The UK Government’s Department of Science, Innovation and Technology just released its UK Cyber Security Breaches Survey 2023 report. The report contains some interesting and some worrying insights into how businesses across the UK are managing their cyber security posture.
As part of our ongoing educational endeavours for the InfoSec community at Cyber Management Alliance, we have captured some of the key findings from the survey in this blog.
It also contains some basic recommendations from our experts on how to improve business cyber resilience across the UK inspired by the trends mentioned in the survey.
Key findings of the UK Cyber Security Breaches Survey 2023 covered in this blog:
1. The State of UK's Cyber Security Industry
2. Prioritisation of Cyber Security
3. Cost of Cyber Breaches
The UK Cyber Security Breaches Survey 2023 brought out some positive findings on the state of the cybersecurity sector in the UK. One thing that’s obvious is that the industry is growing: it employs more people and generates more revenue than it did last year.
Here are some important aspects of the industry’s growth as mapped by the survey:
The UK now has 1,979 cybersecurity firms as opposed to 1,838 last year.
The sector employs 58,005 people, a significant increase of 10% from 2022.
The overall revenue of the industry has reached £10.5 billion (3% increase from 2022).
The Gross Value Added or GVA now stands at £6.2 billion (17% rise from 2022).
The cybersecurity sector in the UK raised £302 million in investment across 76 deals.
It is apparent from these statistics that the cybersecurity industry in the UK is growing rapidly, creating opportunities for businesses and individuals alike.
This growth is buoyed, of course, by the rise in cyber crime across the world, which creates constant demand for skilled cybersecurity professionals who are experienced in dealing with attacks and protecting sensitive information.
As per the survey, nearly half of businesses (49%) and just under half of charities (44%) actively sought information or guidance on cyber security from outside their organisation, most commonly from external cyber security consultants, IT consultants or IT service providers.
At Cyber Management Alliance, we’ve seen this trend first-hand. Our Virtual Cyber Assistant service, a flexible, cost-effective and remote-only service, has experienced the ripple effect of this growth.
There has been a clear rise in demand for highly skilled and deeply experienced external cybersecurity practitioners who can help organisations achieve their cybersecurity goals.
Interestingly, although the cybersecurity industry grew significantly in 2023, the identification of cyber breaches and attacks declined over the past year: 32% of businesses identified cyber attacks or breaches in 2023, as opposed to 46% in 2020.
The report, however, states that this decline is driven primarily by micro and small businesses. The results for medium and large businesses remain consistent with last year’s.
UK-based charities showed a similar decline: 24% identified cyber attacks, down from 30% in the 2022 breaches survey.
Among organisations that did identify breaches, the most common threat vector was phishing, reported by 79%.
As might be obvious, the decline in identification of cyber attacks and data breaches goes hand in hand with the decrease in prioritisation of cyber security for UK-based organisations.
Here’s a look at how the organisations surveyed prioritised cybersecurity:
Businesses rating cyber security a very high or fairly high priority: 71% (down from 82% in 2022)
Priority for charities: 62% (down from 72% in 2022)
Priority for micro businesses: 68% (down from 80% in 2022)
This decline in the prioritisation of cyber security is reflected in other areas of the survey too.
For example, the report indicates a significant decrease in the use of cyber security measures by UK organisations over the last three years.
Amongst the most often-recommended measures that have seen a decline in usage are:
Password policies (79% in 2021 vs. 70% in 2023)
Network firewalls (78% in 2021 vs. 66% in 2023)
Restricted admin rights (75% in 2021 vs. 67% in 2023)
Policies to apply software security updates within 14 days (43% in 2021 vs. 31% in 2023)
Awareness of government cyber security schemes also turned out to be low. Only 14% of businesses and 19% of charities stated that they’re aware of the 10 Steps Guidance, and 14% of businesses and 15% of charities were aware of the Cyber Essentials scheme.
On the positive side, however, for the first time a majority of large businesses (55%) are reviewing supply chain risks.
At Cyber Management Alliance, we always advise our clients to look closely at their supply chain and third-party security. No matter how strong your own cyber defences are, a gap in the security of your partners can bring you down just as quickly. This has been very apparent in recent attacks like SolarWinds and Fortra’s GoAnywhere zero-day exploits.
These attacks have made it amply clear that organisations need to keep tabs on the security of their software partners, vendors and wider supply chain, and also ramp up their cyber resilience strategies. Being prepared with Ransomware Mitigation Checklists and Cyber Incident Response Plans is critical, but not enough.
It is also important to rehearse these cybersecurity policies and procedures through regular Cyber Attack Tabletop Exercises, which show you how your business would withstand a real attack.
The cost of cyber-attacks and data breaches remains a favourite topic of conversation for InfoSec professionals and business owners alike.
The Cyber Security Breaches Survey, obviously, had some interesting results to share:
The average cost of the single most disruptive breach in the last 12 months, for businesses that identified a breach with a material outcome, is estimated at £3,770.
For medium and large businesses, the average cost is higher at £15,800.
For charities, the average cost was £2,310.
The average (mean) annual cost of cyber crime for businesses is estimated at £15,300 per victim.
The writing on the wall, as they say, is clear. The cost of cyber crime remains consistently high, and the only way to mitigate the damage is through better preparedness and response.
While some smaller businesses may have reduced the priority they accord to cyber security, doing so can be a recipe for disaster if they’re attacked.
Not only do you lose money recovering from the data breach or attack, you could also end up paying huge sums in penalties and regulatory fines if you don’t handle the breach correctly.
Further, the loss of customer trust and the reputational damage caused by a data breach or ransomware attack are often irreparable for small and medium businesses.
The smart thing to do in today's complex threat landscape is to acknowledge that cybersecurity is indispensable and that you will, in all likelihood, be attacked.
It’s wise to start preparing for the worst with a good Cyber Incident Response Plan and effective Cyber Incident Planning and Response training for your key decision-makers.
You can also use these free resources, created by our experts at Cyber Management Alliance, to get your cybersecurity artefacts in order and start your cyber resilience journey:
Cybersecurity Policy Template
Cyber Essentials Checklist
Ransomware Response Checklist
Ransomware Response Workflow
Cyber Crisis Tabletop Exercise Checklist
The Cyber Security Breaches Survey 2023 is a research study of UK cyber resilience, and provides key evidence to inform policy making in support of the current National Cyber Strategy. The study explores the policies, processes and approach to cyber security of businesses, charities and education institutions (state primary and secondary schools, further education institutions and universities). It also considers the different cyber breaches and attacks these organisations face, as well as how they are impacted and how they respond. This year the survey also incorporates new questions on cyber crime and cyber-facilitated fraud, developed in partnership with the Home Office. The fieldwork for the survey was conducted from September 2022 to January 2023.