Small Business Interest in Cyber-Hygiene is Waning

Security breaches and cyber-attacks remain a significant threat for UK businesses, but many smaller firms appear to be prioritizing matters other than cybersecurity, the British government has warned.

The Cyber Security Breaches Survey 2023 provides a useful snapshot of cyber-resilience among the nation’s businesses and charities. Some 2263 UK businesses, 1174 registered charities and 554 education institutions were polled for the study.

The headline findings for 2023 are that the share of medium (59%) and large businesses (69%) reporting a breach or cyber-attack over the previous 12 months remains almost unchanged from the previous report.

However, the overall figure for businesses fell from 39% to 32% over the period. This is likely to be the result not of improved cyber-resilience but of the fact that “senior managers in smaller organizations view cybersecurity as less of a priority in the current economic climate than in previous years, so are undertaking less monitoring and logging of breaches or attacks,” the report claimed.

The share of micro-businesses saying cybersecurity is a high priority fell from 80% in 2022 to 68% this year, for example. The report noted that this is being driven by economic uncertainty and high inflation, although it added that the shift to hybrid working has made it harder for smaller organizations to identify security breaches or attacks.

One casualty of this de-prioritization of security has been certain cyber-hygiene best practices. The share of respondents claiming to have password policies fell from 79% to 70%, and there were also declines in the number saying they used network firewalls (66%), restricted admin rights (67%) and had policies for rapid software updates (31%).

“These trends mainly reflect shifts in the micro business population and, to a lesser extent, small and medium businesses – large business results have not changed,” the report confirmed.

Other challenges highlighted in the report include the fact that less than a fifth (14%) of businesses overall are aware of government cybersecurity guidance like the NCSC’s “10 Steps” guide or its Cyber Essentials scheme.

Board engagement with cybersecurity is also poor – just 30% of firms have a board member responsible for security, rising to 53% of large organizations. In fact, just 49% of medium businesses and 68% of large companies even have a formal cybersecurity strategy in place.

Just a fifth (21%) of firms have a formal incident response plan, rising to 47% of medium-sized and 64% of large businesses. Additionally, third-party risk remains largely unassessed – just 13% review the risks posed by suppliers, rising to 55% of large firms. One positive is that the latter figure is up from 44% in 2022.

Tom Kidwell, former UK government intelligence specialist and co-founder of Ecliptic Dynamics, argued that smaller businesses focused on the bottom line often don’t see the value of cybersecurity until it’s too late.

“Ultimately, even if these figures change slightly the underlying trends will remain much the same in the coming years,” he added.

“The mindset of many organizations is still not aligned with the threats posed by malicious groups, with companies not adequately protecting themselves, and with the cost of cybersecurity continuing to rise, it’s a constant juggling act between risk and affordability for businesses.”

Ilia Kolochenko, founder of ImmuniWeb, warned that small firms can be a supply chain risk to their larger partners.

“SMEs are the Achilles’ heel of large corporations and government agencies that entrust huge volumes of their sensitive and confidential data to smaller suppliers. Cyber-criminals will continually shift some of their efforts to focus on these vulnerable SMEs, instead of going after much better-protected corporations,” he argued.

Richard Staynings, chief security strategist at Cylera, claimed that the government’s calculations for the average cost of a security breach (£1100) are off by “an order of at least one or two magnitudes,” especially for larger firms.

“Organizations aren’t truly counting the cost of a cyber breach. Firstly, there’s the cost of the legal and security incident response teams, the forensic consulting, the PR and any other experts you need to bring in to handle the impact of the incident. Then, you have the loss of business due to your data and system having been destroyed,” he explained.

“Then there are the regulatory fines and punitive damages for data breaches. Taking all this into account, you are looking at the cost of a cyber-attack being closer to a few million pounds.”
