The 2024 Cybersecurity Breaches Survey covers prevalent cyber attacks, response strategies, and the evolving landscape of cybersecurity in the UK.
On April 9, 2024, the UK’s Department for Science, Innovation & Technology released its 2024 Cyber Security Breaches Survey. The survey was taken in the winter of 2023-2024, and the report offers information on industry-specific cyber attacks, what responses are used, and the cybersecurity policies these businesses and institutions take.
Cybersecurity breaches are fairly widespread in the UK, with 50% of businesses and 32% of charities weathering a cybersecurity breach or attack in the last year. The rate of cybercrime is higher with larger businesses and higher-income charities. A significant portion of the cybercrimes (84% for businesses and 83% for charities) are phishing attacks - which aligns with the 2023 IC3 report, which also found that phishing attempts are consistently the most common entry point for cybercrime. The cost of a breach ranged widely, with “the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830. For charities, it was approximately £460.”
While ransomware and denial of service attacks were the least commonly identified types of cybercrime, they have the potential to cost businesses a lot. According to an IBM Security Report, the average cost of a UK data breach in 2023 was £3.4 million. Though 20% of respondents to the Cyber Security Breaches Survey weren’t sure of their organization’s plan for a ransomware attack, it appears that more businesses are considering paying the ransom. Last year, 57% of UK businesses in the report said they had a rule not to pay ransom payments - but the percentage of non-payers is down to 48% this year.
With cyberattacks affecting so many businesses, it’s not surprising that cybersecurity is becoming a bigger priority. The percentage of businesses calling it a high priority hasn’t changed much since last year (36% in 2023, and 35% in 2024), but there has been a 5% increase in the proportion of companies calling cybersecurity a ‘fairly’ high priority. The top three industries that consider cyber security to be a high priority are information and communications, finance and insurance, and finally, health, social care and social work.
The top choices for finding cybersecurity risks were specific tools designed for security monitoring, risk assessment, and testing staff with cyber threat exercises, with larger businesses doing more to identify cybersecurity risks. The use of technical cybersecurity controls and rules has also improved, with 83% of businesses using up-to-date malware protection (compared to 76% before), 73% restricting admin rights (67% last year), 75% using network firewalls (compared to 66% last year), and more agreed procedures for phishing emails (from 48% to 54%).
Even with these measures in place, only a third of businesses in the survey reported having a formal cybersecurity policy. The most popular features in these policies were information on data storage (84%), permitted activities on the company’s IT devices (80%), remote working (68%), and cloud computing among other things (66%). After these baseline cybersecurity policies, even fewer businesses (22%) reported having a formal incident response plan. Again, such plans are more common in larger businesses and within the finance, insurance, and healthcare industries.
The UK’s Cyber Security Breaches Survey demonstrates that cybercrime is widespread in the UK. While people can recognize that cybersecurity should take more priority, they haven’t followed through, as only 33% of surveyed companies had a cybersecurity policy and 22% had a formal incident response plan. According to a recent Microsoft report, at least 87% of UK organizations are vulnerable to cyberattacks, with 39% of UK businesses being at high risk. Hopefully, UK businesses will improve their cybersecurity policies and cyber incident response plans in time for next year’s survey.