Farzan Mirza

Unpacking the 2024 UK Cyber Security Breaches Survey

Updated: Jul 29

The Department for Science, Innovation & Technology (DSIT) has recently released the 2024 edition of the Cyber Security Breaches Survey. This report is jam-packed with useful information to help UK businesses align their cyber security roadmap with the latest insights. It only makes sense that we dive into some of the highlights from this year's edition and help identify what UK businesses should focus on!


Key Findings 


The main finding that stands out straight away is that exactly 50% of UK businesses had experienced some form of cyber security breach within the last 12 months. Worryingly, compared with our breakdown of the 2022 Cyber Security Breaches Survey, this has increased by 11%.


Small businesses are not overlooked by cyber criminals: 58% of them had identified a breach or attack within the last 12 months.


Charities are also seeing cyber security breaches at an alarming rate, with around a third of the charities surveyed saying they had experienced a cyber breach or attack in the last 12 months.

  • We recently helped secure a UK charity, Parathyroid UK. You can read about the case study here.

*Figure 4.1: Percentage of organisations that have identified breaches or attacks in the last 12 months


Phishing is the most common type of breach or attack, seen by 84% of businesses and 83% of charities, usually in the form of illegitimate emails. Actionable steps to reduce the likelihood of a successful phishing attack would include adopting a security training and awareness program, alongside bolstering your email security settings. 


Regarding financial costs, the mean cost of a breach that leads to an outcome (such as loss of assets or data) is £6,940, up from £3,770 in 2023. This cost breaks down as follows:


  • Micro/small businesses - £4,590 (up from £2,950 in 2023)

  • Medium/large businesses - £40,400 (up from £15,800 in 2023)

  • All charities - £1,850 (down from £2,310 in 2023) 


These costs are a combination of direct costs (such as legal fees, PR costs and fines) and indirect costs (such as staff being unable to do their jobs). As we can see, there is a huge increase in the financial cost of a breach leading to an outcome for all businesses. However, one positive is that charities have seen a decrease in the financial cost of a breach that led to an outcome.


Cyber Hygiene improvements? 


In terms of the cyber security controls used by UK businesses, we are seeing greater adoption compared to 2023. For example:


  • Up-to-date malware protection has increased from 76% to 83% 

  • Restricting admin access has increased from 67% to 73% 

  • Network firewall adoption has increased from 66% to 75%

  • Agreed processes for phishing emails have increased from 48% to 54%


The trends here are a reversal of previous years, which saw consistent declines amongst businesses.


So this is really promising stuff? Then why the dissonance between the growing adoption of security measures and the increase in reported cyber attacks? We're taking the right steps to put the fire out, but the fire just seems to keep growing.


For a full breakdown of technical cyber security controls, this year’s cyber security breaches survey showcases the following: 

*Figure 3.6: Percentage of organisations that have the following rules or controls in place


As highlighted above, there is an increase in some of these controls, such as malware protection and restricting admin access. However, many of these controls will need to be adopted more widely to create a baseline foundation.


For example, software security updates should be applied in a more timely manner, within a 14-day window, to ensure that any security vulnerabilities are quickly addressed. Exploitation of vulnerabilities is consistently a high-ranking cause of cyber breaches, as seen in Verizon's latest Data Breach Investigations Report (DBIR). A good way of reducing the likelihood of these vulnerabilities existing in the first place is simply to update our devices and applications. With only 34% of businesses and 20% of charities applying security updates within 14 days, this figure needs a significant increase.


Password policies that ensure users set strong passwords are in place at 72% of businesses, which is pretty solid. However, medium and large businesses massively inflate this number: adoption is around 96% when focusing solely on them. Poor password hygiene leaves us susceptible to a cyber breach, as attackers are able simply to try common passwords to log in.


A simple way to fix this would be to use a password manager. They're cheap, secure and give you the option to set strong and unique passwords for your accounts. Passwords are something that Practical Infosec feels very strongly about securing; you can read our guidance on how to set up a password manager here.


Security training and awareness for employees is also considerably low. As highlighted in this survey, phishing is the most common type of breach or attack, seen in 84% of businesses and 83% of charities overall. 

*Figure 3.7: Percentage of organisations that have had training or awareness raising sessions on cyber security in the last 12 months


Employees should be made aware of what a phishing email looks like, how to report one and who to tell when they identify one. This will help reduce the likelihood of a successful phishing attack.


Training and awareness programs typically cover phishing as a topic. However, they usually incur a cost that is simply not feasible for charities and small/micro businesses, hence the massive differences seen in Figure 3.7.


There are some quick wins a small/micro business or charity can take to bolster their phishing knowledge. Google's phishing quiz provides a quick way of helping staff identify common phishing techniques. This is a good starting point; however, for businesses aiming to bolster their security, we recommend undertaking some form of security training and awareness program.


Practical Infosec offers live training sessions with our consultants; however, there are many options available depending on what you feel best fits your business or charity.


Low levels of Risk Management and Supply Chain Management - Especially for small businesses and charities


An increase in cyber attacks may correlate with the low number of businesses that have identified their cyber risks as part of their risk management process. Only 31% of businesses and 26% of charities have undertaken a cyber security risk assessment in the previous year. When looking at just medium and large businesses, this jumps up massively to 63% and 72% respectively.


This indicates that a huge number of small businesses are not identifying their cyber risk, even though 58% of them are identifying a cyber attack. You could put this down to many different factors, perhaps the cost of a risk assessment or a lack of awareness that they need to identify cyber risk in the first place. Either way, there has to be a conscious effort to improve this number. Small businesses and charities should be made aware of the cyber risk they potentially face.

  • A good place to start with identifying your cyber risk is taking our free 5-minute quiz to find out your baseline score. You can take it by following this link.


In terms of supply chain risk management, just over one in ten businesses say they review the risks posed by their immediate suppliers (11%, vs. 9% of charities). This increases across medium businesses (28%) and large businesses (48%). This is not too much of a surprise, as medium and larger businesses are typically subject to compliance frameworks such as ISO 27001. However, small businesses and charities should still carry out some form of due diligence on their suppliers to ensure that foundational security measures are in place.


An example of how an external issue with a supplier can impact your business was seen in the CrowdStrike-Microsoft incident of July 2024. A software update containing a vulnerability was deployed, resulting in global IT outages for millions of Windows devices, displaying the infamous blue screen of death.


This incident showcases the extreme end of an external supplier issue. Moreover, supply chain issues are increasing overall, not just the ones that make the headlines. Verizon's latest Data Breach Investigations Report (DBIR) indicates that supply chain issues increased by 68% from 2023 to 2024, featuring in 15% of all breaches globally.


The board does engage - Depending on the size 


Cyber security is a discussion point that is given high priority across all businesses, with 75% of all businesses and 63% of charities making it a topic of discussion. This is heavily skewed by the larger businesses and charities, as seen in the figures:

  • 93% of medium businesses and 98% of large businesses see cyber security as a high priority 

  • 93% of charities with an income of £500,000 and more see cyber security as a high priority 


Again, this does not look good for smaller businesses and charities, possibly owing to a lack of resources and allocation. Larger businesses and larger charities will simply have more resources to make cyber security a topical discussion. However, there are steps that can be taken by small businesses and small charities.


For example, the NCSC's Board Toolkit provides guidance on how you can embed cyber security as a discussion point within your board or senior management. They also provide a 10 Steps to Cyber Security guide, focusing on some key areas to cover. Furthermore, on the more technical side, you can download IASME's Cyber Essentials question set and see if there is anything you can do to further bolster your cyber resilience.


If your board or management haven't spoken about cyber security before, here are 5 questions to get you started:


  1. Do we know what our most critical assets are and how they could be impacted by a security incident? (e.g. our website, client data or any other critical business activities which rely heavily on technology)

  2. Do we know the biggest digital threats to those assets? (e.g. ransomware, accidental errors, phishing attacks, unauthorised access to systems)

  3. Have we estimated what financial impact we could absorb if one of those threats were to unfold? (e.g. costs as a result of downtime/loss of clients, reputation damage, third party costs for incident investigation and response)

  4. Do we have a strategy or plan for how we’ll continuously protect against those threats? If not, do we feel confident we’re doing enough?

  5. Have we assigned a budget for security? (Think about Cyber Essentials, antivirus, password managers, consultants, etc. A typical business spends 1% of revenue, or 10% of IT costs, on cyber security, but this should be used only as a guideline. We wrote about budgeting for cyber security in 2023.)


So what should you do? 


The main point to highlight within this survey is the contrasting adoption of cyber security measures between small/micro businesses and charities and larger businesses and charities. Many factors, such as budget, resources and regulatory requirements, will influence this. However, this survey also identifies that small/micro businesses and charities still face the threat of a cyber attack. As a result, there are some key recommendations we would encourage you to act on:


Know where you stand: 


  • Regular Risk Assessments: Conduct regular cyber security risk assessments to identify potential threats and vulnerabilities. Even a basic assessment can highlight critical areas needing attention.

  • Take our free 5-minute quiz. This will provide you with a baseline score of where you stand against common cyber threats.


Basic Cyber Hygiene:


  • Use Strong Passwords: Ensure that all employees use strong, unique passwords (ideally through a password manager) and enable two-factor authentication where possible. This can prevent unauthorised access to systems. For guidance on how to set up a password manager, read our article here.


  • Update Software Regularly: Apply the latest security updates to your software and aim to do so within 14 days. This ranges from operating system updates to updating your browser.


  • Back Up Data: Regularly back up your important data and store it offline or in a secure cloud service. This can help you recover data in the event of a ransomware attack.


Phishing Awareness:


  • Training: Conduct regular, short training sessions to educate employees and other stakeholders on how to recognise phishing emails and other common cyber threats. Free resources (such as the Google phishing quiz) and guides are often available online. Alternatively, invest in a security training and awareness program. You can read about our Security Champion Training service here.


Access Control:


  • Limit Access: Only give employees and other users access to the data and systems they need to do their job and have a formal process before giving someone administrator privileges. 


  • Monitor Access: Regularly review access rights and monitor for unusual activity.


Incident Response Plan:


  • Develop a Plan: Create a simple incident response plan outlining steps to take in the event of a cyber attack. This should include contact information for key personnel and external support.


  • Regular Testing: Communicate this plan and conduct regular testing to ensure all employees know their roles and responsibilities during a cyber incident.


Use Free or Low-Cost Tools:


  • Open Source Software: Make use of open-source security tools for tasks such as network monitoring and vulnerability scanning.



Engage with the Community:


  • Attend Cyber Security Events: Participate in local or industry-specific cyber security networks to share information and learn from others. You can find local cyber security clusters over at the UKC3, helping you find local events and a pool of cyber security knowledge at your disposal. For those of you in software development, we recommend looking at OWASP. They provide guidance on security for web applications, and also host in-person events. You can find your local chapter here.


  • Collaborate: Work with other small businesses or charities to share resources and knowledge.


You can read the 2024 Cyber Security Breaches Survey here.


If small business cyber security is an area you wish to focus on or anything else, you can book a free call here or get in touch.
