
Government publishes cyber security breaches survey


Cyber security breaches are a common and growing threat globally across all sectors. Since 2018, the UK Government has published its cyber security survey detailing cyber security policies, processes, and resilience by sector, with specific sectors such as charities reported separately. While the survey primarily informs government policy on cyber security, it also provides useful insight into each sector's policies, processes, and approach to cyber security.

Common cyber threats and protections

The Government advises the use of a set of “cyber hygiene measures” to combat the most common cyber threats, which are relatively unsophisticated chance attacks. Over two-thirds of organisations in all sectors have a range of these measures in place. These include malware protection, cloud backups, passwords, restricted administrative rights, and network firewalls.

Less encouragingly, the survey indicated that certain areas of cyber protection have consistently declined. These include:

  • Use of password policies (79% in 2021 vs. 70% in 2023),
  • Use of network firewalls (78% in 2021 vs. 66% in 2023),
  • Restricting administrator rights (75% in 2021 vs. 67% in 2023) and
  • Policies to apply security updates within 14 days (43% in 2021 vs. 31% in 2023).

The results of the survey show that in larger organisations these percentages remain unchanged, so the decreases mainly reflect downward shifts in smaller organisations.

Key qualitative results from the survey

The survey provides a valuable insight into the cyber security landscape. Key points include:

  • Sixty-nine percent of large organisations and 32% of smaller organisations (24% of charities) experienced a breach and/or cyber attack in the year.
  • Sixty-eight percent of the victims of a successful phishing attack said that they had lost funds as a result.
  • The number of microbusinesses that consider cyber security to be a top priority has declined from 80% in 2022 to 68% in 2023.
  • Only 30% of businesses (and 31% of charities) have a board member or trustee who takes explicit responsibility for cyber security in their organisation.
  • Eleven percent of businesses and 8% of charities have fallen victim to at least one cyber crime in the last 12 months.
  • UK businesses have experienced around 2.39 million cyber crimes of all types and 70,000 non-phishing cyber crimes in the last 12 months.
  • The mean cost of a non-phishing cyber crime was £20,900.
  • The average cost of a cyber crime to a charity was lower at £500, but the reputational cost is considered a much higher risk and carries greater cost.

Trends

The cyber security breaches survey shows that smaller organisations have not prioritised cyber security, which is perhaps due to rising costs and the overall economic outlook presenting competing priorities.

Some of the trends identified may also reflect shifts in working models since the pandemic. More home and remote working has changed how access is granted and how users are monitored. The survey shows that the proportion of organisations restricting access to work devices has fallen significantly over the last four years, and that considerably fewer are undertaking any monitoring of user activity this year.

Cyber security is a genuine risk to all organisations. Adopting the basic hygiene measures and designating responsibility at Board level are an absolute must to ensure that the issue gets priority on the agenda.

If you’re a UK charity and need any specialist advice, get in touch with our Charities team or your usual BHP contact.