Ipsos MORI and its partner, the Institute of Criminal Justice Studies (ICJS) at the University of Portsmouth, were commissioned by the Department for Digital, Culture, Media and Sport (DCMS) to carry out the latest Cyber Security Breaches Survey, as part of the UK Government’s National Cyber Security Programme. It follows earlier surveys in the same series carried out in 2018, 2017 and 2016.
The 2019 survey highlights the persistent threat of cyber-attacks facing businesses and charities with around a third of businesses (32%) and a fifth of charities (22%) having suffered a cyber breach or attack in the past 12 months. This represented a significant fall in the number of businesses identifying breaches (down from 43% in 2018, and 46% in 2017). The charities result was similar to 2018.
Among organisations identifying breaches or attacks, the most common types identified are phishing attacks, identified by 80% of businesses and 81% of charities, followed by instances of others impersonating an organisation in emails or online (28% of businesses and 20% of charities) and viruses or other, spyware or malware, including ransomware attacks (identified by 27% of businesses and 20% of charities).
This year’s survey shows that cyber security is a growing priority for senior management, with over three-quarters of UK businesses (78%) and charities (75%) saying that cyber security is a high priority for their senior management. This is a significant increase since 2018 when these proportions were 74% for businesses and 53% of charities.
Reflecting this change in attitudes, there have also been shifts in action taken in this latest survey:
- More businesses (57%, vs. 51% in 2018) and charities (43%, vs. 27% in 2018) update their senior management on actions taken around cyber security at least once a quarter.
- Both businesses (27%, vs. 20% in 2018) and charities (29%, vs. 15% in 2018) are more likely to have had staff attend any kind of cyber security training in the last 12 months.
- Written cyber security policies are more common both among businesses (33%, vs. 27% in 2018) and charities (36%, vs. 21% in 2018).
Insights from the qualitative interviews suggests that GDPR has encouraged many organisations over the past year to engage formally with cyber security for the first time, and others to strengthen their existing policies and processes. However, the survey also shows that there is more that organisations can do to protect themselves from cyber risks. This includes important actions which are still relatively uncommon, such as board-level involvement in cyber security, monitoring suppliers and planning incident response.
- The Cyber Security Breaches Survey is an Official Statistic and has been produced to the standards set out in the Code of Practice for Official Statistics.
- Ipsos MORI surveyed 1,566 UK businesses (including 488 large businesses employing 250 or more staff) and 514 UK registered charities by telephone from 10 October to 20 December 2018.
- Sole traders and public sector organisations were outside the scope of the survey, so were excluded. In addition, businesses with no IT capacity or online presence were deemed ineligible, which meant that a small number of specific sectors (agriculture, forestry and fishing) were excluded.
- Both the businesses and charities data have been weighted to be statistically representative of these two populations.
- A total of 52 in-depth interviews were undertaken in January and February 2019 to follow up businesses and charities that participated in the survey.