
Nearly 40 per cent of UK businesses hit by cyber attacks


Thirty-nine per cent of UK businesses identified at least one cyber attack on their operations in the last 12 months, according to the UK government's 'Cyber Security Breaches Survey 2022' report, released today.

The 'Cyber Security Breaches Survey 2022' found that phishing was by far the most common threat vector, reported by 83 per cent of the businesses that had identified an attack.

The annual survey is intended as a research study of UK cyber resilience, aligned with the National Cyber Strategy. It is primarily used to inform government policy on cyber security, with the aim of making UK cyber space a secure place to do business.

The study explores the policies, processes and approaches to cyber security for businesses, charities and educational institutions. It also considers the different cyber attacks these organisations face, as well as how these organisations are impacted and respond.

While the 39 per cent of UK businesses identifying a cyber attack is consistent with recent years, the survey also noted that organisations with stronger cyber security identify more attacks, suggesting that less cyber-mature organisations may be under-reporting.

With phishing the most common threat vector by a country mile, around one in five (21 per cent) also identified more sophisticated attack types, such as denial of service, malware or ransomware. Despite its lower prevalence, organisations cited ransomware as a major threat, with 56 per cent of businesses having a policy not to pay ransoms.

Within the group of organisations reporting cyber attacks, 31 per cent of businesses and 26 per cent of charities estimate they were attacked at least once a week. One in five businesses (20 per cent) and charities (19 per cent) say they experienced a negative outcome as a direct consequence of a cyber attack, while around one-third of businesses (35 per cent) and almost four in ten charities (38 per cent) experienced at least one negative impact.

The average estimated cost of all cyber attacks in the last 12 months was £4,200, counting only the organisations that reported a material outcome, such as loss of money or data. Among medium and large businesses alone, this figure rises to £19,400. Larger organisations also typically demonstrated stronger cyber security, most likely because more funding and expertise are available to them. Among large businesses, 80 per cent said they updated their boards on cyber security at least quarterly, 63 per cent conducted a risk assessment and 61 per cent carried out staff training, compared with 50 per cent, 33 per cent and 17 per cent respectively across businesses of all sizes.

The government guidance '10 Steps to Cyber Security' was designed to break down the task of protecting an organisation into 10 key components. The survey found that 49 per cent of businesses and 40 per cent of charities have acted in at least five of these 10 areas. Access management was the area most often addressed, while supply chain security was the least.

The survey also showed that over half of businesses (54 per cent) have acted in the past 12 months to identify cyber-security risks, although limited board understanding of the situation meant the risk was often passed on to outsourced cyber providers, insurance companies or an internal cyber colleague.

Outsourcing of IT and cyber security to an external supplier is common across all sizes of business: 58 per cent of small, 55 per cent of medium and 60 per cent of large businesses do so, citing access to greater expertise, resources and standards for cyber security as the primary drivers.

The 2022 survey concludes that there remains a lack of both will and skill around organisational cyber security, resulting in gaps in "some more fundamental areas of cyber hygiene".

Fewer than one in five businesses have a formal incident management plan; there is a lack of technical know-how within smaller organisations and at senior level within larger organisations, despite cyber security being seen as a high priority; and spending on cyber security is still largely viewed as a cost rather than an investment. As a result, many organisations remain reactive in their approach to cyber security instead of proactively driving improvements.

Commenting on the findings of the report, John Davis, director UK and Ireland, SANS Institute, said: “With nearly four in ten UK businesses identifying a cyber attack over the last 12 months, basic digital hygiene is still going a long way in providing a crucial barrier of protection. Of those identifying a cyber attack, a staggering 83 per cent outlined that phishing was the most common threat vector. However, only 8 per cent of organisations have set up multifactor authentication [MFA] and forced employees to change passwords since their most disruptive breach or attack of the last 12 months, in cases where breaches had material outcomes.

“Keeping on top of cyber security with tools like MFA and education around password maintenance needs to be the new status quo. Consistently reinforcing the importance of foundational cyber-security training and creating a knowledge-based defence against any kind of phishing attack will help block bad actors at the door. When it comes to cyber hygiene, nearly half (49 per cent) of businesses have enacted at least five steps from government guidance. This is a good start, but doubling cyber hygiene should be a goal for leaders across all shapes and sizes of company, to reduce the likelihood of cyber attacks happening and minimise the detrimental impact.

“We’re seeing that acknowledgement of growing cyber threats at a board level is increasing, with 82 per cent of boards or senior management teams rating cyber security as a high priority. Awareness of cyber-security stakes needs to permeate all levels of a company and training initiatives need to be translated across teams. It's impossible for everyone to be a cyber-security guru, but with the right education and interactive training even technophobes can get a starting grasp of the new threat landscape and the ways to safeguard data.”

Data for the government's cyber-security report was gathered in a quantitative survey carried out in winter 2021/22 and a qualitative element in early 2022.

