Senior managers in smaller organisations may view cyber security as less of a priority in the current economic climate than in previous years, according to the government’s Cyber Security Breaches Survey. Although these organisations report fewer breaches than in previous years, the report suggests this reflects less monitoring and logging of breaches or attacks rather than fewer incidents.
Based on the incidents they report, 32% of businesses and 24% of charities overall recall experiencing breaches or attacks over the last 12 months. The rate is much higher for medium businesses (59%), large businesses (69%), and high-income charities with £500,000 or more in annual income (56%).
While this is a decrease from 39% of businesses and 30% of charities in 2022, the drop is driven by smaller organisations. Reports from medium and large businesses, as well as high-income charities, remain at similar levels to last year.
The government estimates that among those identifying breaches or attacks, the single most disruptive event from the last 12 months cost each business, of any size, an average of approximately £1,100. This increased to approximately £4,960 for medium and large businesses. For charities, it was approximately £530.
The proportion of micro businesses that considered cyber security a high priority decreased from 80% in 2022 to 68% this year, raising particular concerns about security risks in this sector.
The most common cyber threats are relatively unsophisticated, and their mitigation requires simple cyber hygiene measures. The majority of organisations surveyed had a range of hygiene measures in place, such as fully updated malware protection, cloud back-ups, passwords, firewalls and restricted admin rights. There are several declining areas that are cause for concern, however:
- use of password policies (79% in 2021; 70% in 2023)
- use of network firewalls (78% in 2021; 66% in 2023)
- restricting admin rights (75% in 2021; 67% in 2023)
- policies to apply software security updates within 14 days (43% in 2021; 31% in 2023).
Again, these downward trends mainly reflect changes in the micro business population, with some lesser decline in small and medium businesses.
More businesses take actions to identify cyber risks than charities. For the first time, the majority of large businesses are reviewing supply chain risks, although this is still relatively rare across all organisations.
Given these findings, it is unsurprising that board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations. However, corporate reporting of cyber risks remains relatively uncommon across all sizes of organisation.
Three in 10 businesses (30%) and charities (31%) have board members or trustees explicitly responsible for cyber security as part of their job role – rising to 41% of medium businesses and 53% of large businesses. Just under half (49%) of medium businesses, 68% of large businesses and 36% of high-income charities have a formal cyber security strategy in place.
“The lower priority that many businesses seem to be placing on good cyber security practices is a concern, given that the prevalence and severity of cyber attacks remains steady,” says Ian Pay, ICAEW’s Head of Data Analytics and Tech. “The survey results show that it really is a case of when, not if, a business will be the victim of a cyber breach. With this in mind, it becomes all the more important to ensure that the risks and potential impacts are minimised.”
Basic cyber security hygiene costs little or nothing to implement. Pay implores all businesses and charities, regardless of size, to implement basic security measures such as those highlighted in the report: “Strong passwords, access management and keeping on top of software updates do make a real difference, as does encouraging all staff to be alert to scams and phishing emails.”