The Cyber Security Breaches Survey is a long-running research study looking at UK cyber resilience and published by the UK government. The study explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different cyber attacks these organizations face, as well as how these organizations are impacted and respond.
Survey results show that in the last 12 months, 39 percent of UK businesses identified a cyber attack, remaining consistent with previous years of the survey. However, the survey also shows that enhanced cyber security leads to higher identification of attacks, suggesting that less cyber mature organizations may be underreporting.
Of the UK businesses that identified an attack, the most common threat vector was phishing attempts (83 percent). Around one in five (21 percent) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its lower prevalence, organizations cited ransomware as a major threat, with 56 percent of businesses having a policy not to pay ransoms.
Frequency and impact
Within the group of organizations reporting cyber attacks, 31 percent of businesses and 26 percent of charities estimate they were attacked at least once a week. One in five businesses (20 percent) and charities (19 percent) say they experienced a negative outcome as a direct consequence of a cyber attack, while one third of businesses (35 percent) and almost four in ten charities (38 percent) experienced at least one negative impact.
Around four in five (82 percent) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77 percent in 2021. 72 percent in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50 percent of businesses and 42 percent of charities say they update the board on cyber security matters at least quarterly.
Larger organizations are correlated throughout the survey with enhanced cyber security, probably as a consequence of increased funding and expertise. For large businesses 80 percent update the board on cyber resilience at least quarterly, 63 percent conducted a risk assessment, and 61 percent carried out staff training; compared with 50 percent, 33 percent and 17 percent respectively for all businesses.
Just over half of businesses (54 percent) have acted in the past 12 months to identify cyber security risks, including a range of actions, where security monitoring tools (35 percent) were the most common. Qualitative interviews however found that limited board understanding meant the risk was often passed on to outsourced cyber providers, insurance companies, or an internal cyber colleague.
Incident management policy is limited with only 19 percent of businesses having a formal incident response plan, while 39 percent have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84 percent of businesses saying they would inform the board, while 73 percent would make an assessment of the attack.
Pete Connolly, Senior Sales Engineer, Gigamon
The Cyber Security Breaches Survey 2022 highlights the continued focus on – and fear around – ransomware within the business community, as many still view it as a major threat. While only a small proportion of organizations have reported identifying this type of cyber attack in the last year, this may well be due to a lack of visibility of ransomware on their corporate network.
For years, reports have cited adversary dwell time as far beyond what should be acceptable (280 days is the latest worrying number). While security teams try to remedy this by digging into their SIEM or log aggregator, they are often unable to unearth the presence of cybercriminals due to a lack of depth and richness to their data. To reduce this dwell time and mitigate risk, deep observability that provides actionable insights for SecOps professionals has to be prioritised. To do so, organizations of all sizes must eradicate the blind spots within their network that often exist due to a lack of visibility from legacy systems into cloud infrastructure.
It is also particularly interesting that the organizations that do not see ransomware as a threat believe so partly because their data is backed up or stored in the cloud. As many companies now embrace the cloud, ransomware operators have started targeting this infrastructure more acutely and the lack of cloud-specific industry expertise has only exacerbated the problem. It is therefore even more critical for businesses to understand how to secure their data in a virtual environment and recognise the importance of deep observability across all data in motion – from the core to the cloud and back again.
Steve Cottrell, EMEA CTO at Vectra
A mere 39 percent of UK organizations have spotted a cyber attack in the last 12 months, which shows most firms are just scratching the surface in understanding their cyber risk exposure. It’s highly likely most organizations simply aren’t spotting the attacks that are happening on an almost daily basis. Looking at the results, and seeing the high proportion of phishing attacks, there appears to be a serious lack of cyber security awareness across the UK organizations surveyed too. It’s crystal clear that not enough organizations are carrying out meaningful user education, which is an invaluable first line of defence when protecting against cyber threats.
Board level understanding appears to be suffering from a major disconnect too. Despite directors, trustees and senior managers rating security as a ‘very high’ or ‘fairly high’ priority, a lack of expertise is contributing to the belief cyber security risk can simply be outsourced to third parties or providers, insurance companies, or internal colleagues. The reality is every element of how a business operates – from the suppliers they choose to how products are designed, and even how they interact with customers – all influence the magnitude of cyber security risk faced. As such, the Board must retain ultimate ownership of security risk and manage it just as they would for any other high priority business risk.
To truly address cyber security risk, organizations must take a holistic approach which considers people, processes, and technology. This means being mindful of the specific cyber threats your organization faces, ensuring that you have a firm foundation in place aligned to an established industry security standard (e.g. CIS Critical Security Controls), and having cyber threat detection capabilities that span across your entire organization to stop attacks before they become breaches.