The latest Cyber Security Breaches Survey has been released, which is a great source of insights to help businesses address their cyber risk.

Conducted by the UK government as part of its National Cyber Strategy, its main use is to inform government policy on cyber security to make the UK cyberspace a secure place to do business. It also provides key insights from UK businesses, charities, and educational institutions on their cyber security policies, processes, and an overall assessment of cyber resilience and cyber-crime.

Here are some key insights from the survey and what they mean for your business.

  • 69% of large organizations and 32% of smaller firms experienced a breach and/or cyber-attack.
  • 68% of victims say that they had a fraudulent loss of money resulting from a phishing attack.

The harsh reality is that cyber-crime and cyber-attacks are business agnostic. Criminals typically go after the weakest link in their pursuit of making money from their victims. Phishing attacks are consistently one of the most common attack methods because they are so easy and cheap to carry out from anywhere in the world. It only takes a tiny percentage of recipients to fall for them – by inadvertently giving away their login details or opening attachments that contain malware – for it to be worth the effort by the cyber-criminals.

  • The percentage of micro businesses who consider cyber security to be a top priority has dropped from 80% in 2022 to 68% in the current year

While this may reflect the economic climate and factors like inflation and global instability trumping cyber-risk, it’s still a shocking insight. Cyber-crime is endemic and the effects on victim businesses can be devastating. Prevention is better than cure and a head-in-the-sand approach would make it open season for the attackers, who’ll laugh all the way to the bank (or at the least their crypto wallet).

  • Only 30% of businesses (and a similar proportion of charities, 31%) have board members or trustees taking explicit responsibility for cyber security as part of their job

If no one owns a problem or risk, if no one is accountable, then no one is responsible for it. And if no one is responsible then nothing gets done to address it. Until it’s too late. Making a senior person openly accountable for cyber-risk is a great step to ensure that something will be done about it. Going a step further and measuring the risk (for example in KPIs and monthly reports) also helps drive focus on fixing the problems. What gets measured gets managed – just make sure that you are measuring meaningful things.

  • 11% of businesses and 8% of charities have been the victim of at least one cyber-crime in the last 12 months.
  • It’s estimated that UK businesses have experienced around 2.39 million cyber-crimes of all types and 70,000 non-phishing cyber-crimes in the last 12 months.
  • The mean cost of businesses experiencing any cyber-crime other than phishing was £20,900.

This can be interpreted as meaning that about a third of businesses and charities that identified a cyber-security breach or attack ended up being victims of cyber-crime. Although the figures show that medium and large businesses are more likely to experience a cyber-crime than smaller ones, this is probably due to underreporting and a reluctance to report financial losses by smaller businesses.

As the frequency and severity of cyber-attacks continue to grow rapidly, making sure your cyber security is watertight will give you and your customers peace of mind that their personal information is safe. It’ll also help your business avoid unwanted downtime as well as any fines, legal penalties or bad press that come with successful cyber-attacks.

Three in ten businesses have undertaken cyber security risk assessments (29%, vs. 27% of charities) in the last year – rising to 51% of medium businesses and 63% of large businesses.

A similar proportion of businesses deployed security monitoring tools (30%, vs. 19% of charities) – rising to 53% of medium businesses and 72% of large businesses.

Under four in ten businesses (37%) and a third of charities (33%) report being insured against cyber security risks – rising to 63% of medium businesses and 55% of large businesses (i.e. cyber insurance is more common in medium businesses than large ones).

Over one in 10 businesses review the risks posed by their immediate suppliers. More medium businesses (27%) and large businesses (55%) review immediate supplier risks. The latter result is up from 44% of large businesses in 2022.