UK business falling short on cybersecurity warns government report

A staggering 78% of businesses lack a formal incident response plan

The latest Cyber Security Breaches Survey for the year 2024 released by the Department for Science, Innovation and Technology (DSIT) has revealed alarming statistics about the state of cybersecurity preparedness among UK businesses.

According to the survey, approximately 50% of businesses and 32% of charities reported experiencing some form of cybersecurity breach or attack in the last 12 months.

Medium and large businesses, along with high-income charities earning £500,000 or more annually, were identified as particularly susceptible.

Phishing was the most prevalent form of cybercrime targeting UK businesses, with large enterprises being prime targets for sophisticated attacks such as malware and ransomware.

The survey estimates that UK businesses collectively endured around 7.78 million cybercrimes of various types, with approximately 116,000 incidents categorised as non-phishing cybercrimes within the past year.

A staggering 78% of UK businesses were found to lack a formal incident response plan, with only 22% having any such strategy in place.

Andy Kays, CEO at Socura, expressed surprise at the findings, pointing out the disparity between businesses' preparedness for physical emergencies like fires and their negligence in addressing digital threats.

"Despite years of warnings from experts, countless data breach headlines, and increased regulatory action, this issue still isn't on their radar," Kays said.

"Most businesses' experience with cyber incidents seems limited to phishing attempts, and their default response is to conduct security awareness training if they do anything at all. In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident. They are failing to do the bare minimum. It's also important to note that businesses are doing very little to prevent or detect breaches in the first place."

Low rate of reporting

One of the most concerning facts uncovered by the report is the low rate of reporting security breaches to external authorities.

Only 10% of businesses notify law enforcement upon detecting a breach, while reporting rates to critical entities like the National Cyber Security Centre (NCSC) are even lower.

The report also highlights a lack of transparency in informing clients and customers about breaches, with alerts being issued in only 5% of cases.

Many organisations cited reasons such as uncertainty about where to report incidents and scepticism about the effectiveness of reporting as barriers to taking action.

In terms of response measures, the report revealed that a significant portion of businesses (39%) opted to take no action following a breach. While some invested in staff training and minor technological adjustments, a substantial number failed to implement any meaningful changes to bolster their cybersecurity defences.

Small and micro businesses emerged as particularly vulnerable, owing to their lack of resources and expertise.

However, medium and large enterprises were not immune, with 74% and 86% respectively taking some form of action to prevent future breaches.

Financial implications

The financial implications of cybersecurity breaches were also highlighted in the report. While the average cost of a breach stood at £1,206 ($1,529) for businesses, the figure rose significantly for incidents resulting in data theft, reaching an average of £6,940 ($8,799).

Medium and large businesses bore the brunt of these costs, with long-term expenses including legal fees and talent acquisition exacerbating the financial strain.

"It is concerning to see how many organisations are failing to review the security risks posed by their immediate suppliers, particularly in the wake of several high-profile breaches at third party providers of solutions and services," said Del Heppenstall, partner and head of cyber at KPMG in the UK.

"Almost every organisation relies on a complex web of suppliers, vendors, and partners to provide services to their business and customers. Therefore, they should prioritise monitoring and assessing the performance and security posture of third parties and address any security issues or gaps as a matter of urgency."
