Ipsos MORI and its partner, the Institute of Criminal Justice Studies (ICJS) at the University of Portsmouth, were commissioned by the Department for Culture, Media and Sport (DCMS) to carry out the latest Cyber Security Breaches Survey, as part of the UK Government’s National Cyber Security Programme. It follows an earlier survey in the same series carried out in 2016.
The 2017 survey again highlights that virtually all UK businesses covered by the survey are exposed to cyber security risks. Since 2016, the proportion with websites (85%) or social media pages (59%) has risen (by 8 and 9 percentage points respectively), as has the use of cloud services (from 49% to 59%). Three-fifths (61%) hold personal data on their customers electronically.
In this context, three-quarters (74%) of UK businesses say that cyber security is a high priority for their senior management, with three in ten (31%) saying it is a very high priority.
However, as in 2016, a sizable proportion of businesses still do not have basic protections or have not formalised their approaches to cyber security:
- Under two-fifths have segregated wireless networks, or any rules around encryption of personal data (37% in each case).
- A third have a formal policy that covers cyber security risks (33%), or document these risks in business continuity plans, internal audits or risk registers (32%).
- A third (29%) have made specific board members responsible for cyber security.
- A fifth (20%) of businesses have had staff attend any form of cyber security training in the last 12 months, with non-specialist staff being particularly unlikely to have attended.
- One-fifth (19%) are worried about their suppliers’ cyber security, but only 13 per cent require suppliers to adhere to specific cyber security standards or good practice.
- The Cyber Security Breaches Survey is an Official Statistic and has been produced to the standards set out in the Code of Practice for Official Statistics.
- Ipsos MORI surveyed 1,523 UK businesses (including 171 large businesses employing 250 or more staff) by telephone from 24 October 2016 to 11 January 2017.
- Sole traders and public sector organisations were outside the scope of the survey, so were excluded. In addition, businesses with no IT capacity or online presence were deemed ineligible, which meant that a small number of specific sectors (agriculture, forestry, fishing, mining and quarrying) were excluded.
- The data is weighted to be representative of all UK businesses (who were in scope).
- A total of 30 in-depth interviews were undertaken in January and February 2017 to follow up businesses that participated in the survey.