Skip to content Skip to bottom

2024 UK Cyber Security Breaches Survey: The Good, Bad, and The Ugly.

It’s that time of year again when we find out if the UK is taking cyber security seriously or not… The annual UK Cyber Security Breaches Survey has been released by the Department for Science, Innovation and Technology (DSIT), in partnership with the Home Office. This survey uncovers the cybercrime landscape in the UK in 2024.

It revealed that UK organisations faced approximately £7.78 million worth of cybercrime in the last 12 months – and a staggering 78% of businesses still lack a formal incident response plan!

Not a good start, I know.

A Snapshot of UK Cybercrime – and Resilience

The 2024 UK Cyber Security Breaches Survey paints a portrait of cyber resilience amongst businesses and charities operating in the UK. The findings are also used to inform and shape future policies surrounding cyber security.

This article outlines the key (scary) takeaways from the 2024 survey, including the biggest cyber risks and responses to cyber security breaches, to provide organisations with insights to strengthen their security strategy.

The Cyber Threat Landscape – Understanding the Scale and Cost

The survey indicates that cyber threats remain a significant concern, with 50% of businesses and 32% of charities reporting cyber security breaches or attacks in the last 12 months. Notably, the frequency of these incidents increases with the size of the organisation – 58% of small businesses, 70% of medium businesses and 74% of large businesses reported a cyber incident.

However, it is important to note that larger businesses are more likely to identify breaches or attacks than smaller ones due to the increased resources and expertise. So, the number of incidents in small and medium-sized businesses (SMBs) is most likely underrepresented.

Phishing Attacks Come Out on Top Yet Again

Like last year and the year before, phishing attacks have once again been identified as the most prevalent form of cyber threat, affecting 84% of businesses and 83% of charities that reported incidents. Other types of attacks, such as impersonation, malicious use of AI, and malware, also pose significant risks.

This trend highlights how threat actors are using new and emerging technologies to deliver phishing attacks, a type of social engineering tactic that exploits human vulnerabilities. The data further highlights the critical need for ongoing cyber security education and robust protective measures to safeguard against this type of attack.

Cyber Security Breaches and the Financial Impact

Cyber security breaches don’t come cheap, with the average cost of a breach estimated to be around £1,200 for businesses on the whole, increasing to £10,830 for medium and large businesses. Incidents resulting in data theft cost an average of £6,940.

Medium and large businesses bore the brunt of these costs, with long-term expenses including legal fees and talent acquisition further increasing the financial strain. Charities faced an average cost of £460, highlighting the economic consequences of cyber incidents on organisations of all shapes and sizes.

A Promising Increase in Cyber Hygiene Practices

On a more positive note, the 2024 UK Cyber Security Breaches Survey indicates an upward trend in the adoption of cyber hygiene practices, with notable increases in the implementation of malware protection, restricted admin rights, and network firewalls.

In comparison to 2023:

  • Adoption of up-to-date malware protection has improved from 76% to 83%.
  • Enforcement of restricted administrative rights has risen from 67% to 73%.
  • Usage of network firewalls has increased from 66% to 75%.
  • Clear processes for handling phishing emails have grown from 48% to 54%.

These developments show a reverse in trends over the previous three years, during which some areas experienced consistent declines among businesses. The changes are primarily from adjustments within the micro business sector and, to a lesser degree, small and medium-sized businesses.

With techniques such as phishing remaining the most common form of attack, this basic cyber hygiene can be the difference between businesses experiencing a successful cyber security breach and not. It’s positive news that simple cyber hygiene has increased for the first time in the last three years.

This increase in cyber hygiene coupled with the rise in businesses investing in cyber insurance, up from 37% to 43%, indicates an overall increase in cyber awareness and budget allocated for cyber security.

However, there are several other concerning statistics and findings which suggest that this may not be the case after all.

Where’s Your Incident Response Plan?

Despite years of warnings from specialists and experts, countless data breach headlines, and increased regulatory action, the following issues still aren’t being addressed by organisations.

  • Only 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. This is consistent with 2023 but shows a decline over the past 2-3 years.
  • Only 3% of businesses and charities report adhering to Cyber Essentials.
  • Almost half of SMBs and a third of large businesses are still operating without a cyber strategy.
  • Only 11% of businesses are reviewing the risks posed by their immediate suppliers, despite supply chain attacks accounting for a huge proportion of cyber security breaches across all sectors.
  • 25% of board-level leaders in the UK still don’t see cyber security as a high priority.
  • Only 22% of businesses and 19% have a formal incident response plan.

It seems that far too many businesses are viewing cyber security training, defence processes, and monitoring as a tick-box exercise. Cybercriminals are working overtime to try and find new ways to access critical business data. By not constantly evolving and improving defences, organisations are giving attackers the chance to catch up.

It’s also surprising that so many businesses remain unaware of the government-backed Cyber Essentials scheme, with just 12% reporting awareness. This figure has decreased year-on-year from 16% in 2022. The Cyber Essentials scheme gives businesses a solid, base-level of protection, and as the government’s promoted cyber certification, it is quite concerning that such a large amount of organisations are still unaware of it. Learn more about Cyber Essentials here.

The readiness to respond to cyber incidents seems to remain more of an aspiration than a reality for many. Although plans are in place for some, only 22% of businesses and 19% of charities have formalised their incident response strategies. This gap between intention and action highlights the need for more robust preparation.

An incident response plan can help a business mitigate risks and potential damage during a security breach and help an organisation restore business operations as quickly as possible. This plan is not just a critical element of an organisation’s cyber security strategy, but it can also enhance the company’s ability to secure insurance coverage.

A Big Concern – Low Rate of Reporting

One of the most alarming facts uncovered by the 2024 UK Cyber Security Breaches Survey is the low rate of reporting cyber security breaches to external authorities.

A mere 10% of businesses engaged law enforcement after detecting a breach, and even fewer approached specific cyber security bodies like the National Cyber Security Centre (NCSC) for assistance. Additionally, the reluctance to inform affected clients and customers is stark, with notifications made in just 5% of incidents. Many organisations cited reasons such as uncertainty about where to report incidents and scepticism about the effectiveness of reporting as barriers to taking action.

In terms of response measures, the report exposes a notable inaction among affected businesses; 39% chose not to respond in any way after a breach. While a few opted for measures like employee training or minor tech upgrades, the majority did not undertake any significant steps to strengthen their cyber defences post-attack.

Small and micro businesses emerged as particularly vulnerable, owing to their lack of resources and expertise. However, medium and large enterprises were not immune, with 74% and 86% respectively, taking some form of action to prevent future breaches.

Moving in a More Secure Direction

So, how can organisations respond to these alarming statistics and findings?

Well, there are a few things to consider here:

  • Firstly, it’s imperative that businesses of all sizes invest in some level of cyber security awareness training for their employees. Given that phishing attacks are the most prevalent threat, educating your workforce on identifying and responding to phishing attempts is crucial.
  • Secondly, developing and implementing a robust incident response plan should be a priority. This plan should outline clear steps to be taken in the event of a cyber security breach, including how to contain the breach, assess the damage, communicate with stakeholders, and learn from the incident to prevent future breaches.
  • Also, considering the low awareness and adoption of the Cyber Essentials scheme, organisations should actively seek to understand and implement these standards. Cyber Essentials offers a foundation for cyber security best practices that can significantly reduce the risk of the most common cyber threats.
  • Ask yourself – have you thoroughly assessed your cyber risk profile recently? Regular risk assessments can help identify vulnerabilities and guide strategic investments in cyber security. This includes evaluating third-party vendors and supply chains.

A security risk assessment is a good place to start if you want to develop or refine your cyber security strategy. A security risk assessment as highlighted in the 2024 survey, will uncover your weak points and vulnerabilities so you know where to start patching up. Seeking advice from a security-focused Managed Service Provider (MSP) is often more effective and more affordable than attempting to build a cyber security team from scratch in-house. An MSP will have the expertise to assess your environment, develop your strategy, and deploy solutions to keep your business secure.

In Conclusion…

The 2024 UK Cyber Security Breaches Survey paints a mixed picture of the current cyber security landscape. While the increased adoption of cyber hygiene practices offers a glimmer of hope, the sophistication of cyber security breaches and the lack of preparedness among many organisations highlights the need for more proactive measures.

Cyber security is not a one-time effort but a continuous process of learning, adapting, and implementing. The survey’s findings should serve as a wake-up call for businesses, charities, and educational institutions to reassess their cyber security stance, prioritise their efforts to close vulnerability gaps, and foster a culture of cyber security awareness across their organisations.

Moreover, the survey highlights the importance of collaboration between businesses, cyber security experts, and governing bodies. By sharing knowledge, best practices, and experiences, the UK can strengthen its collective security posture.

Message Us