The Government's Cyber Security Breaches Survey has been published. It’s a research study for UK cyber resilience, aligning with the National Cyber Strategy... and it makes for some interesting reading.

The survey is primarily used to inform government policy on cyber security, making the UK cyberspace a secure place to do business.

The study explores the policies, processes and approach to cyber security for businesses, charities, and educational institutions. It also considers the different cyber attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond.

For this latest release, the quantitative survey was carried out in winter 2022/23 and the qualitative element in early 2023.

The entire survey is available to read here. It’s a hefty document, but if you have the cyber security of your business at heart, we really do suggest you read it in full. This blog is just the tip of the iceberg, in which we highlight some salient points.

What are the key takeaways from the survey?

In short, cyber security breaches and attacks remain a common threat. Which is hardly breaking news. However, smaller organisations are identifying them less than last year. This may reflect that senior managers in smaller organisations view cyber security as less of a priority in the current economic climate than in previous years, so are undertaking less monitoring and logging of breaches or attacks.

• 32% of businesses and 24% of charities overall recall any breaches or attacks from the last 12 months. This is much higher for medium businesses (59%), large businesses (69%) and high-income charities with £500,000 or more in annual income (56%).
• This is a decrease from 39% of businesses and 30% of charities in 2022. The drop is driven by smaller organisations - the results for medium and large businesses, and high-income charities, remain at similar levels to last year.
• Among those identifying any breaches or attacks, it’s estimated that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. For medium and large businesses, this was approximately £4,960. For charities, it was approximately £530.
• The proportion of micro businesses saying cyber security is a high priority has decreased from 80% in 2022 to 68% this year. Qualitative evidence suggests that cyber security has dropped down the priority lists for these smaller organisations, relative to wider economic concerns like inflation and uncertainty.

What is a cyber crime?

Some cyber security breaches and attacks do not constitute cyber crimes under the Computer Misuse Act 1990 and the Home Office Counting Rules.

The below list are classed as cyber crimes:

• ransomware that breached an organisation’s defences (i.e. it was not stopped by software)
• other computer viruses or malware that breached an organisation’s defences
• denial of service attacks that breached an organisation’s defences and were carried out intentionally, including attacks that led to extortion
• hacking – unauthorised access of files or data, as well as online takeovers (e.g. of websites, social media accounts or email accounts) – that was carried out intentionally, including attacks that led to extortion
• phishing attacks that individuals responded to (e.g. by opening an attachment) or that contained personal data about the recipient, and did not lead to any further crimes being committed

The findings of the survey show that cyber crime is more prevalent among larger organisations, although this may be a sign of underreporting among smaller organisations.

A total of 11% of businesses and 8% of charities have experienced cyber crime in the last 12 months, rising to 26% of medium businesses, 37% of large businesses and 25% of high-income charities. Looked at another way, among the 32% of businesses and 24% of charities identifying any cyber security breaches or attacks, around a third (34% for businesses and 32% for charities) ended up being victims of cyber crime.

It is estimated that, across all UK businesses, there were approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months. Across charities, there were approximately 785,000 cyber crimes over this period.

The average (mean) annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim.

Who’s at risk, and what are the most common types of cyber crime?

Across all organisations (i.e. not just those identifying breaches or attacks), medium and large businesses are more likely to experience a cyber crime than smaller ones – although that does not mean small or micro traders are exempt.

Similarly, high-income charities (25% of those with an income of £500,000 or more, vs. 8% of all charities) are also significantly more likely to have experienced a cyber crime. This reflects the pattern for all cyber security breaches and attacks more generally.

In terms of sector, professional, scientific and technical businesses are more likely than others to have identified cyber crimes.

Phishing…again with this?

It’s worth noting that most of the 11% of businesses and 8% of charities that identify any cyber crime are referring to phishing-related cyber crimes – where individuals responded to a phishing email (e.g. by opening an attachment) or where the phishing email contained personal data about the recipient.

When removing these phishing-related cyber crimes from the calculation, it is estimated that a total of 2% of businesses and 1% of charities have experienced at least one non-phishing cyber crime in the last 12 months. This amounts to 33,000 businesses and 3,000 registered charities.

Using the results from this Cyber Security Breaches Survey, it is estimated that:

• UK businesses have experienced approximately 2.39 million cyber crimes of all types and approximately 70,000 non-phishing cyber crimes in the last 12 months.
• UK charities have experienced approximately 785,000 cyber crimes of all types in the last 12 months. It is not possible to estimate the number of non-phishing cyber crimes for this group, due to low sample sizes.

For context, the report estimated approximately 690,000 computer misuse offences experienced by the general public (in England and Wales) in the 12 months up to the end of September 2022.

The CRC network

The CRC network was mentioned in the survey. It read ‘In 2019, nine regional Cyber Resilience Centres (CRCs) were opened across England and Wales, specifically in order to help smaller organisations make their cyber operations safer. It is worth noting that these are most often mentioned as an information source by large businesses (7%) and very high-income charities (5% of those with £5 million or more in annual income).’

• Read the full report here.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).