Skip to content Skip to bottom

UK Cyber Security Breaches Survey 2023: A Summary of the Key Takeaways

The UK Cyber Security Breaches Survey 2023 is a comprehensive and influential research study conducted by the UK government to assess the nature and impact of cyber security breaches on UK businesses.

Recently, the Department for Science, Innovation & Technology released the report which surrounds the study results and we’ve summarised the key findings and takeaways.

This article aims to provide insights and guidance on how UK businesses can better protect themselves from cyber threats and improve their overall cyber security posture.

It uses official statistics to highlight various aspects of cyber security, including types of attacks, impact on businesses, and measures taken by organisations to prevent and respond to cyber incidents.

Cyber Security and Attacks in the UK 2023 – Overview

The cyber landscape is growing in complexity and sophistication, but many UK businesses face other problems which have resulted in cyber security falling down the priority list. Senior managers in smaller organisations view the current economic climate, and rising costs as more of a concern than cyber security. This explains why smaller organisations are identifying attacks and breaches less than last year. The results for medium and large businesses remain at similar levels to last year.

The proportion of cyberattacks against UK organisations has slightly dropped, and so has the cost and impact of an attack. This could either mean businesses are taking cyber security seriously and implementing the preventative methods, or organisations are underreporting due to other higher-priority business matters.

Wider economic concerns like the cost-of-living crisis, inflation, and general global instability have really affected the results of the UK Cyber Security Breaches Survey 2023.

Cyberattacks: Identifying Them

The identification of cyber security breaches and attacks in UK organisations has decreased in the last 12 months from 39% to 32%, but it’s important to note that the drop is driven by smaller organisations. The results for medium and large businesses remain at similar levels to last year.

A comparative breakdown of the results from last year and this year is shown below, suggesting that large and medium-sized businesses remain prime targets for cybercriminals. However, it’s important to consider the economic impact on the smaller businesses’ survey results. And the fact that they’re less likely to have the resources, knowledge, or technology to properly identify an attack or develop and implement effective cyber security measures.

Percentage of organisations that have identified cyberattacks in the last 12 months:

  • 32% of small businesses (48% last year)
  • 59% of medium businesses (59% last year)
  • 69% of large businesses (72% last year)

Cyberattacks: Type of Attack

From the 32% of UK businesses that identified a cyber breach or attack, the most common threat vector by far was phishing attempts (79%). For many resources such as remote work, advanced technology, and the fact that hackers are now using AI to target users, means phishing attacks are more convincing than ever.

This was followed by social engineering attacks (31%), which is the use of psychological manipulation techniques to influence or deceive people into divulging confidential information, performing actions or making decisions that are not in their best interests.

These results highlight that the harsh reality that cybercrime and cyber-attacks are business agnostic. Criminals often go after the weakest link in their hunt to profit from their victims. Phishing and social engineering attacks are consistently one of the most common attack methods because they are so easy and cheap to carry out from anywhere in the world.

Cyberattacks: The Financial Damage

Among the 32% of businesses that identified a breach or attack, a quarter (24%) experienced a negative outcome, such as a loss of money or data. Disruption to websites, and the temporary loss of access to files or networks are the most reported outcomes. However, the average total cost of the most disruptive breach or attack from the last 12 months is £4,960, up from £4,200 in 2022.

Website disruption and loss of access to files or networks is a concern along with the fact that the cost of cyber incidences is on the rise. This highlights the importance of businesses taking proactive steps to enhance their cyber security measure to prevent cyberattack and breaches, reduce the likelihood of negative outcomes, and mitigate the associated costs.

Cyberattacks: The UK’s Approach and Response (or lack of)

Although many organisations claim that they will undertake several measures after experiencing a cyberattack, the truth is that only a minority have established processes in place to support this. This indicates an ongoing area for improvement that the study should continue to monitor next year.

Assigning specific roles and responsibilities to individuals, providing guidance on external reporting, and offering guidance on internal reporting are the most common processes mentioned by between a quarter and two-fifths of businesses and charities.

Incident response plans that are formal are not prevalent, with only 21% of businesses and 16% of charities having them. However, the number increases to 47% for medium-sized businesses, 64% for large businesses, and 38 percent for high-income charities.

According to qualitative findings, there is another potential area for improvement, which is the lack of emphasis and importance placed on cyber security in micro businesses. The percentage of micro businesses who consider cyber security to be a top priority has dropped from 80% in 2022 to 68% in the current year. This could be due to the economic shift and the impact of this on smaller businesses. Larger organisations are more advanced in their defence and response plans to cyberattacks. For the first time, the majority of large businesses are reviewing supply chain risks, although this is still relatively rare across organisations overall.

Cyber Security Challenges in UK Organisations

Cyber Hygiene

Although cyber security attacks and breaches remain a common threat, key areas of cyber hygiene across all businesses have consistently declined over the last three years. Areas include:

  • Use of password policies (79% in 2021, vs. 70% in 2023)
  • Use of network firewalls (78% in 2021 vs. 66% in 2023)
  • Restricting admin rights (75% in 2021, vs. 67% in 2023)
  • Policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).

The report highlights that these trends mainly reflect shifts in the smaller business population and, to a lesser extent, small and medium businesses – large business results have not changed.

Cyber hygiene is critical for businesses to maintain the security and integrity of their digital assets and operations. By implementing good cyber hygiene practices, your business can protect its sensitive information, prevent cyber attacks, comply with regulations, build trust with customers, and save time and money.

A Disconnection Between IT Teams and the Rest of the Business.

The report highlighted errors in the perception of cyber security in many organisations. Business leaders often perceive cyber security as an ‘IT problem’ rather than a key business issue. Organisations leave themselves vulnerable if cyber security is only understood and responded to by the IT team and not an organisational issue.

For companies to truly defend their data from evolving threats, every person within the organisation needs to have a level of basic cyber security awareness. Humans continue to be the top cause of data breaches within UK businesses, and this is because phishing and social engineering continue to be the most sophisticated and successful forms of attack. Cyber security should be a crucial part of your leadership. Your people are your perimeter – train them with the right defence methods to best protect your business data.

Conclusions

The Crucial Role of Context in Trend Analysis

This study took place during unusual economic uncertainty which has impacted a large proportion of the results, particularly in smaller organisations. The qualitative results highlighted that they faced rising costs and challenges with financial planning, due to high inflation, higher energy prices and overall economic instability. As a result, cyber security may have dropped down the priority list among senior executives in smaller businesses. This helps to explain some of the differences in the survey results compared to 2022.

The study does however continue to highlight the fact that the impact of cyberattacks remains damaging, the biggest threats are still phishing and social engineering, and basic cyber hygiene is a rising issue every year.

The report also shows the various areas where organisations of all sizes can potentially improve their approaches and become more resilient to cyberattacks such as, bridging the gap between IT/cyber teams and the wider business, implementing Incident response plans, and educating staff on cyber awareness.

Overcoming the Challenges with Stronger Security

An effective cyber security strategy is critical for businesses to protect their assets, comply with regulations, maintain operational efficiency, and foster customer trust and loyalty.

But developing your strategy and maximising threat protection is about collating the right people, knowledge, resources, skills, and technology in order to protect your data, devices, and business reputation.

The 848 Group is a cloud IT partner with a dedicated cyber security practice. Our team of specialist experts possess extensive experience in infrastructure, identity, and endpoint security, enabling them to deliver tailored, secure, and robust solutions that empower businesses to flourish amidst the complexities of the cyber landscape.

Get in touch to book your consultation.

The UK Cyber Security Breaches Survey 2023

The UK Cyber Security Breaches Survey 2023 is an influential research study for UK cyber resilience, and is part of the government’s National Cyber Strategy. The survey is conducted annually with the same goal – to inform government policy on cyber security, making the digital world a secure place to do business.

The study uses qualitative and quantitative data from UK businesses, education institutions, and non-profit organisations. It considers the different cyber attacks faced by these organisations in the past 12 months as well as how they are impacted and respond. It explores the policies, processes, and approaches of UK organisations and how effective these are.

For the 2023 study, the quantitative survey was carried out in winter 2022/23 and the qualitative data was collected in early 2023.

Message Us