Cybersecurity breach

In an era where cyber threats continue to plague businesses worldwide, the UK government has taken a proactive step towards mitigating these risks by publishing a comprehensive cybersecurity breach survey. The survey provides valuable insights into the current state of cybersecurity policies, processes, and dependencies across various business sectors in the country.

The survey identifies the most common cyber threats faced by businesses, revealing that they are often relatively unsophisticated. To counter these threats, the UK government recommends implementing a set of "cyber hygiene measures". Encouragingly, more than two-thirds of businesses have embraced these measures, which include malware protection, cloud backups, strong passwords, restricted administrative rights, and network firewalls.

However, the survey highlights a concerning trend, with certain areas of cyber hygiene experiencing consistent declines in recent years. Password policies, network firewalls, restriction of administrative rights, and policies for timely software security updates have all seen diminishing adoption rates. Specifically, the survey reveals decreases from 79 to 70 per cent, 78 to 66 per cent, 75 to 67 per cent and 43 to 31 per cent, respectively, between 2021 and 2023. These declines are primarily observed among smaller businesses, while larger enterprises have maintained their cybersecurity practices.

Key metrics derived from the survey shed light on the current state of cybersecurity in the UK.

The survey indicates that 69 per cent of large organisations and 32 per cent of smaller firms have experienced a breach or cyberattack, underscoring the pervasive nature of these threats.

Furthermore, a significant 68 per cent of victims reported suffering financial losses resulting from phishing attacks, emphasising the need for robust protection against email scams. Moreover, the percentage of micro businesses considering cybersecurity a top priority has dropped from 80 per cent in 2022 to 68 per cent in the present year. This decline may be attributed to rising costs and economic uncertainties faced by smaller organisations.

Alarmingly, only 30 per cent of businesses and charities have board members or trustees explicitly responsible for cybersecurity as part of their job, potentially hindering effective security management.

Over the past 12 months, 11 per cent of businesses and eight per cent of charities have fallen victim to at least one cybercrime incident, encompassing approximately 2.39 million cybercrimes of all types and 70,000 non-phishing cybercrimes across UK businesses.

The mean cost incurred by businesses experiencing any cybercrime, excluding phishing, was £20,900 (approximately $26,627), underscoring the significant financial implications associated with cyber incidents.

The survey also sheds light on incident response practices among businesses. While the majority of organisations express intentions to take action in the event of a cybersecurity incident, the reality reveals that only a minority have established formal processes to support such actions. Notably, the study highlights the importance of having designated roles, responsibilities, and clear guidelines for both internal and external reporting of incidents. The lack of formal policies and processes presents an area requiring ongoing improvement, with plans to monitor progress in the upcoming year.

As we delve deeper into interpreting the survey results, a few noteworthy trends come to light. Smaller organisations appear to have deprioritised cybersecurity, potentially influenced by escalating costs and the prevailing economic uncertainties. The shift in working models due to the pandemic may also account for certain trends observed. For instance, the proportion of businesses limiting access to business-owned devices has significantly decreased over the past four years. Additionally, fewer charities are engaging in user activity monitoring this year, suggesting a potential oversight in security measures.

The UK government's publication of the cybersecurity breach survey serves as a clarion call for businesses of all sizes to enhance their vigilance in safeguarding against cyber threats. While commendable progress has been made in adopting cyber hygiene measures, the declining trends in certain areas emphasise the need for continuous improvement.