Identification of Cyber Security Breaches and Attacks
We, at Onyx, had seen that the government had released an article about the UK's current cyber threat with a business viewpoint and thought it may be useful for our partners to be able to view this in a more concise manner. Let's all stay better informed without having to read endless pages which we've managed to shorten to give you a quicker insight into the real-world issues we all face.
Cyber security breaches and attacks continue to pose a significant threat, but recent data reveals a concerning trend among smaller organizations. Compared to last year, smaller organizations are identifying cyber incidents less frequently. This may be attributed to senior managers in these organizations prioritizing other economic concerns over cyber security in the current climate, resulting in reduced monitoring and logging of breaches or attacks.
Overall, 32% of businesses and 24% of charities experienced cyber breaches or attacks in the past 12 months. However, medium businesses (59%), large businesses (69%), and high-income charities with annual income of £500,000 or more (56%) reported higher incident rates.
This represents a decline from 2022, where 39% of businesses and 30% of charities faced such incidents. Notably, this decrease is primarily observed in smaller organizations, while medium and large businesses, along with high-income charities, maintained similar levels as the previous year.
Cost Implications
For organizations experiencing breaches or attacks, the average cost was approximately £1,100 for businesses of any size. Medium and large businesses faced higher costs, averaging around £4,960, and for charities, it was approximately £530.
Cyber Hygiene
To combat common cyber threats, the government advises businesses and charities to adopt a set of "cyber hygiene" measures. A majority of organizations have implemented these practices, including updated malware protection, cloud backups, strong passwords, restricted admin rights, and network firewalls. However, some businesses have experienced declines in certain cyber hygiene areas over the last three waves of the survey, particularly:
1. Use of password policies (79% in 2021 vs. 70% in 2023)
2. Use of network firewalls (78% in 2021 vs. 66% in 2023)
3. Restricting admin rights (75% in 2021 vs. 67% in 2023)
4. Policies for applying software security updates within 14 days (43% in 2021 vs. 31% in 2023)
These trends mainly reflect shifts in micro and small business populations, while large businesses have not experienced significant changes.
Risk Management and Supply Chains
Compared to charities, a larger proportion of businesses actively identify and address cyber risks, with larger businesses being the most advanced. Medium businesses lead in cyber security risk assessments (51%), followed by large businesses (63%).
While 30% of businesses use security monitoring tools, only 19% of charities do. Cyber insurance adoption is more common among medium (63%) than large businesses (55%).
More medium (27%) and large businesses (55%) now review immediate supplier risks, up from 44% of large businesses in 2022. Engaging with supply chain risks, through guidance from bodies like the National Cyber Security Centre, motivates organizations to take action in this area.
Board Engagement and Corporate Governance
Larger organizations tend to have more sophisticated board engagement and corporate governance practices regarding cyber security. Around 30% of businesses and charities have board members or trustees explicitly responsible for cyber security. Additionally, 49% of medium businesses, 68% of large businesses, and 36% of high-income charities have a formal cyber security strategy.
However, corporate reporting of cyber risks remains relatively uncommon, with only 16% of medium business annual reports covering cyber risks and 33% of large business reports doing so. Bridging the gap between IT teams and wider staff, and writing persuasive business cases for cyber security spending, were cited as challenges in board engagement.
Cyber Accreditations and Following Guidance
Around half of organizations seek external information or guidance on cyber security. However, many remain unaware of government guidance like the 10 Steps to Cyber Security and Cyber Essentials. Only 14% of businesses and 15% of charities know about the Cyber Essentials scheme.
Some organizations adhere to recognized standards or accreditations, such as Cyber Essentials or ISO 27001. Larger businesses lead in this regard, with 27% adhering to ISO 27001.
Incident Response
While most organizations claim to have incident response plans in place, formal plans are not widespread. Only 21% of businesses and 16% of charities have them. Bridging the gap between IT teams and wider staff is essential for effective incident response.
Cyber Crime
Cyber crime is more prevalent among larger organizations. Approximately 11% of businesses and 8% of charities experienced cyber crime in the last year, with medium businesses (26%) and large businesses (37%) facing higher rates. Cyber crime victimization is reported by around 34% of organizations experiencing cyber breaches or attacks.
It's important to note that the study includes new questions on cyber crime this year, so caution is advised when interpreting statistics.
Conclusion
As the cyber landscape evolves, organizations of all sizes must prioritize cyber security. Implementing robust cyber hygiene practices, addressing supply chain risks, and fostering board engagement are vital steps to safeguard against cyber threats. Seeking external guidance and adhering to recognized standards can further fortify defences and incident response capabilities.