The long-running Cyber Security Breaches Survey, commissioned by the UK government, is a research study on UK cyber resilience, aligned with the National Cyber Strategy. The 2023 study suggests that cyber resilience in UK organizations is moving backwards.
The study ‘explores the policies, processes and approach to cyber security for businesses, charities, and educational institutions. It also considers the different cyber attacks and cyber crimes these organizations face, as well as how these organizations are impacted and respond’.
Key points from the extensive report include:
Smaller organizations may be taking cyber resilience less seriously than previously
Cyber security breaches and attacks remain a common threat. However, smaller organizations are identifying them less often than last year. This may reflect that senior managers in smaller organizations view cyber security as less of a priority in the current economic climate than in previous years, and so are undertaking less monitoring and logging of breaches or attacks.
32 percent of businesses and 24 percent of charities overall recall any breaches or attacks from the last 12 months. This is much higher for medium businesses (59 percent), large businesses (69 percent) and high-income charities with £500,000 or more in annual income (56 percent).
This is a decrease from 39 percent of businesses and 30 percent of charities in 2022. The drop is driven by smaller organizations – the results for medium and large businesses, and high-income charities, remain at similar levels to last year.
Cyber hygiene is declining
The most common cyber threats are relatively unsophisticated, so government guidance advises businesses and charities to protect themselves using a set of cyber hygiene measures. However, across the last three waves of the survey, some areas of cyber hygiene have seen consistent declines among businesses. This includes:
- Use of password policies (79 percent in 2021, vs. 70 percent in 2023)
- Use of network firewalls (78 percent in 2021, vs. 66 percent in 2023)
- Restricting admin rights (75 percent in 2021, vs. 67 percent in 2023)
- Policies to apply software security updates within 14 days (43 percent in 2021, vs. 31 percent in 2023)
These trends mainly reflect shifts in the micro business population and, to a lesser extent, small and medium businesses – large business results have not changed.
Organizations are failing to carry out cyber security risk assessments
A larger proportion of businesses take actions to identify cyber risks than charities. Larger businesses are the most advanced in this regard. For the first time, the majority of large businesses are reviewing supply chain risks, although this is still relatively rare across organizations overall.
Three in ten businesses have undertaken cyber security risk assessments (29 percent, vs. 27 percent of charities) in the last year – rising to 51 percent of medium businesses and 63 percent of large businesses.
Corporate reporting of cyber risks remains relatively uncommon
Board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organizations, although corporate reporting of cyber risks remains relatively uncommon, even among large businesses.
Three in ten businesses (30 percent) and charities (31 percent) have board members or trustees explicitly responsible for cyber security as part of their job role – rising to 41 percent of medium businesses and 53 percent of large businesses.
Only a minority of organizations have agreed incident response strategies in place
While a large majority of organizations say that they would take several actions following a cyber incident, in reality only a minority have agreed processes already in place to support this. This is an area for ongoing improvement that the study will continue to monitor next year.
The most common processes, mentioned by between a quarter and two-fifths of businesses and charities, are having specific roles and responsibilities assigned to individuals, having guidance on external reporting, and guidance on internal reporting.
Formal incident response plans are not widespread (21 percent of businesses and 16 percent of charities have them). This rises to 47 percent of medium-sized businesses, 64 percent of large businesses and 38 percent of high-income charities.
Qualitative findings suggest another area for potential improvement is the relative disconnect between IT or specialist cyber teams and wider staff (including management boards) when it comes to incident response. Bridging this gap was felt to require good, regular communication between IT teams and wider staff. Post-incident reviews were also seen as a way to engage wider staff in cyber security.