A survey by the UK government has found that over 460,000 UK businesses may have fallen victim to cybercrime in the last twelve months.
The Cyber Security Breaches survey, which surveyed 2,263 UK businesses and 1,174 registered charities, revealed that a third of UK firms had fallen victim to cyber-attacks since September 2022, with hackers also hitting a quarter of UK charities.
The survey also found that phishing attacks were the most common form of attack, with 79 per cent of businesses and 83 per cent of charities targeted by hackers identifying this type of attack.
Of those attacked, large businesses reported the highest amount of cyber attacks of those surveyed, with 69 per cent reporting attacks compared to 32 per cent of small businesses.
But the survey revealed that this does not necessarily mean that large businesses are more targeted than small ones, as smaller businesses are less likely to report attacks.
“Smaller organisations are now less capable of identifying breaches or attacks than they were three years ago,” the report reads.
“This could be due to internal factors, such as the fall in logging and monitoring activity among charities this year and the lower prioritisation placed on cyber security by senior managers in smaller organisations.”
Tom Kidwell, a former British Army and UK Government intelligence specialist, and co-founder of Ecliptic Dynamics, said this underreporting may also be the result of the current economic climate in the UK.
“In terms of preparedness, response, and investment in cybersecurity on an organisational level, the numbers haven’t changed very much at all, except for smaller businesses, who are identifying attacks, and implementing good cyber hygiene practices less,” Mr Kidwell said.
“This is likely due to the current economic climate in the UK, and because many businesses still operate with the ‘it probably won’t happen to me’ mindset, and although in the past you might have got lucky, now it’s not a case of ‘if’, but ‘when’, you get targeted.”
“As the survey itself highlights, underreporting is a huge issue identified by the cybersecurity industry, meaning this number could be far higher in reality. Underreporting is so rife because for any organisation, especially those which handle sensitive information, admitting that you’ve been breached can have catastrophic effects.”
Phishing Attacks Surge
Like in previous government surveys, phishing attacks retained their title as the top attack vector in this year's breach survey.
Phishing attacks were also the only form of attack to report an increase compared to previous reports, with the percentage of organisations falling victim to the attack rising to 79 per cent from 72 per cent in previous years. Mr Kidwell believes that phishing attacks will continue to rise as threat actors adopt new tools such as AI.
“The reason phishing is such a popular attack vector is that it is low cost and low skill, meaning malicious threat actors can operate on a spray-and-pray approach, hitting as many businesses as they can and waiting to see if any users take the bait.
“But I believe many vectors are overlooked in studies such as the Government’s Cyber Breaches Survey because they simply aren’t seen by the user. Infrastructure attacks such as malicious log-in attempts are extremely common, and in my experience often more common than user-based attacks like phishing.”
Cyber Hygiene
With the common cyber threats related to relatively unsophisticated attacks like email phishing, the survey noted that an increased number of organisations were failing to maintain basic “cyber hygiene” measures to protect themselves from attacks.
Of those surveyed, just 70 per cent of organisations were using password policies compared to 79 per cent in 2021, while the use of network firewalls had plummeted to 66 per cent from 78 per cent in 2021.
“A majority of businesses and charities have a broad range of these measures in place. The most common are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls – each administered by two-thirds or more of businesses and half or more charities,” the report reads.
“However, across the last three waves of the survey, some areas of cyber hygiene have seen consistent declines among businesses.”
The survey said that this trend reflects shifts in the small business population as well as macroeconomic pressures, which are forcing businesses to hinder cybersecurity defences to save money in the current economic climate.
It reported that about 1 in 7 businesses surveyed perceived cybersecurity as a high priority, but small businesses fall noticeably behind, with just 68% declaring security as such compared to 80 per cent in 2022.
That is despite the average cost of a single attack for the businesses surveyed sitting at an astounding £15,300 per victim.
Mr Kidwell said that organisations aren’t taking unsophisticated attacks like phishing attacks seriously enough and are failing to protect themselves against the rising threat.
“Lots of businesses simply don’t know they’ve been breached. If people see some strange activity on their email account, they might think ‘Oh, someone’s hacked into my email’, and just change their password.
“But, in reality, their entire network may be compromised, leaving all of their data vulnerable. Small issues are often the tip of the iceberg.”
Supply Chain risks are being identified – but the threat remains
For the first time, the report noted that the majority of large businesses were reviewing supply chain risks, though it is still relatively rare across organisations of all types and sizes.
Three in ten businesses have undertaken cyber security risk assessments in the last year – rising to 51 per cent of medium businesses and 63 per cent of large businesses.
A similar proportion of businesses deployed security monitoring tools – rising to 53 per cent of medium businesses and 72 per cent of large businesses.
Supply chain vulnerabilities remain the key gateways for cyber attacks. In 2022, the number of documented supply chain attacks rose to 88,000 known instances, an increase of 663 per cent from previous years.