk having their cyber vulnerabilities discovered for them by an attacker. Across all organisations almost 70% do not know what exposures they have to a cyber-attack.
Similar observations apply to security monitoring tools: only a third of all businesses use them. As with risk assessments, uptake rises for medium and larger businesses, but almost 30% of large businesses are still not monitoring for cyber-attacks.
When it comes to third-party risk, the situation worsens, with only 11% of all businesses reviewing the risks posed by their suppliers. Only 48% of large businesses review the risks posed by their immediate suppliers, and even fewer monitor their wider supply chain. Disturbingly, the level of third-party review has fallen in the last 12 months from 55% to the 48% mentioned above.
This lack of visibility suggests that, for far too many organisations, a breach would only be apparent after the event. In the case of something like a ransomware attack this might be inevitable, but for a data theft or other forms of malicious attack, knowing the state of your security can make a difference.
Another area that gives cause for concern is the degree to which businesses are prepared for a cyber breach. In the absence of many of the preventative steps discussed above it is even more important that organisations prepare themselves for an attack.
In last year’s survey report blog we observed that:
“A minority of organisations have an agreed or formalised incident response procedure in place. 20% of businesses and a slightly smaller proportion of charities have formalised response plans. It is a slightly better story for larger businesses, with 64% claiming to have a structured approach.”
Turning to this year’s findings, the survey found that incident readiness continues to be lacking. Only 22% of businesses overall have an incident response plan in place, and more than 25% of large businesses have no plan at all.
The concept of “risk transfer” through insurance is familiar to businesses. The use of insurance and the growth of the cyber insurance market is testament to this.
Yet despite that, the survey report highlighted that only 43% of companies overall have cyber insurance (rising to 62% and 54% of medium and large businesses). This is low, although the rates have increased over the last 12 months. The report notes a general level of uncertainty among respondents about the cyber insurance coverage of their organisations, which suggests a general lack of clarity around this newer risk control.
This survey provides a concerning picture of cyber security readiness, particularly for the high number of small business respondents. If the investment in security controls remains limited so too will the level of risk assessment and insurance. Read more on this here.
The role of the board and senior managers also came under scrutiny in the survey. Many compliance initiatives recognise the importance of board-level awareness and visibility, and cyber security compliance is increasingly no exception.
The survey noted:
“Three-quarters of businesses (75%) and more than six in 10 charities (63%) report that cyber security is a high priority for their senior management.
This proportion is higher among larger businesses (93% of medium businesses and 98% of large businesses, vs. 75% overall).”
So larger companies do have cyber security on the board agenda in most cases. Hopefully this will, in time, facilitate a degree of improvement in control posture, reduce breach frequency and make insurance more accessible to better protect businesses and customers in future.
On the uptake of advisory and voluntary schemes there are clearly gaps:
“A sizeable proportion of organisations, including larger organisations, continue to be unaware of government guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard.”
Given that more than 50% of businesses overall, and up to 74% of larger businesses, have had a cyber breach or attack in the last 12 months, it would seem that the cyber security message is not being heard. Hopefully there will be a shift toward adhering to recognised standards or accreditations in coming years as breach data and its implications are better understood across industries.
With the level of cyber security exposure identified by the report, the number and frequency of attacks, and awareness of their impact, it may be helpful to establish a more effective strategy to address cyber security, particularly given the costs to the economy.
There seems to be an overall awareness that reduced cyber risk profiles and competitive advantages are available to organisations with improved cyber security resilience, but limited adherence to frameworks. Guidance documents like “10 Steps to Cyber Security” and the “Cyber Essentials” scheme need to see greater uptake if organisations are committed to reducing their risk of cyber-attack. The cyber security gap right now would seem to be the inability of stakeholders to leverage those documents to greater effect, to improve their cyber resilience – and the results of future surveys like this one. Read more here and here.
Access the report here: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024