Security breaches and cyberattacks remain significant threats to UK businesses, but many small businesses appear to be prioritizing non-cybersecurity issues, the UK government warns.
The 2023 Cybersecurity Breach Investigation provides a useful snapshot of cyber resilience in the nation’s businesses and charities. The study surveyed 2263 UK businesses, 1174 registered charities and 554 educational institutions.
Details from last year’s report: A third of UK businesses are attacked at least once a week.
A key finding for 2023 is that the percentage of medium-sized businesses (59%) and large businesses (69%) reporting a breach or cyber-attack in the last 12 months has remained largely unchanged since the last report.
However, the overall business figure decreased from 39% to 32% during this period. This is not due to improved cyber resilience, but rather that “senior managers at smaller organizations view cybersecurity as a lower priority in the current It could be due to the fact that we don’t do a lot of recording attacks,” the report claimed.
For example, the percentage of micro businesses that say cybersecurity is a top priority has dropped from 80% in 2022 to 68% this year. The report notes that this is being driven by economic uncertainty and high inflation, adding that the shift to hybrid work is making it harder for smaller organizations to identify security breaches and attacks.
One casualty of this deprioritization of security is certain cyber hygiene best practices. The percentage of respondents claiming to have a password policy decreased from 79% to 70%, and the figures for network firewalls (66%), limited admin rights (67%) and rapid software updates (31%) also decreased.
“These trends mainly reflect changes in the micro-enterprise population and, to a lesser extent, small and medium-sized enterprises. The performance of large companies has not changed,” the report confirmed.
Other challenges highlighted in the report include the fact that less than one-fifth (14%) of all companies are aware of, and willing to participate in, government cyber security guidance and initiatives such as the NCSC’s “10 Steps” guide or its Cyber Essentials scheme.
Board involvement in cybersecurity is also inadequate. Only 30% of companies have a board member responsible for security, rising to 53% in larger organizations. In fact, only 49% of medium-sized companies and 68% of large companies have a formal cybersecurity strategy in place.
Only one-fifth (21%) of companies have a formal incident response plan, compared to 47% of medium-sized companies and 64% of large companies. Additionally, third-party risks are still largely under-assessed. Only 13% review the risks posed by suppliers, compared to 55% of large companies. One positive is that the latter figure is up from 44% in 2022.
Tom Kidwell, a former UK government intelligence specialist and co-founder of Ecliptic Dynamics, argued that profit-driven SMEs often don’t realize the value of cybersecurity until it’s too late.
“Ultimately, even if these numbers change slightly, the underlying trends are likely to change little over the next few years,” he added.
“The mindset of many organizations is that the threats posed by malicious groups have yet to be addressed, businesses are not adequately protecting themselves, and cybersecurity costs continue to rise, resulting in risks and We are constantly juggling between business affordability.”
Ilia Kolochenko, founder of ImmuniWeb, warned that small businesses can be a supply chain risk for large partners.
“Small businesses are the Achilles heel of large corporations and government agencies, entrusting large amounts of sensitive data to smaller suppliers. We will continue to shift some of our efforts to focus on vulnerable small businesses,” he argued.
Richard Staynings, Chief Security Strategist at Cylera, argued that the government’s calculation of the average cost of a security breach (£1100) is off by “at least an order of magnitude or two”, especially for large companies.
“Organizations do not accurately calculate the cost of a cyber breach. Then you lose business because data and systems are destroyed,” he explained.
“Then there are regulatory fines and punitive damages for data breaches. Taken all together, the cost of a cyberattack could be close to £1 million.”