Key Findings of the Cyber Security Breaches Survey 2022
The UK Government has released a survey dissecting cyber security breaches. The primary objective of the report is to provide insight and inform guidance on cyber security within the UK, creating a secure environment for businesses.
The survey was carried out in the winter of 2021-2022, with the qualitative element in early 2022.
In the last 12 months, 39% of UK businesses reported a cyber attack. Businesses with a more mature security posture were found to be better able to identify attacks. Conversely, less cyber mature businesses may be underreporting attacks, meaning the true percentage may be higher.
Of the businesses that did identify attacks, the most common attack vector was phishing at 83%. Besides phishing, around one in five businesses (21%) identified more advanced vectors such as denial of service, malware and ransomware attacks. Despite ransomware’s low frequency, businesses regard it as a major threat, with 56% of organisations implementing policies not to pay ransoms.
Frequency & Impact
Before talking about “impact” and “outcome”, it is important to note the clear distinction between the two terms. Outcome refers to a “negative outcome of an attack [involving] a material loss from an organisation, such as a loss of money or data”, whilst impact refers to a “negative impact on organisations [that did not result in] a material loss. This could be issues relating to staff disruption or implementing new measures in the organisation”.
Of the 39%, 31% of businesses and 26% of charities estimated that they suffered an attack at least once a week. As a direct result of these cyber attacks, one in five businesses and charities say they experienced a negative outcome, such as financial or data loss. 35% of businesses and 38% of charities experienced negative impacts, such as new measures or policies, added staff time to deal with breaches, or additional repair and recovery costs.
Cost of attacks
The average estimated material loss from a cyber attack (from the categories in the table below) came out at £4,200. When only medium and large businesses are analysed, the average figure rises to £19,400.
The UK Government’s ‘10 Steps to Cyber Security’ is ten-step guidance for organisations to follow for protection. The Cyber Security Breaches Survey indicates that 49% of businesses and 40% of charities follow at least 5 of the 10 areas, with access management the most commonly adopted and supply chain security the least.
As reported on our latest Positive Security blog, the survey concluded that eight in ten businesses (82%) report that cyber security is a ‘very high’ or ‘fairly high’ priority for boards or senior management, up 5% from the previous year. Furthermore, seven in ten charities (72%) say their trustees view cyber security as a ‘very high’ or ‘fairly high’ priority. It was identified that this change in the importance of cyber risks was driven by greater understanding at the senior level.
The survey also found this perception of cyber risk is seen as a higher priority across large and medium businesses, in comparison to small businesses (95% large, 92% medium, vs. 82% overall).
Larger organisations are seen to have enhanced cyber security, likely due to increased investment and expertise. Within these large organisations, 80% update the board at least quarterly on cyber security matters, 63% conduct a risk assessment and 61% incorporate staff training. This compares to 50%, 33% and 17% respectively across all businesses, regardless of size.
Only just a majority, 54% of organisations acted to identify security risks through a range of actions, with security monitoring tools (35%) being the most common. Interviews with these businesses revealed that a lack of understanding often caused responsibility for the risk to be passed on to third party cyber providers, insurance companies or internal cyber colleagues.
Outsourcing & Supply Chain
Small, medium and large businesses outsource their IT and cyber security externally at 58%, 55% and 60% respectively. This gives businesses access to greater expertise to manage their cyber security.
However, one area of concern is that only 13% of businesses carry out due diligence on their immediate suppliers, as this is not seen as an important factor during the procurement process. This is alarming amid rising supply chain attacks, and businesses should place greater emphasis on assessing the risks posed by immediate suppliers. As a simple example, if an organisation is sharing sensitive or personal data with 5 of its suppliers, there is roughly a 500% higher chance that one of the suppliers will be breached and that data compromised than that the organisation suffers the breach itself.
Only 19% of businesses claim to have an established formal incident response plan, while 39% have assigned roles should an incident occur. This is staggeringly low, and more businesses should rectify this by devising a formal incident response plan that gives clear direction in the wake of a cyber attack. The NCSC has some guidance on this which, although last updated in 2019, could help businesses build a response plan.
On the other hand, businesses indicate that they would adopt a clear reactive approach in the event of a breach, with 84% saying they would inform the board and 73% saying they would assess the attack.
Besides working with outsourced cybersecurity providers, businesses commonly engage with insurers, with 43% of organisations having an insurance policy covering cyber risks.
Want more insight on cyber insurance? We covered this recently; find out more here.
Even with these precautions, only 6% of businesses are Cyber Essentials certified and just 1% are Cyber Essentials Plus certified, primarily due to a lack of awareness of cyber security.
What do we think?
We think the survey offers some great insight, providing critical statistics and highlighting room for improvement. However, there is still a lot of work to be done.
As highlighted in our latest edition of Positive Security News, 77% of businesses and charities view cyber security as a ‘fairly high’ or ‘very high’ priority for boards and senior management. At first glance this is a very reassuring figure because, naturally, understanding how important cyber risk is allows senior members within organisations to prioritise appropriately and to manage and improve their organisation’s cyber hygiene.
However, it appears that board level awareness is not yet delivering the goods. For example, 54% of organisations took action to identify security risks and address such gaps, yet only 19% of businesses claimed to have an established incident response plan.
Acknowledgement is a good first step, but more action is needed.
It may be that questions about the importance of cyber security are being answered without sincerity, for good PR, rather than out of genuine acknowledgement and action. More likely, businesses have other priorities or lack the insight required to act accordingly.
Our number one recommendation
We are firm believers in risk management. When organisations identify their risks, they can make informed decisions on how and where to improve. Without such data, they often misspend budget, time and talent on areas which do not address the key risks and causes of breaches.
Our number one recommendation is for organisations to complete a cyber risk assessment. Once the key risks are identified, they should make a pragmatic security plan to address risks in line with their risk appetite.
If outside expertise is needed to drive or validate the risk assessment process, get in touch with us to chat over a virtual coffee.