Six Surprising Results from the UK Government 2023 Cyber Security Breaches Report


You may already be aware that the UK Government has a National Cyber Strategy. The second incarnation of this is dated 2022 and it sets out how the UK will address the risks, and capitalise on the opportunities, of “cyber”. It describes the five pillars of the strategy which are:

1. UK Cyber Ecosystem

2. Cyber Resilience

3. Technology Advantage

4. Global Leadership

5. Countering Threats

In order to get an idea of how it’s going, the UK Government also sponsors an annual survey of UK organisations called the Cyber Security Breaches Survey and the latest report from this has just been published (April 2023).

How Was the Survey Carried Out?

The survey, which was carried out by the research company Ipsos, gathered responses from nearly four thousand businesses, charities and education institutions and then talked to forty-four of these in more detail to get some insight into what’s behind the figures. It’s notable that public sector organisations and sole traders were not included. The survey started in 2016 so comparisons can be drawn over a roughly seven-year period.

What Does the Survey Say?

Let’s be honest, many of the surveys we see on the subject of cybersecurity are conducted by commercial companies with a vested interest in making the situation sound worse every year, because that’s good for sales. You could say that this survey might be slanted towards making the situation sound better so that the UK Government can feel good about its strategy, but I’d like to think that’s not the case (but I’d have to admit I don’t know for sure).

But the results of this survey are surprising in a number of ways, and I’d like to pick out just a few of these to show you what I mean by that.


1. Cybersecurity is Less of a Priority Than Last Year

In businesses overall, the proportion regarding cybersecurity as a high priority has fallen from a relatively healthy 82% last year to 71% this time. This is particularly true at the smaller end of the scale, where the feedback suggests that cost pressures are overwhelming other priorities in the battle to stay afloat.


2. Awareness of Schemes Such as Cyber Essentials Has Dropped

Over the last two to three years, awareness of UK Government schemes such as Cyber Aware, Cyber Essentials and Ten Steps to Cyber Security has fallen. In the case of Cyber Essentials, it is the first such drop, from 16% last year to 14% this year.


3. Fewer Controls Are in Place Than Last Year

The deployment of the basic controls of cybersecurity has reduced compared to last year, with less emphasis on areas such as:

· Malware protection

· Password policies

· Patch management

· Admin rights

· Network firewalls

This is mainly true within smaller organisations, but it means that not only are awareness and priority lower, but concrete action is also suffering.


4. Less Than a Third of Businesses Have Cyber Security Policies in Place

Only 29% of businesses and 35% of charities have formal cybersecurity policies in place, and still fewer have a plan for what they will do if they suffer a breach or business disruption due to a cybersecurity issue.


5. Only Five Percent of Businesses Adhere to Cyber Essentials

Cyber Essentials has been around for a while now, and there have been changes to make the scheme simpler and easier to adopt over time. However, the number of businesses that follow the standard is one in twenty, and even lower within charities. The Plus version of Cyber Essentials is adopted by around two percent of businesses.


6. Fewer Breaches Are Being Reported

The number of businesses identifying breaches or attacks has fallen consistently over the last four years to 32% this year, which on the face of it could be seen as a measure of success. This is mainly true within smaller businesses, with larger ones not seeing such a reduction.

Some figures that stand out since the start of the survey in 2017 are the fall in viruses (from 33% to 11%) and the drop in ransomware (from 17% to 4%).


So What’s Going On?

The overall flavour of this survey is quite different from the traditional results which usually paint a picture of a steadily worsening battle in cyberspace, with more attacks and necessarily higher awareness and action in defence. The picture presented here is one of the eye being taken off the ball to some extent, particularly among smaller organisations, but no corresponding increase in breaches as a result. Surveys are very difficult to interpret and we may never know the real reasons for many of the figures, but the suspicion is that the cost of living crisis, following directly on from the COVID-19 pandemic, has had a significant effect on financial priorities and on the IT landscape, with a more widespread workforce than before. As a result, the appetite for cybersecurity has lessened and even the basic controls have been relaxed.

And yet so far this hasn’t seen an increase in breaches or attacks taking advantage of the reduced defences. Maybe this is because organisations simply can’t tell whether they have been breached (although a ransomware demand is an obvious sign), or maybe it is a side effect of the war in Ukraine having reduced the resources dedicated to cybercrime?

On the face of it, this could be seen as a positive survey in that the impact of cyber attacks is lessening (at least at the smaller business end of the scale) and the reduced emphasis on defences is a reasonable reaction to that. But we live in a very volatile world and advances such as artificial intelligence may start to have a significant impact in the near future. It will be interesting to see what happens next year with this survey – will it be a blip or a lasting trend?

-------------------------------------------------------------------------------------------------------

Written by Ken Holmes CISSP CIPP(E), Managing Director of CertiKit Ltd. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor, and has helped to implement, operate and audit ISO certifications over a varied 30-year career.

