Cyber Security Breaches 2024
The Department for Science, Innovation and Technology (DSIT), in partnership with the Home Office, commissioned Ipsos to undertake research to explore the UK’s cyber resilience, aligning with the National Cyber Security Programme.
The Cyber Security Breaches Survey is primarily used to inform government policy on cyber security, making the UK cyber space a secure place to do business. The study explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different cyber attacks these organisations face, as well as how these organisations are impacted and respond. For this latest release, both the quantitative survey and qualitative interviews were carried out in winter 2023/24.
Methodology
As in previous years, there were two strands to the Cyber Security Breaches Survey:
We undertook a random probability telephone survey of 2,000 UK businesses, 1,004 UK registered charities and 430 education institutions from 7 September 2023 to 19 January 2024. The data for businesses and charities have been weighted to be statistically representative of these two populations.
Random Iterative Method (RIM) weighting has been applied to the raw survey data to ensure it is proportionate to the profile of UK organisations, specifically with respect to size and sector. All figures quoted in this report are from the weighted outputs. It should be noted that, as DBT business populations show, the composition of UK businesses is mostly micro and small, which is reflected in any overall figures in this report.
We carried out 44 in-depth interviews between December 2023 and January 2024, to gain further qualitative insights from some of the organisations that answered the survey. Sole traders and public-sector organisations were outside the scope of the survey. In addition, businesses with no IT capacity or online presence were deemed ineligible. These exclusions are consistent with previous years, and the survey is considered comparable across years. The educational institutions, covered in the separate Education Annex, comprise 185 primary schools, 171 secondary schools, 43 further education colleges and 31 higher education institutions.
Key findings
Cyber attacks
Cyber attacks remain a common threat, with half of businesses and around a third of charities experiencing some kind of attack in the last year. Larger businesses are more likely to identify breaches or attacks than smaller ones. High-income charities are more likely to record any breaches or attacks than the average for all charities.
Attack type
Phishing is the most common type of cyber attack, reported by 84% of attacked businesses and 83% of attacked charities. The next most common is impersonation of the organisation or staff (35% of businesses and 37% of charities). This is followed by targeting with other malware like viruses or spyware (17% of businesses and 14% of charities).
Frequency and impact
Over half of attacked businesses and just under half of attacked charities experienced cyber attacks at least once a month or more frequently. Despite this frequency, only a minority experience negative outcomes resulting in financial or informational losses, indicating that a large proportion of attacks are unsuccessful.
Cost of attacks
The average cost incurred from the most disruptive attack is £6,940 for a business of any size, around £40,400 for medium and large businesses, and approximately £1,850 for charities (excluding attacks without an outcome). For most breaches or attacks, organisations do not identify any material outcome and so no loss of assets or data.
Cyber crime
An estimated 22% of businesses and 14% of charities were victims of at least one cyber crime, as defined by the Computer Misuse Act, in the last 12 months. Similar to cyber attacks, this was higher in larger businesses and high-income charities. It is estimated that UK businesses experienced a total of around 7.78 million cyber crimes of all types and 116,000 non-phishing cyber crimes in the last 12 months.
Cyber hygiene
A broad range of basic hygiene measures like malware protections, password policies and network firewalls are in place at a majority of businesses and charities, slightly reversing a 3-year decline in adoption of such measures. But cyber accreditations like Cyber Essentials see much lower uptake, with only around 1 in 10 businesses and charities aware of this scheme.
Board engagement
Three-quarters of businesses and over 60% of charities say cyber security is a high priority for senior management, while 30% of both have board members responsible for cyber security. This responsibility is more common in larger businesses. Qualitative data show boards often lack skills, training and time to engage more in cyber security.
Size differential
Larger businesses have more advanced practices across risk management, strategies, incident response plans and other areas. Higher proportions of them experience attacks, but higher proportions also report having each measure to respond to the risks they face.
Risk management
31% of businesses and 26% of charities have done cyber risk assessments in the last year, rising to 63% of medium and 72% of large businesses. 33% of businesses use security monitoring tools (63% of medium and 71% of large businesses), compared with 23% of charities.
Outsourcing and supply chains
43% of businesses have an external cyber provider, and these are mostly small (56%) or medium (66%) businesses. Only just over 1 in 10 businesses review risks posed by their immediate suppliers. Qualitative data show informal management of supplier risks.
Incident management
One-fifth of businesses (22%) and charities (19%) have incident response plans, rising to 55% of medium businesses, 73% of large businesses and half of high-income charities. Challenges include smaller organisations' lack of expertise and disconnects between technical teams and wider staff, including senior management.
External engagement
Around 40% of businesses and charities have sought cyber information externally, most commonly from IT providers rather than official guidance. But this figure has declined, as has awareness of government campaigns like Cyber Aware (now 25% for businesses) and guidance like Cyber Essentials (12% for businesses).