Each year, the Department for Culture, Media and Sport releases its Cybersecurity Breaches Survey. It’s fast become one of the most influential cybersecurity reports around, driving government policy and the National Cyber Strategy.
The Cybersecurity Breaches Survey covers everything from threats to the processes businesses use to protect themselves and takes in everything from schools to start-ups. However, it’s also a very long report, with lots of tables, graphs and references – not something that’s easily digestible during your lunch hour.
So, to save you the trouble, we’ve pulled together the key takeaways for SMEs.
1. The number of cyberattacks stays stable
It’s no secret that during the first year of the COVID-19 pandemic the number of attacks on UK businesses skyrocketed. DCMS figures from 2020 show that 46% of UK businesses reported a cyberattack, up from 32% the previous year.
However, the number declined in 2021 to 39% and it’s stayed stable at the same figure this year. That might sound like great news, but there are some caveats. First of all, 39% is still too many; that’s more than a third of all UK businesses being attacked in any given year.
On top of this, there’s a chance that the figures, while accurate, don’t tell the whole story. As the report states, the better your cyber defences, the more likely you are to detect and report an attack. This suggests that smaller organisations and those with less sophisticated defences might be underreporting attacks.
2. Phishing remains the most common type of attack
One of the most important findings of the Cybersecurity Breaches Survey is just how common social engineering attacks, particularly phishing scams, have become. 83% of all organisations surveyed said they’d experienced some form of phishing attack in the last 12 months. And this was followed, some way behind, by impersonation-style social engineering attacks with 67%.
What does this tell us?
Well, it tells us that cybercriminals have hit upon a formula that works for targeting businesses big and small. But that’s not all. It also teaches us that security training for staff has never been more important. With most cybercriminals using some form of social engineering attack, your people need to be able to spot the signs and recognise threats when they see them.
3. Few businesses are taking the supply-chain threat seriously
We’ve covered the risk posed by supply chains at length (if you haven’t already, read this). According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself.
Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult. However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it.
Despite this, only 13% of businesses assessed the risks posed by their immediate suppliers. In fact, few considered cybersecurity an important factor in the procurement process.
4. Getting hacked costs a lot
This might not come as surprise but a successful cyber breach can really hit your business in the pocket. The average cost of a breach across businesses of all sizes is £4,200, with a figure of £3,080 for SMEs. The news is even worse if you’re a medium or large-sized business. The average figure for firms of this size stands at an eye-watering £19,400.
It’s worth noting that only one in five businesses suffer any negative consequences as a result of a breach. But, with 31% of businesses reporting that they’re attacked at least once a week, the chances of being part of that one in five is high.
5. Most small businesses don’t have a cybersecurity strategy
To be clear, the lack of a formal cybersecurity policy isn’t just a problem for small businesses; just 23% of all businesses have one. Nevertheless, the trend is much more severe among smaller businesses. While 57% of large firms have a formal strategy, just 20% of micro firms and 37% of small firms have one.
And it’s not just an overarching strategy that’s missing. Most businesses don’t have a clear plan in place for what to do if the worst happens. Just 19% of businesses surveyed said they had a formal incident response plan.
This makes for worrying reading. It suggests that, in those crucial first few minutes and hours after an incident, too many businesses aren’t dealing with the threat in an organised way, handing a huge advantage to the bad guys.
6. Ransomware confusion reigns
One of the worst questions any business has to answer is what to do in the event of a successful ransomware attack. Do you pay out? Or do you play hardball with the ransomers?
Although it’s a tricky question, it’s crucial to have a policy one way or another. However, one in five businesses (19%) stated they weren’t sure what they would do. On top of this, many small businesses still believe that ransomware isn’t a threat, either because they are ‘too small’ or have ‘nothing of value’ to steal.
7. Cyber Essentials uptake is still low
Unless this is your first CyberSmart blog, you’ll know we talk about Cyber Essentials certification constantly. It’s the single most important thing a small business can do to improve its cybersecurity.
But, unfortunately, the uptake of Cyber Essentials is still very low. Only 6% of businesses have the Cyber Essentials certification and just 1% have Cyber Essentials Plus. Unfortunately, this is likely a problem of awareness. Although every business could benefit from taking the certification, too few are aware of its existence. This needs to change, and fast.
Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity.