Each year, the Department for Digital, Culture, Media & Sport (DCMS) releases its hotly anticipated Cyber Security Breaches Survey. It’s a key source of data on how businesses across the UK approach cybersecurity, the threats they face, and issues that need to be addressed in the coming year.
But for all its usefulness, the report is also very long – usually stretching to thousands of words in length. So, to save you from reading the whole thing, we’ve put together a handy list of the key takeaways from the report. Here’s the stuff you need to know.
1. Assessing supply chain risk is rare for small businesses
We’ve talked about the danger supply chains pose to businesses a lot. Happily, it appears that larger businesses have begun to wake up to the risk. 63% of large businesses undertook a cybersecurity risk assessment in the last year, alongside 51% of medium-sized firms.
However, the practice remains rare among smaller businesses. When the sample size is broadened to include businesses of every size, just 3 in 10 have undergone a risk assessment.
Why is this happening? Well, it’s possible many businesses don’t have the resources to sanction regular risk assessments but, just as likely, is that many SMEs are simply unaware of the need.
Worried about rising IT costs? Check out our guide to protecting your business on a budget.
2. A small number of businesses are taking cyber accreditations
The good news is that the proportion of UK organisations seeking extra guidance or information on cybersecurity is stable at 49% for businesses and 44% for charities. But, this does mean that a large proportion of organisations either aren’t aware of or aren’t using guidance like the NCSC’s 10 Steps to Cyber Security or the government-backed Cyber Essentials accreditation.
According to the DCMS’s findings, just 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses. And it’s a similar story with ISO 27001 certification with just 9% of businesses and 5% of charities adhering to the standard. Again, this is higher among large businesses (27%).
Although these figures might look alarming, there are a couple of caveats to bear in mind. First of all, the Cyber Essentials scheme was always going to take some time to bear fruit, it’s worth remembering the extremely limited cyber awareness across UK businesses before its launch. What’s more, the number of certified businesses is still growing steadily, up from 500 per month in January 2017 to just under 3500 in January 2023.
Added to this, the scheme was always likely to need to evolve to meet the needs of businesses. Given recent calls from UK companies for a new and improved Cyber Essentials certification, perhaps the time has come for the scheme to take the next step in its evolution.
3. Formal incident response plans aren’t widespread
The survey reveals that most organisations agree that they’d take several actions following a breach or cyber incident. However, the reality appears somewhat different. Only a minority of businesses (21%) have a formal incident response plan in place. This figure does rise amongst medium (47%) and large businesses (64%), indicating that it’s SMEs who are going without.
Perhaps this isn’t surprising, SMEs are often time and resource-poor and creating a thorough incident response plan isn’t a small undertaking. Nevertheless, it represents an area that both government bodies and companies like CyberSmart need to focus on in the coming year.
4. The number of identified breaches has declined
At the risk of stating the obvious, cybercrime hasn’t decreased in the last year. But the number of breaches being reported by smaller businesses has declined. Just 32% of businesses and 24% of charities reported a breach or attack in the last 12 months – down from 39% of businesses and 30% of charities in the 2022 edition of the survey.
What’s going on? Are SMEs simply being attacked less? Unfortunately, no. 54% of SMEs in the UK experienced some form of cyber-attack in 2022. And, if we look at the figures for large businesses (69%) and high-income charities (56%) the numbers have remained stable from the 2022 report.
This seems to indicate that the drop is being driven by SMEs, which also suggests that they are undertaking less monitoring and logging of breaches than in previous years. Why? That brings us to our next key takeaway.
5. Cybersecurity is less of a priority for smaller businesses
It’s no secret that it’s a tricky time to be a small business. Economic uncertainty and a cost of living crisis have left many SMEs looking to reduce expenditure, particularly in areas like cybersecurity. This is borne out by the DCMS’s survey, with 68% of micro-businesses (10 employees or less) saying cyber security is a high priority, down from 80% last year.
In practice, this can mean less tracking and reporting of breaches, weaker defences, and greater reluctance to update tools, putting small businesses at a real disadvantage. But it doesn’t have to be this way. There are methods for budget-conscious businesses to reduce costs responsibly – we’ve outlined a few here.
6. Is cyber hygiene going backwards?
Finally, cyber hygiene has long been a useful concept in helping businesses think about their security. The rationale behind it is simple. Most cyberattacks are pretty unsophisticated – think your common-or-garden phishing attack or a breach due to an unpatched vulnerability.
This means businesses can avoid falling foul of most of them by using a set of basic “cyber hygiene” measures.
The most common of these hygiene measures are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls. However, all of these measures have seen a gradual decline over the last few editions of the DCMS report. For example:
- use of password policies (79% in 2021, vs. 70% in 2023)
- use of network firewalls (78% in 2021 vs. 66% in 2023)
- restricting admin rights (75% in 2021, vs. 67% in 2023)
- policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).
DCMS analysis suggests that these trends appear to reflect shifts in the SME population, as figures across larger organisations have remained stable. As we mentioned earlier, it’s possible that, as many smaller businesses feel the pinch and place less importance on cybersecurity, cyber hygiene has begun to fall by the wayside. Whatever the reason, it’s a worrying development that could make some SMEs extremely vulnerable.
What have we learned from the DCMS Cyber Security Breaches Survey 2023?
Time to draw some broad-brush conclusions from the DCMS’s findings. First of all, the common theme running throughout the report is that the cost of living crisis is having a real impact on SMEs’ ability to protect themselves. Whether it’s the decline in breach reporting, so many businesses lacking incident response plans, or the fall in cyber hygiene standards, it’s clear SMEs need real assistance to bolster their defences.
Second, Cyber Essentials could be due for a revamp. The number of organisations who are aware of the accreditation, let alone completing it, remains too low.
Finally, although this piece may have made for a fairly grim read, there is an upside. These findings provide everyone within the UK cybersecurity industry a clear picture of where the problems lie and what we all need to do over the next 12 months to tackle them.
Want to know more about how to reduce cybersecurity costs responsibly? Check out our free guide to cybersecurity on a budget.