7 Key takeaways from DSIT’s Cyber Security Breaches Survey 2024

Every spring the Department for Science, Innovation & Technology (DSIT) releases its Cyber Security Breaches Survey. Always hotly anticipated throughout the cybersecurity sector, it acts as a ‘temperature check’ of security and resilience within UK cyberspace.

Although the report primarily intends to inform UK government policy, that doesn’t mean it isn’t useful to small businesses. In fact, the report is a bit of a lodestar for anyone interested in cybersecurity. It gives us an idea of the threats we face, how businesses are dealing with them, and what we can do to improve our collective security. 

With that in mind, here are our key takeaways from the Cyber Security Breaches Survey 2024.

1. Breaches remain common

This won’t be particularly surprising to anyone, but successful cybersecurity breaches remained commonplace in the last 12 months. According to DSIT’s research, half of businesses (50%) and just under a third of charities (32%) reported experiencing some form of breach.

These figures are highest for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%). However, this isn’t to say small (10-49 employees) and micro (1-9) businesses are immune. 47% of micro-businesses and 58% of small businesses were hit with a breach in the last year.

2. The cost of a breach remains low, but constant

This one is a mixed bag. One positive is that DSIT reports the average cost of a single breach across all businesses surveyed was £1,205. That’s considerably lower than figures released in reports like IBM’s Cost of a Data Breach 2023, even when we consider that the average rises to £10,830 for large and medium businesses.

Unfortunately, this isn’t the whole story. Although the headline figure for the cost of a breach is low, companies are being attacked with frightening regularity. Over half of businesses (53%) and just under half of charities (45%) reported that this happens once a month or more often. Grimmer still, a third of businesses and a fifth of charities say that they were attacked at least once a week.

This means that even if the cost of a single breach is low, many businesses are being hit multiple times a year, making the cumulative impact of attacks far higher. What’s more, while larger organisations may be able to swallow these recurring costs, their impact could be ruinous for SMEs.

3. Phishing scams are still the number one threat

By this point, most of us have first-hand experience of a phishing scam. They come in many forms, from speculative email campaigns to more targeted attacks through social media platforms like Facebook Messenger and spear phishing.

So it’s no surprise to see phishing scams at the top of DSIT’s list of most common threats. 84% of businesses and 83% of charities reported being targeted by one in the last 12 months.

However, more interesting is that the second most common threat was ‘others impersonating organisations in emails or online’ (35% of businesses and 37% of charities). This demonstrates that cybercriminals are leaning on social engineering techniques to launch attacks, rather than more technological approaches like malware and ransomware.

There are a couple of possible reasons for this. First, social engineering attacks use our human nature against us, making them more difficult to defend against. Second, social engineering doesn’t require any specialist tools or tech knowledge, just a familiarity with the techniques, meaning the barrier to entry is lower for would-be scammers.

4. Does Cyber Essentials certification have an awareness problem?

Cyber Essentials certification turns ten this June. And, although the scheme has helped thousands of businesses improve their cybersecurity, it appears to have an awareness problem.

Just 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. These figures are roughly consistent with 2023 but represent a decline over the last 2-3 years. This decline is also more pronounced among smaller businesses, with medium businesses (43%) and large businesses (59%) more aware.

More worrying still, only 3% of businesses and charities report adhering to Cyber Essentials. However, this does come with a caveat that a higher proportion of them (22% of businesses and 14% of charities) report having technical controls in all five areas covered by Cyber Essentials.

5. Businesses aren’t prepared for supply chain risks

Although the report reveals organisations have broadly improved when it comes to cyber risk management, there’s still one glaring omission – supply chain risks. Only one in ten businesses say they review supplier risk (11%, vs. 9% of charities). Given that supply chain attacks are predicted to cost the global economy $138 billion by 2031, this is an area that needs urgent attention in the coming years.

6. Formal incident response plans aren’t widespread

Despite many businesses stating that they’d take action following a cyber incident, very few have anything concrete in place to establish what those steps are. Just 22% of businesses and 19% of charities have a formal incident response plan. Once again, these figures are largely being driven by SMEs; 73% of large businesses have one.

What this suggests is that small businesses are ill-prepared for the worst-case scenario. Creating an incident response plan or security policy can be time-consuming and tricky if you don’t know where to start. SMEs need help, through tools like templates and policy management, to better prepare themselves.

Alongside this, when a breach does happen, external reporting of it is uncommon. Just over a third of businesses (34%) and charities (37%) reported a breach outside their organisation. Even then, this wasn’t usually to the National Cyber Security Centre (NCSC) or Information Commissioner’s Office (ICO), but to their managed service provider or IT supplier. This indicates that vast swathes of cybercrime are still going unreported.

7. Basic cyber hygiene is improving

Finally, let’s end with a real positive. Cyber hygiene – by which we mean basic cyber controls – is on the up across all businesses. Most cyber threats are relatively unsophisticated, so organisations can go a long way towards protecting themselves by adopting some simple measures.

The good news is that a majority of businesses and charities have a broad range of these measures in place. These include:

• using up-to-date malware protection (up from 76% to 83%)
• restricting admin rights (up from 67% to 73%)
• network firewalls (up from 66% to 75%)
• agreed processes for phishing emails (up from 48% to 54%)

And, even more promising, these trends are a reversal of the decline in cyber hygiene we’ve seen over the past few years. This shift is being driven by micro and small businesses, demonstrating that despite the worrying trends in awareness surrounding Cyber Essentials, basic security recommendations are having some cut-through.
