The UK Government has released its annual “Cyber Security Breaches Survey 2023”. It provides some valuable insights into how cyber security is currently being managed in the UK, by a range of organisations.
It also speaks to how current competing economic priorities are impacting the effectiveness of some cyber security management efforts.
The full report is here: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023
The long-running longitudinal study of some 4000 UK organisations provides concerning information about how, while still recognised as a significant problem, cyber security must now compete with other priorities for investment and resources. It highlights the economic trade-offs that are going on and how they are affecting organisations’ visibility and potentially awareness of cyber security risks.
Seven deadly sins
Seven cyber security focus areas are featured in the survey. Each draws together observations about the cyber policies, processes and approaches across businesses, registered charities and educational institutions:
- Identification of cyber security breaches and attacks
- Cyber hygiene
- Risk management and supply chains
- Board engagement and corporate governance
- Cyber accreditations and following guidance
- Incident response
- Cyber crime
Identification of cyber security breaches and attacks
An interesting point here is how the large proportion of small business respondents has impacted some of the survey results. Overall organisations are identifying fewer threats; and yet the number of breaches and attacks for medium and large businesses and charities is relatively unchanged from last year.
It could be that attackers are getting more sophisticated or that certain types of attacks are decreasing in prevalence. But it may also be that the reduced economic resources of smaller firms have shifted their management priorities.
Whatever the reason, the drop off in attacks detected by small businesses is inconsistent with the recently released IBM’s X-Force Threat Intelligence Index, which shows that the UK accounted for 43% of all attacks in Europe over the past 12 months; with unpatched vulnerabilities being the major attack vector.
This trend is supported in that the breach numbers detected by medium and large businesses were much higher at 59% and 69% respectively than the overall average of 32% for all businesses. Qualitative evidence also confirmed that the priority of cyber security for small businesses had fallen more than 10% for the period.
Cyber hygiene
Almost universally, it is accepted that the most common reason for a cyber security incident is the failure in a basic or foundational control – so called cyber hygiene. See our blogs on this here and here.
Most respondents, but not all, had a range of basic hygiene controls in place. Examples include malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls, to name a few. Of concern, however, is that a number of key hygiene controls recommended by the UK National Cyber Security Centre were absent.
A critical consideration for security controls is not whether they are deployed but, how effectively? Monitoring the effectiveness of controls ensures that an organisation doesn’t unwittingly become reliant on the dictum: no news is good news. Because sometimes it isn’t.
This applies particularly to something like patching where unpatched vulnerabilities in operating systems and applications are frequently exploited by hackers. Simply put, the majority of vulnerabilities are known and widely publicised, but all too frequently organisations are too slow to patch their IT environment – leaving a potential point of attack!
The survey found a decline in performance in this area, from 43% in 2021 to only 31% today. So, concerningly two thirds of businesses (predominantly small and medium ones) are increasingly vulnerable to already widely publicised vulnerabilities. This is troubling as OS and application patching is fundamental to any cyber risk mitigation strategy.
Risk management and supply chains
Understanding cyber security exposure is an important first step in improving the cyber security posture of an organisation. This applies to organisations themselves as well as their suppliers who might store/process information on their behalf and unwittingly expose them to downstream cyber-attack risk or ransomware outbreak.
Apparently, 30% of businesses overall have undertaken a cyber security risk assessment to determine their control performance, coverage and maturity. Although, this figure is closer to 50% for medium and 60% for larger businesses (with the biggest supply chain exposure).
Only 40% of businesses (30% for charities) use cyber insurance as part of their risk mitigation strategy; with almost 40% of mid-sized businesses choosing not to insure despite many having not undertaken cyber risk assessments either.
The majority of larger businesses have increased their 3rd party risk visibility but across the other organisations, preventative supply chain risk management activities remain limited.
Board engagement and corporate governance
Again there is a disparity between the sophistication and cyber awareness of larger organisations compared to smaller ones. Overall, 30% of all organisations have board members or trustees that have a specific focus on cyber security. The figure is 41% for medium businesses and 53% for larger ones.
Looking back through the telescope then, 70% of businesses and charities have no board members with a specific cyber security mandate. This lack of cyber accountability can only hamper the advance of their knowledge and training and undermine the importance of the IT governance task. Still, too many boards appear willing to roll the cyber security dice, despite the scale of business risks they face.
Almost two thirds of high-income charities and 50% of medium businesses, appear to not have a strategy for cyber security risk management and governance. The survey notes the impetus to develop strategies can come from management board pressure, audits and business acquisition. If true, the implication is that if there is no ownership, or cyber security awareness at board level, it is unlikely that a coherent cyber strategy can result!
This limited level of cyber security accountability by board members or trustees, even in mid and larger organisations, compounded by any deficit in cyber skills and awareness, is a very risky combination.
Cyber accreditations and following guidance
A picture is emerging that has implications for achieving national cyber resilience ambitions. Despite highly publicised NCSC cyber security guidance like “10 Steps to Cyber Security” and the “Cyber Essentials” frameworks to guide cyber security efforts, the survey observes that “a sizeable proportion of organisations” are unaware of them. Although, mid and larger organisations appear more familiar with these advisories. Full adherence to them, however, is again limited.
The adoption of more sophisticated standards like the “all encompassing” ISO27001 is even less common at 9% of businesses overall, although for larger firms the adoption rate is 27%.
It would seem that more than 50% of organisations failed to seek external cyber security guidance, advice or standards certifications. And for those that did, it was initiated largely by customers or partners asking for it, rather than as part of a board driven strategy.
Incident response
A minority of organisations have an agreed or formalised incident response procedure in place. 20% of businesses and a slightly smaller proportion of charities have formalised response plans. It is a slightly better story for larger businesses, with 64% claiming to have a structured approach.
The gaps between security teams, the wider IT function and management teams are identified as a continuing impediment to incident response; with better cyber security readiness planning required.
Cyber crime
This is, apparently, a new area of investigation for the survey. It makes the point that not all cyber breaches or attacks are cyber crimes. The biggest organisations suffer the most cyber crime which is perhaps not unsurprising given the scale of their IT systems and resulting enlarged attack surfaces.
The survey rightly cautions the interpreting of some of the cyber crime statistics. It does, however, estimate the number of victim organisations to be:
“…across all UK businesses, there were approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months.”
There are warning signs throughout this survey about cyber security prevention, containment and recovery. Equally, there are security control frameworks, recommended by the NCSC and others, that can provide visibility of each potential stage of a cyber attack. A number of those controls can be relatively inexpensive, particularly when compared to some of the costs mentioned in this report. And once in place, controls can be regularly monitored for effectiveness to improve cyber resilience and help lower your risk of cyber attack.
Products
Solutions by Industry
Learning & Resources
About Huntsman
