The latest Cyber Security Report from the Department for Digital, Culture, Media and Sport (DCMS) has been released. This annual survey details the cost and impact of cyberattacks and data breaches on businesses, education institutions and non-profit organisations across the UK.
This article discusses the key findings and takeaways from the UK Cyber Security Breaches Survey 2022. It uses official statistics to highlight the risks, impacts and responses of cyberattacks to help organisations enhance approaches to cyber security.
An overview of cyber security and attacks in the UK
The proportion of UK organisations experiencing cyberattacks has stayed at the same high level as in 2021; however, the cost and impact of an attack have risen, causing greater financial and reputational damage. Although the frequency of attacks and breaches has stayed high, businesses continue to overlook proactive cyber security approaches.
While many businesses recognise cyber security as a ‘high priority’, a lack of expertise and board engagement across UK businesses has resulted in a large majority turning to external cyber providers to help strengthen their security. Furthermore, the DCMS believes that a lack of cyber security ‘maturity’ means cyberattacks and breaches are underreported, so the true frequency and number of attacks are likely far higher than the official statistics state.
Cyber security and UK businesses
In the last 12 months, 39% of UK businesses identified and reported a cyberattack of some kind. This remains consistent with the previous year, but is still below the high of 46% in 2020 at the height of the Covid pandemic. A breakdown of the official statistics is shown below, suggesting that larger businesses are a prime target for cyber criminals. However, small and medium sized businesses are still at risk.
Percentage of organisations that have experienced a cyberattack or breach in the last 12 months:
48% of small businesses
59% of mid-sized businesses
72% of large businesses
Large businesses reporting the highest proportion of cyberattacks has been a consistent pattern in each year of the survey. However, the study suggests that the numbers may be underreported, particularly for SMBs, which may be less ‘cyber mature’ organisations and so may lack the knowledge, resources or technology to identify an attack.
Therefore, although larger businesses appear to be a prime target, smaller businesses remain an attractive objective for cyber criminals, as they have less budget and fewer in-house capabilities to implement effective cyber security measures.
Cyberattacks: Type of attack
Of the 39% of UK businesses that identified a cyberattack, the most common threat vector by far was phishing (83%). Phishing attacks involve malicious emails being sent to staff to extract sensitive information or direct recipients to fraudulent websites. This type of attack has continued to rise.
This was followed by social engineering attacks (27%), in which cyber criminals pose as a trusted source in an attempt to gain access to the target’s networks. Around one in five (21%) identified a more sophisticated attack type, such as malware or a ransomware attack.
A crucial takeaway from these findings is the importance of staff vigilance and embedding cyber security awareness into business culture. Human error remains the biggest cyber security risk to all businesses – 95% of security breaches are caused by human error.
Cyber security impact: Frequency, cost and aftermath of cyberattacks
Frequency of attacks
Among the UK businesses that identified some form of cyberattack or data breach, almost half (49%) said they experienced an attack once a month, while 31% said they experienced an attack or breach at least once a week.
Looking at the organisations reporting financial loss due to a cyberattack, the average estimated cost was £4,200. When specifically looking at only medium and large businesses, the average cost rose to almost £20,000. The study does however acknowledge that these figures may be lower than actual figures due to underreporting.
A successful breach or attack can affect the entire business, causing financial and reputational damage and resulting in lost data, time and resources. One in five businesses stated that a cyberattack resulted in a negative outcome, such as financial loss, data exposure, or network and website disruption. Corrupted or damaged systems were the most commonly reported outcome.
Despite the risks and impacts of cyberattacks, cyber security trends over the past few years remain consistent. This suggests that many businesses remain reactive in their approach to cyber security instead of proactively driving improvements to risk management.
The response: UK businesses are turning to outsourced cyber security
In this section, we explore how businesses deal with breaches or attacks. This includes identification, response, reporting, and adjustments to cyber security approaches to prevent future attacks.
Businesses lack knowledge and understanding of cyber security
While 82% of boards or senior management within UK businesses rate cyber security as a ‘high priority’, only 19% of businesses have a formal incident response plan in place. 50% of businesses say they update the board on cyber security matters at least quarterly; however, only 33% conducted a risk assessment and only 17% carried out security awareness training for staff in the last 12 months.
Many businesses seem to recognise the importance of cyber security, but they are struggling to put the right protective measures in place. Further qualitative research conducted by the DCMS identified a range of barriers to building robust cyber security within UK businesses, including a lack of expertise and board engagement, low technical knowledge and budget constraints. In smaller businesses, competing priorities were also identified as a barrier.
Outsourcing cyber security
Many businesses have opted to outsource cyber security and IT systems monitoring to external providers. This is a consistent choice across business sizes (as shown below). Qualitative research further showed that organisations outsourced for a number of reasons, including to gain access to expertise, resources and standards of cyber security that are not available in-house.
Percentage of UK businesses that outsource their IT and cyber security to an external supplier:
58% of small businesses
55% of mid-sized businesses
60% of large businesses
Use of Managed Service Providers (MSPs) across UK businesses
For 2022, the survey asked organisations if they used a Managed Service Provider (MSP) for their IT services and cyber security.
An MSP is an external supplier that delivers a variety of IT services to businesses, from managing IT infrastructure and end-user systems, to designing and implementing bespoke IT strategies.
The use of an MSP was most common in larger businesses.
Percentage of UK businesses that use a Managed Service Provider:
57% of small businesses
65% of mid-sized businesses
72% of large businesses
Interestingly, the survey found that when businesses were asked about sourcing an MSP, they prioritised the price and quality of the service they would receive over cyber security. Instead, many organisations assumed IT providers would have excellent cyber security embedded within all of their services.
The key outcome here is that businesses should prioritise, verify and measure cyber security not just during the procurement process but throughout their relationship with the IT provider.
The 2022 survey concludes that there remains a lack of both will and skill around organisational cyber security, resulting in gaps in fundamental areas of security and risk management.
It is clear that cyber resilience is highly influenced by board behaviours. Though the acknowledgement of the importance of cyber security amongst boards is high, this does not translate into proactive behaviour and risk management. This lowers the strength of an organisation’s online security for a number of reasons.
There is a tendency for many organisations to adopt a reactive approach. While a reactive approach should never be overlooked, it should be used to support a proactive approach. A reactive cyber security approach aims to deal with the aftermath of an attack or breach, while a proactive approach aims to prevent an attack from reoccurring. Other reasons include viewing cyber security as a cost rather than an investment, and lacking awareness of strategic risks posed to an organisation.
There is a theme of organisations opting to outsource their IT services to a third-party supplier so that they can access specialist technical skills and cyber security expertise. However, supply chains themselves pose an entry point for attackers, so organisations become only as resilient as the weakest point in their supply chain.
The UK Cyber Security Breaches Survey
The Cyber Security Breaches Survey is an influential research study guiding and informing businesses on the UK’s current cyber security and threat landscape. The survey is part of the government’s National Cyber Strategy, and is conducted on an annual basis.
The study details the cost and impact of cyber breaches and attacks on UK businesses, non-profit organisations and educational institutions. It aims to inform government policy and organisations on cyber security with intent to make the UK a resilient and secure place to do business in a digital-first world.