In the UK, the Cyber Security Breaches Survey is designed to report on the state of cyber resilience and to inform future government policy. The survey covers business, charity, and educational organisations to provide a holistic view of the challenges and impact of emerging cyber-threats.
In April 2023, the UK Government issued a summary report of the findings from research conducted throughout the winter of 2022/23. You can access the report in full on the UK Government website.
The report highlights some interesting trends over the preceding 12 months. As businesses get back to “normal” post COVID, there are indications that cybersecurity is fluctuating in terms of its importance across the UK. Smaller businesses seem to have less of a focus on breach prevention and data protection, which may have a knock-on effect on supply chain security for larger enterprises.
The report claims that, among microbusinesses, cyber security is only seen as a priority for 68% of businesses – down from 80% the previous year. There was also a decrease in the number of small businesses and charities recalling a cyber-attack or data breach last year – just 32% and 24% respectively. The rate is much higher outside of the small business sector, with 59% of medium and 69% of large businesses reporting one.
Supply chain vulnerabilities
Whilst it may be tempting to think that cyber criminals aren’t interested in smaller businesses, they often take advantage of supply chain vulnerabilities to gain access to larger enterprises. Globally, there has been an increase in supply chain attacks in recent months, with the MOVEit, 3CX and Applied Materials incidents making headlines.
A lack of best practice
Some of the fundamentals of cybersecurity that larger enterprises take for granted do not seem to be front of mind for smaller businesses. There is a worrying trend among SMBs that has seen four key cybersecurity best practices in decline. The use of password policies, network firewalls, the restriction of admin rights and the timely application of software patches all show a reduction over last year.
According to the survey, only 29% of smaller businesses have undertaken a cybersecurity risk assessment in the past year, only 13% review the cyber resilience of their immediate suppliers and just 30% claim to have security monitoring in place. It is perhaps surprising then that only 37% are insured against cyber security risks.
In a recent article, we asked “What does the board know about cyber security?”. The UK Government report shows that board representation for cybersecurity is lower than expected. Just 30% of smaller businesses and 33% of charities have a board member explicitly responsible for cybersecurity. Perhaps most worrying of all is that less than half have a formal cybersecurity strategy in place.
When pressed to explain why the board doesn’t engage in cybersecurity more often, board members cite a lack of knowledge, training, or time. Interestingly, the report also points to the need for people with cybersecurity experience to be able to “write a persuasive business case for cybersecurity spending”.
Guidance and legislation
The revised Data Protection Act of 2018 implemented much of the data governance introduced by the EU’s GDPR in the same year. Despite several high-profile incidents, and some eye-watering fines, there still seems to be a lack of awareness or understanding of national cybersecurity guidance or legislation. The UK’s Cyber Essentials program, for example, was introduced back in 2014 and outlined the bare minimum standards expected in terms of cybersecurity. Despite being in place for almost ten years, the recent survey showed only 14% of smaller businesses and 15% of charities were aware of the scheme.
This lack of awareness of relatively high-profile, government-backed messaging is concerning, as it points to a deeper level of unpreparedness. In a digitally enabled society, businesses of all sizes should be aware of their obligations when it comes to privacy, data protection and cybersecurity.
If the never-ending list of breach incidents isn’t enough to make the board sit up and pay attention, we don’t know what will. Smaller businesses may think they are not a target for financially motivated cyber criminals, but they could unwittingly create a vulnerability that can be exploited to gain access to a customer, supplier, or partner organisation.
If you need help building a business case for investment in encryption technology, secure file sharing or proactive anti-malware, contact one of our cybersecurity professionals today.