Experts react to UK Government’s cybersecurity breach survey

Experts react to UK Government’s cybersecurity breach survey

The UK Government has released its latest Cyber Security Breaches Survey 2024, revealing that UK businesses faced approximately £7.78 million worth of cybercrimes in the last 12 months.

Notably, half of businesses (50%) experienced some form of cybersecurity breach or attack in 2023 – with the numbers even higher for medium sized businesses (70%) and large businesses (74%).

For background, the annual study examines cybersecurity practices across businesses, charities and educational institutions – looking at the different attacks and cybercrimes these organisations face, as well as how these organisations are impacted and respond. It is primarily used to inform government policy on cybersecurity, aiming to make the UK cyberspace a secure place to do business.

Marie Wilcox, Security Evangelist at Panaseer, said: “Organisations are still failing to put essential security controls in place. At best, organisations are still below 2021’s standards. Even large businesses that understand the risks often fail to implement controls properly – at least 29% don’t have controls in place for patch management or restricting access to organisation-owned devices. With attackers tending to pick off the lowest hanging fruit, 98% of breaches could be prevented by focusing on security fundamentals and better cyberhygiene. Moving towards the middle of the pack by having the right controls and policies in place will help head off the vast majority of attacks.

“Yet having policies and controls is only half the battle. The shifting, evolving IT landscape makes security a moving target. Organisations need total and continuous visibility over where and how controls have been implemented, to identify whether they are working as they should be, and close potential coverage gaps.

“Too often organisations are relying on incomplete, siloed and even contradictory information. Security tools can often be unreliable witnesses, as they only report on what they alone can see, not the whole picture. This leads to conflicting reports, allowing undiscovered vulnerabilities and threats to hide in the fog of war. Overworked and stressed security teams are drowning in data but lacking insights that can drive change.

“Overcoming these problems is a big data challenge. CISOs need a validated system of record they can trust that gives total visibility over coverage gaps and their true control status. Trusted data allows businesses to assess risk in the context of their business, so they can identify and action high risk issues and mitigate them instead of their teams focusing on the wrong things (reporting, fixing yesterday’s problems) or just dealing with indicators of compromise instead of solving the root causes.

“The survey also lays bare why it’s so important for CISOs to seize and demonstrate control. The CISO is increasingly a crucial linchpin of organisations’ risk management strategy. More businesses than ever before have to cover cyber-risk in their annual reports and this focus will increase with additional regulatory scrutiny. And almost half (46%) of large businesses still lack cyberinsurance. To adapt to their new role, CISOs need to understand the risks they face, and communicate these to all potential stakeholders in the language of the business. Showing that security controls are in place, and constantly monitored, will go a long way to reassuring the board, investors, insurers and regulators.”

Richard Staynings, Chief Security Strategist for Cylera, said: “The latest Government’s Cyber Breaches Survey 2024 shows that an alarming 18% more businesses have experienced some form of cybersecurity breach or attack in the last 12 months compared to last year’s findings. This spike in attacks is likely behind the increase in the number of businesses implementing some form of insurance, rising from 37% to 43% between 2023 and 2024.

“Yet, despite this upward trend in attacks, it’s worrying to read that the percentage of organisations taking actions to identify cyber-risks within their organisation and supply chain has largely unchanged compared to the year before.

“Still only around three in 10 businesses have undertaken cybersecurity risk assessments in the last year with again only around a third of businesses deploying security monitoring tools. While the number of companies reviewing the risks posed by their immediate suppliers hasn’t changed in 12 months, remaining at just over one in 10.

“It is concerning how rare it is still for organisations to be reviewing supply chain risk. This is an accident waiting to happen.

“Organisations in the public and private sector need to do a much better job of managing third parties and in assessing third party risk. They must understand what exactly is connected to their networks and what risk each of these systems presents. This is especially a concern given the significant growth in IoT devices, which often lack cybersecurity and are rarely patched.

“Most industries tend to do a terrible job of managing the security of their supply chain. Any third party vendors, whether those supplying goods in your café or your external accountant, they all need to be held to the same security standards and policies as your own organisation.

“The trouble is few businesses enforce this within their contracts with third parties, making it a prerequisite to ensure that they have policies and procedures that meet our own standards, that they have quality assurance in place, staff training and access controls set up, and that they provide ISO/IEC 27001 certification – the world’s best-known standard for information security management systems (ISMS).

“We can’t have third party vendors winning contracts for critical industry sectors such as healthcare and hospitals based simply on the lowest bid.”

Tom Kidwell, a former British Army and UK Government intelligence specialist, and co-founder of Ecliptic Dynamics, an internet infrastructure security specialist, said: “It’s promising to see a rise in the number of UK businesses now undertaking basic cyberhygiene practices from malware protection and restricting admin rights, to implementing network firewalls and standard processes for dealing with phishing emails.

“These measures are especially important when you consider the number of attacks companies are reporting, up by 18% compared to last year. With unsophisticated techniques such as phishing remaining the most common form of attack, this basic cyber-hygiene can be the difference between businesses being breached or not. It’s good news that the adoption of these practices and products has increased for the first time in the last three years.

“This spike in cyberhygiene coupled with the rise in businesses buying cyberinsurance, up from 37% to 43%, indicates an increase in cyberawareness and investment. However, there are several concerning findings which suggest that this may not be the case on the ground.

“Only 11% of businesses are reviewing the risks posed by their immediate suppliers, despite supply chain attacks accounting for a huge proportion of breaches across all sectors. Three quarters of businesses stated that cybersecurity is a high priority for their senior management and although this is a large proportion, this also means that 25% of board-level leaders in the UK aren’t placing enough importance on security, reinforced by the fact that just three in 10 businesses have senior management explicitly responsible for cybersecurity. This figure has stagnated since 2023.

“There has been an increase in the number of businesses which have a formal cyberstrategy in place, to 58% for medium and 66% for large businesses. Again though, this means that almost half of medium sized businesses and a third of large businesses are still operating without a plan for their cybersecurity, and with attacks becoming increasingly prevalent and indiscriminate, every business with a digital footprint should have at least a basic cybersecurity strategy.

“Within the channel, it seems that the government-backed Cyber Essentials is being ignored by a vast number of IT and Managed Service Providers. The report found that despite 41% of businesses seeking advice from the channel, only 12% are aware of Cyber Essentials, which is a decline since 2021.

“The increase in basic cyberhygiene is a step in the right direction, however, there remain underlying figures within the Cyber Breaches Survey which suggest mindsets and action from businesses is still lagging behind today’s threats. In 2024 it is critical that organisations are aware of their risk and have proportionate response to that risk, through formalised plans, increased knowledge and board-level buy in.”

Tom Henson, Managing Director at Emerge Digital, said: “The Cyber Breaches Survey raises some interesting questions about the investment and understanding of cybersecurity from UK businesses.

“There has been a marked increase in the number of businesses undertaking basic cyberhygiene processes in the last 12 months, including using up-to-date malware protection, up from 76% to 83%, restricting admin rights, up from 67% to 73%, implementing network firewalls, up from 66% to 75%, and having agreed processes for phishing emails, up from 48% to 54%.

“However, on the flip side of these findings, it is deeply concerning that nearly two fifths of businesses don’t have up-to-date malware protection, which in today’s world should really be 100%. There simply isn’t an excuse for businesses not to have these types of protections, so although these figures highlight steps in the right direction, it isn’t enough.

“It is also worrying to see such a small percentage of businesses with oversight of their supply chain. Just 11% review the risks posed by their immediate suppliers, and only 6% look at their wider supply chain. A vast number of breaches which occur are caused by supply chain attacks, and gaining visibility of supplier risk should be a top priority for all businesses.

“For large businesses, which are investing more in cybersecurity, there has been a dip in both immediate and wider supply chain risk analysis. This is likely because, following a spike in 2023, businesses felt comfortable that they’d taken action and could now relax slightly.

“However, when it comes to cybersecurity, this simply isn’t the case. Cybercriminals are working overtime to try and find new ways to breach businesses, and senior leaders must do the same. By not constantly evolving and improving your defenses, you give attackers the chance to catch up.

“It’s also surprising that such a large number of businesses remain unaware of the government-backed Cyber Essentials scheme, with just 12% stating they were aware of it. This figure has decreased year-on-year from 16% in 2022. The scheme gives businesses a solid, base-level of protection, and as the government’s flagship cyber certification, it is staggering that so many are still unaware of it. There is no reason that all businesses shouldn’t know about the scheme, even at a base level.

“The report found that just 41% of businesses had sought out external cybersecurity advice this year. This number should be much higher. Seeking advice is the first step in improving cybersecurity, and the fact that more than half of UK businesses are yet to take this step is concerning.”

Chris Roeckl, CPO at Appdome, said: “The report indicates a clear surge in social engineering attacks, a consequence of Generative AI’s expanding accessibility, highlights a pressing security concern. Social engineering, employing deceitful strategies such as phishing, vishing, baiting and smishing, lies at the heart of nearly 98% of cyberattacks. This alarming statistic underscores the urgent need for heightened vigilance, especially regarding mobile applications. Given their extensive use and the significant private personal and corporate data they contain, mobile apps have emerged as particularly attractive targets for cybercriminals. 

“The brand damage and financial repercussions of these attacks on businesses are staggering, costing billions in investigations, remediation, refunds, and potential regulatory penalties. The personal emotional pain and financial loss to victims can be tremendous. It’s imperative for brands to counteract these social engineering tactics decisively. Employing real-time behavioural analysis techniques to thwart manipulative strategies can protect consumers from falling victim to scams. 

“As AI-powered attacks become more sophisticated, including tactics like vishing, the urgency to act intensifies. The reality we face is stark: continuous growth in attacks is inevitable. The focus must now shift more than ever to constantly safeguarding mobile apps from the manipulative grips of social engineering, to not only protect financial assets but to preserve the trust and security of consumers worldwide.” 

Browse our latest issue

Intelligent CISO

View Magazine Archive