May 2, 2018

The 2018 Survey shows that over four in ten (43%) of businesses and two in ten charities (19%) suffered a cyber breach or attack in the past 12 months.

This figure rises to more than two thirds for large businesses, 72% of which identified a breach or attack. For the average large business the financial cost of all attacks over the past 12 months was £9,260, and some attacks cost significantly more.

The most common breaches or attacks were via fraudulent emails, for example attempting to coax staff into revealing passwords or financial information, or opening dangerous attachments, followed by instances of cyber criminals impersonating the organisation online, and then malware and viruses.

As part of the Government’s Data Protection Bill, the Information Commissioner’s Office (ICO) will be given more power to defend consumer interests and issue higher fines to organisations, of up to £17 million or 4% of global turnover for the most serious data breaches. The new Bill requires organisations to have appropriate cyber security measures in place to protect personal data.

The Government has also introduced the Network and Information Systems Regulations (see item above) to improve cyber security in the UK’s critical service providers.

The 2018 Survey also shows that, among those experiencing breaches, large firms identify an average of 12 attacks a year and medium-sized firms an average of six attacks a year. Smaller firms are still experiencing a significant number of cyber attacks, with two in five micro and small businesses (42%) identifying at least one breach or attack in the past 12 months, which could impact profits and reduce consumer confidence.

However, the survey shows more businesses are now using the Government-backed, industry-supported Cyber Essentials scheme, a source of expert guidance showing how to protect against cyber threats.

It shows three quarters of businesses (74%) and more than half of all charities (53%) say cyber security is a high priority for their organisation’s senior management.

The survey also revealed that:

• larger businesses and charities are more likely than the average to identify cyber attacks. Breaches are more likely to be found in organisations that hold personal data and where employees use their own personal devices for work;
• a huge proportion of all organisations are still failing to get the basics right. A quarter (25%) of charities are not updating software or malware protections and a third of businesses (33%) do not provide staff with guidance on passwords; and
• more than one in 10 (11%) of large firms are still not taking any action to identify cyber risks, such as health checks, risk assessments, audits or investing in threat intelligence.

To access the 2018 Survey, click here.