Cyber Breach Survey Insight: The Need to Know for UK Businesses and Charities

As we progress through 2024, cybersecurity continues to be a pressing issue for UK businesses and charities. Findings from the latest Cyber Security Breaches Survey 2024 reveal that cyber threats are affecting organizations across the board, with 50% of businesses and 32% of charities reporting cyber incidents in the past year. Medium and large businesses, in particular, are frequent targets, facing attack rates as high as 70% and 74% respectively. With attacks becoming more sophisticated, organizations of all sizes must prioritize their cybersecurity strategies.

The Financial and Operational Cost of Cyber Breaches

For smaller organizations, cyber breaches are not just a security risk; they can be a severe financial burden. On average, a single disruptive breach costs small businesses around £1,205, whereas for medium and large organizations, the average cost rises significantly to £10,830. Charities, though affected to a lesser degree, still see an average cost of £460 per major incident. These numbers underscore the importance of investing in cybersecurity, especially as cyber threats become more sophisticated and pervasive.

Phishing Leads Cyber Threats in 2024

Phishing remains the most common type of cyber attack, affecting 84% of businesses and 83% of charities. Phishing attempts can vary widely in sophistication—from basic attempts to steal credentials to complex impersonations designed to manipulate employees into sharing sensitive data or installing malware. Other attack types, such as impersonation and traditional malware, are also prevalent, albeit to a lesser extent. Given the persistence of phishing, implementing multi-factor authentication and conducting employee training on recognizing phishing emails are critical steps to safeguard against these threats.

Not all cyber incidents fall under the legal definition of “cybercrime,” but the survey reveals that cybercrime is a significant issue nonetheless. About 22% of businesses and 14% of charities reported experiencing cybercrime, with phishing as the most common method. In fact, 90% of affected businesses and 94% of affected charities that reported cybercrime were hit by phishing attacks. More advanced threats, such as ransomware and denial-of-service attacks, were less common but still pose substantial risks, particularly for larger organizations with more to lose.

In total, UK businesses experienced an estimated 7.78 million cybercrimes of all types in the past year, demonstrating the vast scale of the issue. Organizations must invest in cybersecurity awareness training and employ robust security controls to mitigate these pervasive threats.

Prioritizing Cybersecurity: Where Do Businesses Stand?

Despite the risks, the survey reveals a varied commitment to cybersecurity across organization types and sizes. As illustrated in the chart below, larger organizations are far more likely to prioritize cybersecurity at the board level than smaller ones.

Figure 2.1: Extent to Which Cybersecurity is Seen as a Priority for Directors and Senior Management

| Organisation Type | % Very High | % Fairly High | % Fairly Low | % Very Low | % Don’t Know |
|---|---|---|---|---|---|
| Businesses Overall | 35% | 40% | 17% | 7% | 1% |
| Charities Overall | 29% | 33% | 22% | 12% | 3% |

As the data shows, businesses are generally more proactive about cybersecurity than charities, with 75% of businesses (compared to 63% of charities) rating cybersecurity as a high priority for senior management. Among medium and large businesses, this focus intensifies further, with nearly all senior leaders in these organizations acknowledging cybersecurity as a top priority.

This emphasis from leadership is critical, as it often dictates the level of funding, resources, and overall strategy allocated to security. However, smaller organizations face unique challenges, such as limited budgets and expertise, which can lead to weaker cybersecurity postures and higher reliance on third-party providers.

Supply Chain Security and Cyber Insurance

With modern business operations relying heavily on third-party suppliers, cybersecurity risks now extend beyond an organization’s immediate network. However, only 11% of businesses and 9% of charities review cybersecurity risks in their supply chains. Larger businesses are more proactive, with 48% of large businesses conducting supply chain risk reviews. This highlights a vulnerability for smaller organizations that might not have the resources to rigorously assess their vendors’ security practices.

Cyber insurance is becoming increasingly popular as a financial buffer for cyber incidents, with 43% of businesses now insured, up from 37% in 2023. Medium-sized businesses have shown the most uptake, with 62% opting for cyber insurance. This type of insurance can help organizations manage the financial impact of a cyber incident, though it is not a substitute for robust security measures.

Incident Response Preparedness

The ability to respond swiftly and effectively to a cyber incident can mean the difference between a minor disruption and a major crisis. Yet, only 22% of businesses and 19% of charities have formal incident response plans. Among medium and large organizations, these numbers rise to 55% and 73%, respectively. Smaller organizations, in particular, often rely on external providers for incident response due to limited in-house expertise. For those without a formal plan, establishing clear protocols and assigning roles and responsibilities can be a powerful first step toward building resilience.

External reporting of breaches remains limited. While organizations often inform their IT providers or external security consultants, only 34% of businesses and 37% of charities reported breaches to external parties. This lack of transparency may prevent organizations from fully understanding the broader impact of cyber incidents and contributes to the underreporting of cybercrime statistics.

Key Cybersecurity Measures: What Organizations Are Doing Right

The survey highlights some encouraging trends in cybersecurity hygiene. Many organizations have implemented essential security controls, although there is still room for improvement, particularly among smaller entities.

Figure 3.6: Cybersecurity Controls and Measures in Place

| Security Control | Businesses | Charities |
|---|---|---|
| Up-to-date malware protection | 83% | 65% |
| Password policy ensuring strong passwords | 72% | 54% |
| Cloud backups | 71% | 54% |
| Restricted admin and access rights | 73% | 65% |
| Firewalls covering the entire IT network | 75% | 48% |
| Security controls on organization-owned devices | 58% | 44% |
| Only allowing access via organization devices | 61% | 34% |
| Process for handling phishing emails | 54% | 35% |
| Rules for storing and moving personal data securely | 48% | 47% |
| Data backups via other means | 55% | 41% |
| Two-Factor Authentication (2FA) | 39% | 33% |
| Separate Wi-Fi networks for staff and visitors | 35% | 25% |
| Monitoring of user activity | 30% | 29% |
| VPN for remote staff | 32% | 18% |
| Policy for timely software security updates | 34% | 20% |

For larger organizations, the adoption of these security controls is even higher. Around 90% of large businesses, for example, use restricted admin rights, password policies, and firewalls as part of their cybersecurity framework. Meanwhile, micro and small businesses show lower rates of adoption, though the trends are improving. This year, several measures saw increased adoption, including malware protection (up from 76% in 2023) and admin rights restriction (up from 67% in 2023), reversing a declining trend seen in previous years.

Building a Resilient Cybersecurity Posture in 2024

The 2024 Cyber Security Breaches Survey underscores the need for a comprehensive approach to cybersecurity. For UK businesses and charities, establishing a robust defense strategy requires a combination of strong leadership, cyber hygiene, incident response preparedness, and a keen awareness of supply chain risks. While larger organizations lead the way, smaller businesses and charities can strengthen their cybersecurity with relatively simple yet effective measures.

At ApolloSec, we understand the challenges that come with building a resilient cybersecurity posture. From assessing current vulnerabilities to implementing proactive strategies, we’re here to help businesses of all sizes prepare for the evolving threat landscape. Contact us today to learn how we can work together to protect your organization’s future.

All figures correspond directly to those in the Cyber Security Breaches Survey, for easier cross-referencing.
