Every year, the Department for Science, Innovation and Technology (DSIT), in partnership with the Home Office, releases the findings of its annual Cyber Security Breaches Survey, and the results invariably inform cybersecurity discussion for the following 12 months.
This year, 2,000 UK businesses, 1,004 UK-registered charities and 430 education institutions were consulted from 7 September 2023 to 19 January 2024. All of this is to say that when it comes to cybersecurity in the UK, there are no more authoritative sources from which to draw.
We’ve reviewed the 2024 survey numbers, pulled out some of the most notable findings, and separated them into categories for your reading pleasure. In this blog, we’ll be sharing those findings. Let’s get started.
Prevalence of cyber breaches and attacks:
- Half of businesses (50%) and around a third of charities (32%) reported experiencing some form of cyber security breach or attack in the last 12 months. This was much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).
Types of breaches and attacks:
- The most common type of breach or attack was phishing (84% of businesses and 83% of charities). To a much lesser extent, this was followed by others impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).
Costs of breaches and attacks:
- Among those identifying any breaches or attacks, the survey estimates the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830. For charities, it was approximately £460.
Cyber hygiene measures:
- There have been slight increases in the deployment of cyber hygiene measures among businesses compared to 2023, such as using up-to-date malware protection (up from 76% to 83%), restricting admin rights (up from 67% to 73%), network firewalls (up from 66% to 75%) and agreed processes for phishing emails (up from 48% to 54%).
Risk management and supply chains:
- 31% of businesses and 26% of charities had undertaken cyber security risk assessments in the last year, rising to 63% of medium businesses and 72% of large businesses.
- 33% of businesses and 23% of charities deployed security monitoring tools, rising to 63% of medium businesses and 71% of large businesses.
- 43% of businesses and 34% of charities reported being insured against cyber security risks, rising to 62% of medium businesses and 54% of large businesses.
- 11% of businesses and 9% of charities said they review the risks posed by their immediate suppliers, with this being more common for medium businesses (28%) and large businesses (48%).
Board engagement and corporate governance:
- 75% of businesses and more than six in 10 charities (63%) reported that cyber security is a high priority for their senior management. This proportion is higher among larger businesses (93% of medium businesses and 98% of large businesses, vs. 75% overall) and high-income charities (93% of those with income of £500,000 or more, vs. 63% overall).
- Three in ten businesses and charities (both 30%) have board members or trustees explicitly responsible for cyber security as part of their job role, rising to 51% of medium businesses and 63% of large businesses.
- 58% of medium businesses, 66% of large businesses, and 47% of high-income charities have a formal cyber security strategy.
Seeking external information and guidance:
- Four in ten businesses (41%) and charities (39%) reported seeking information or guidance on cyber security from outside their organisation in the past year.
- 39% of businesses and 32% of charities have taken action on 5 or more of the 10 Steps to Cyber Security, rising to 80% of medium businesses and 91% of large businesses.
- 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme, with awareness being higher among medium businesses (43%) and large businesses (59%).
Incident response:
- 22% of businesses and 14% of charities have formal incident response plans in place, rising to 55% of medium businesses and 73% of large businesses.
- 34% of businesses and 37% of charities reported their most disruptive breach outside their organisation.
Cyber crime:
- The survey estimates that 22% of businesses and 14% of charities have experienced cyber crime in the last 12 months, rising to 45% of medium businesses, 58% of large businesses and 37% of high-income charities.
- 3% of businesses and 1% of charities have been victims of fraud as a result of cyber crime, with the proportion being higher among large businesses (7%).
- The survey estimates that UK businesses have experienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes in the last 12 months. For UK charities, the estimate is approximately 924,000 cyber crimes of all types.
Sector differences in prioritisation:
- Businesses in the information and communications (65% say it is a “very” high priority), finance and insurance (61% say it is a “very” high priority), and health, social care and social work (62% say it is a “very” high priority) sectors tend to treat cyber security as a higher priority than others.
- Unlike previous years, food and hospitality businesses now regard cyber security as a higher priority than businesses overall (72% vs. 75% of businesses overall).
- Businesses in the agriculture sector tend to regard cyber security as a lower priority than those in other sectors (59% say it is a high priority, vs. 75% of businesses overall).
Regional differences in prioritisation:
- In 2023, businesses in the South East tended to prioritise cyber security higher than the average UK business (80% said it is a high priority, vs. 71% overall).
- In 2024, the region that prioritises cyber security most highly relative to businesses overall is the North West (83% said it is a high priority, vs. 75% overall).