UK businesses are woefully poor at tackling cyber breaches, according to a new government survey.
The government's annual Cybersecurity Breaches Survey report found that while more than half of businesses experienced a cyberattack or breach in the past 12 months, nearly four in ten said they had taken no action in response to the incident.
The study showed that seven in ten medium-sized businesses were victims of a breach, along with three-quarters of large businesses and around a third of charities.
However, the report uncovered poor practices among many organizations, with few implementing proactive measures to address growing security threats.
According to the study, only 22% of companies and 19% of charities have a formal incident response plan. Meanwhile, just over half (55%) of medium-sized companies have some formal response procedure.
Larger companies fared better in this regard, according to the study, with 73% revealing that they have a formal incident response plan.
Andy Kays, chief executive of threat detection and response company Socura, said the survey raises serious questions about the ability of UK businesses to cope with an increasingly dangerous threat landscape.
“Only a fraction of UK businesses have any kind of formalized incident response plan, which I find surprising,” he said.
“In the event of a breach, companies do not keep records, do not report to police and regulators, do not assess the scale and impact of the incident. They are not doing the bare minimum. It is also important to note that companies are doing very little to prevent or detect violations in the first place.”
The most common type of attack identified by the survey was phishing, which affected 84% of businesses and 83% of charities. Meanwhile, more than a third were breached through others impersonating organizations in emails or online, while 17% of businesses and 14% of charities were affected by viruses or malware.
A key concern highlighted by the survey was the lack of awareness training for employees over the past year. Only 18% of respondents said they had provided security threat training.
Only a third of respondents said they employ techniques such as two-factor authentication for employees.
Mike Newman, CEO of My1Login, said that while many companies focus on password policies to protect employees, these often do not address underlying problems such as a lack of awareness or the ability of sophisticated threat actors to manipulate users into disclosing confidential information.
“Most companies seem to focus on password policies for users, believing that this will help protect them against phishing. But this is not the case,” he said.
“When users know the passwords, they can still be easily tricked into handing them over to phishing scammers, so it's not a true defense against the attack vector, especially in the era of AI-generated phishing scams.”
There is good news: companies have slightly improved their defenses since 2023.
The majority (83%) now use up-to-date malware protection, up from 76% last year, while the share of organizations restricting administrator rights has increased from 67% to 73%.
Three-quarters now use network firewalls, up from 66% last year, and 54% have agreed processes for phishing emails, up from 48%.
A rather disconcerting aspect of the report is its assessment of the cost of a breach.
According to the report, the most disruptive breach in the last 12 months cost businesses of all sizes an average of £1,205, rising to £10,830 for medium and large businesses. For charities the figure was around £460.
“This will raise alarm bells, not because of its importance, but because of its insignificance and possible inaccuracy,” said William Wright, CEO of Closed Door Security.
“It might also make business leaders wonder why they should invest in cybersecurity when the impact is so manageable.”
The answer appears to be that the report is based on self-reporting and is weighted more toward smaller companies than reports such as IBM's Cost of a Data Breach study, which found that the average breach costs organizations more than $4 million.