Three-quarters of UK businesses and 79% of charities have experienced a cybersecurity incident in the past 12 months, according to new figures published by the UK government.
The survey found only limited improvements in organizations’ cybersecurity posture between 2022 and 2023, with many of the metrics remaining consistent.
The Cyber Security Longitudinal Survey (CSLS) has tracked around 1000 UK businesses and charities since 2021, with the latest wave relating to cybersecurity in these organizations in 2023.
How UK Organizations Are Approaching Cybersecurity
Charities tended to take a less formalized approach to cybersecurity than businesses. For example, they were much more likely to allow their staff to access their systems using a personal device (56% vs. 35%).
Additionally, businesses are significantly more likely than charities to require staff to use a VPN for remote access (81% vs. 69%).
Around a third of businesses (38%) and charities (36%) adhere to at least one of the three key cybersecurity certifications: Cyber Essentials Standard, Cyber Essentials Plus and ISO 27001.
A majority of businesses (62%) and charities (59%) have in place all five technical controls required to attain Cyber Essentials accreditation, a scheme developed by the UK government to encourage organizations to raise their baseline security.
In regard to incident response, the majority of businesses and charities have a written procedure in place for responding to cybersecurity incidents (59% and 56%, respectively). Around half (46%) of businesses and a third (34%) of charities have tested their incident response policies in the past 12 months.
Only a small proportion of businesses (23%) and charities (16%) use AI or machine learning as a means to improve their cyber resilience.
Large businesses were more likely to score highly on cybersecurity than small and medium-sized organizations. For example, they are more likely to adhere to cybersecurity accreditations and to have all five technical controls required for Cyber Essentials certification in place.
Email Threats Top Incident Type
Across the past three years there was a similar pattern in the types of incidents impacting these organizations.
The only significant change observed in 2023 compared to 2022 was businesses and charities experiencing an uptick in attempted hacks of their websites, social media or user accounts.
Boardroom Involvement in Cybersecurity
The report highlighted some encouraging figures around the involvement of board members in their organization’s cybersecurity posture.
It found that around half of businesses and charities (55% and 45%, respectively) have a board member responsible for oversight of cybersecurity, while roughly two-thirds have a staff member responsible for cybersecurity who reports to the board (66% of businesses, 61% of charities).
Board-level cybersecurity training is in place in 50% of businesses and 35% of charities.
However, the proportion of organizations reporting regular board-level cybersecurity discussions remains quite low: the boards of just 43% of businesses and 37% of charities discuss the topic at least quarterly.
The UK government highlighted the importance of boardroom understanding and involvement in cybersecurity in boosting resilience. For example, 73% of businesses and 67% of charities with one or more board members with oversight of cybersecurity have all five technical controls required to attain Cyber Essentials.
In January 2024, the UK government published a new Code of Practice on cybersecurity governance, which aims to establish cybersecurity as a key focus for directors and other senior business leaders.
Commenting on the new findings, William Wright, CEO of Closed Door Security, said that while it is encouraging that most organizations are taking steps to expand or improve their defenses, there is still a large gap in terms of cyber featuring in board and wider company decisions.
“Organizations must move away from treating cyber as an IT issue. It impacts every single business area, so it needs to feature in almost all business decisions,” he noted.
“The UK is currently under increased threat from hostile nation states and these countries possess highly advanced cyber skills that can cause real damage to businesses and societies. Organizations must prepare for these threats and prioritize their cyber resilience. Attacks are not going down, they are only getting worse, and so are their consequences,” added Wright.
The new CSLS report follows a Microsoft study on March 18, which found that just 13% of UK organizations are resilient to cyber-attacks.