Brian Sims
Editor

Cyber Security Breaches Survey 2024 issued by DSIT

THE DEPARTMENT for Science, Innovation and Technology has published the 2024 Cyber Security Breaches Survey, the findings of which are primarily used to inform Government policy on cyber security. As always, the detailed study explores the policies, processes and approach to cyber security for businesses, charities and educational institutions and also considers the different cyber attacks and cyber crimes facing these organisations.

For this latest release, the quantitative survey was carried out in winter 2023-2024 and the qualitative element early this year, with the lead analyst being Maddy Ell and Saman Rizvi serving in the role of responsible statistician.

In terms of the identification of cyber security breaches and attacks, half of businesses (circa 50%) and around one-third of charities (ie 32%) report having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).

By far the most common type of breach or attack is phishing (for 84% of businesses and 83% of charities). This is followed, to a much lesser extent, by others impersonating organisations in e-mails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).

Among those identifying any breaches or attacks, it’s estimated that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830. For charities, it was approximately £460.

There were some changes this year to the question that seeks to capture the overall incidence of cyber attacks and breaches. Due to these changes, it’s not possible to make direct comparisons between 2023 and 2024.

Cyber hygiene

The most common cyber threats are relatively unsophisticated. As such, Government guidance advises businesses and charities alike to protect themselves using a set of ‘cyber hygiene’ measures.

A majority of businesses and charities have a broad range of these measures in place. The most common are updated malware protection, password policies, cloud back-ups, restricted admin rights and network firewalls, each in place at seven-in-ten businesses or more and at around half of charities or more. Compared to 2023, the deployment of various controls and procedures has risen slightly among businesses:

* using up-to-date malware protection (up from 76% to 83%)

* restricting admin rights (up from 67% to 73%)

* network firewalls (up from 66% to 75%)

* agreed processes for phishing e-mails (up from 48% to 54%)

These trends represent a partial reversal of the pattern seen in the previous three years of the survey, where some areas had witnessed consistent declines among businesses. The changes mainly reflect shifts in the micro business population and, to a lesser extent, small and medium businesses.

Risk management and supply chains

Businesses are more likely than charities to take actions to identify cyber risks. Larger businesses (defined as medium and large businesses, as opposed to smaller businesses, which cover micro and small businesses) are the most advanced in this regard.

31% of businesses and 26% of charities have undertaken cyber security risk assessments in the last year, rising to 63% of medium businesses and 72% of large businesses.

One-third of businesses (33%) deployed security monitoring tools, rising to 63% of medium businesses and 71% of large businesses. The proportion was lower among charities (23%).

Around four-in-ten businesses (43%) and one-third of charities (34%) report being insured against cyber security risks, rising to 62% of medium businesses and 54% of large businesses (ie cyber insurance is more common in medium businesses than large ones). Compared to the 2023 survey, the proportion of businesses with some form of insurance has increased from 37% to 43%, while the proportion has remained stable among charities.

Just over one-in-ten businesses suggest that they review the risks posed by their immediate suppliers (11% versus 9% of charities). More medium businesses (28%) and large businesses (48%) review immediate supplier risks.

The qualitative interviews suggest that organisations have an increasing awareness of the cyber security risks posed by supply chains. Despite this, organisations – and particularly so at the smaller end – tend to have limited formal procedures in place to manage cyber risks from wider supply chains.

Board engagement and corporate governance

Board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations. Levels of activity have remained stable compared with 2023.

Three-quarters of businesses (75%) and more than six-in-ten charities (63%) report that cyber security is a high priority for their senior management. This proportion is higher among larger businesses (93% of medium businesses and 98% of large businesses versus 75% overall). The same is true for high-income charities (93% of those with income of £500,000 or more versus 63% overall).

The proportion stating that cyber security is a high priority has remained stable since 2023, following an apparent decrease in prioritisation in 2023. The qualitative interviews suggest that, despite economic conditions, many organisations have continued to invest either the same amount or more in cyber security over the last 12 months. At least in part, this is a response to the perceived increase in the number of cyber attacks and their sophistication.

Three-in-ten businesses and charities (both circa 30%) have Board members or Trustees explicitly responsible for cyber security as part of their job role, rising to 51% of medium businesses and 63% of large businesses. There has been no change in the overall figures since 2023.

Circa 22% of medium businesses and 33% of large businesses have heard of the National Cyber Security Centre’s Board Toolkit, rising from 11% and 22% respectively in 2020 (when it was introduced).

Some 58% of medium businesses, 66% of large businesses and 47% of high-income charities have a formal cyber security strategy in place. The figures for both businesses and charities are higher than in 2023, with significant changes seen for medium-sized businesses and charities.

Qualitative data shows a similar set of issues to previous years that prevent boards from engaging more in cyber security, including a lack of knowledge, training and time. It also highlights a contrast between more structured Board engagement in larger organisations, compared with more informal approaches in smaller organisations where the responsibility was often passed on to external contractors.

Cyber crime

Some cyber security breaches and attacks don’t constitute cyber crimes under the Computer Misuse Act 1990 and the Home Office Counting Rules. Therefore, the statistics on the prevalence and financial cost of cyber crime differ from the equivalent estimates for all cyber security breaches or attacks. They should be considered as a distinct set of figures, specifically for crimes committed against organisations, and so are a subset of all breaches and attacks.

This survey includes questions on cyber crime and cyber-facilitated fraud. Changes to the questions were made in order to strengthen the reliability of the more experimental data from the 2023 survey. Due to these changes, it’s not possible to make direct comparisons between 2023 and 2024. The new 2024 data should also still be considered experimental.

An estimated 22% of businesses and 14% of charities have experienced cyber crime in the last 12 months, rising to 45% of medium businesses, 58% of large businesses and 37% of high-income charities. Looked at another way, among the 50% of businesses and 32% of charities identifying any cyber security breaches or attacks, just over two-fifths (44% for businesses and 42% for charities) ended up being the victims of cyber crime.

Phishing is by far the most common type of cyber crime in terms of prevalence (90% of businesses and 94% of charities who experienced at least one type of cyber crime). The least commonly identified types of cyber crime are ransomware and Denial of Service attacks (2% or less of businesses and charities who experienced cyber crime in each case).

When removing phishing-related cyber crimes, it’s estimated that 3% of businesses and 2% of charities have experienced at least one non-phishing cyber crime in the last 12 months.

A total of 3% of businesses and 1% of charities have been victims of fraud as a result of cyber crime. The proportion is higher among large businesses (7%).

It’s estimated that UK businesses have experienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes in the last 12 months.

For UK charities, the estimate is approximately 924,000 cyber crimes of all types in the last 12 months. It should be noted that these estimates of scale will have a relatively wide margin of error.

The average (mean) annual cost of cyber crime for businesses is estimated at approximately £1,120 per victim (this excludes crimes where the only activity was phishing).

* Read the Cyber Security Breaches Survey 2024 in full by visiting GOV.UK
