Phishing the most common threat vector over the last 12 months as research suggests less cyber mature UK organisations may be failing to identify and report attacks.

In the last 12 months, 39% of UK businesses identified a cyberattack, with phishing the most common attack vector, according to the Cyber Security Breaches Survey 2022. Published by the Department for Digital, Culture, Media and Sport (DCMS), this annual research study explores the policies, processes, and approaches to cybersecurity for UK businesses, charities, and educational institutions and is used to inform UK government cybersecurity policies. It also considers the different cyberattacks organisations face, as well as how they are impacted and respond. For this latest release, the quantitative survey of 1,243 UK businesses, 424 registered charities and 420 education institutions was carried out in winter 2021/22 and the qualitative element in early 2022.

Attack rates remain steady, less cyber mature orgs may be underreporting

The report's key finding was that 39% of UK businesses have identified a cyberattack over the last 12 months. This is the same figure as in last year's report, although it is down 7% compared to 2020.

Also of note is the finding that enhanced cybersecurity leads to higher identification of attacks, suggesting that less cyber mature organisations may be failing to identify and report attacks. As for attack frequency, 31% of businesses and 26% of charities that did identify attacks estimated that they were targeted at least once a week. One in five businesses (20%) and charities (19%) experienced a negative outcome as a direct consequence of a cyberattack, while 35% of businesses and 38% of charities experienced at least one negative impact, the study discovered.

The estimated average cost across all attacks in the last 12 months was £4,200, which rose to £19,400 when considering only medium and large businesses.
The research also acknowledged that the lack of a framework for financial impacts of cyberattacks may result in underreporting. As many as 83% of organisations that identified attacks cited phishing as the most common threat vector, with only 21% identifying a more sophisticated attack type such as a denial of service, malware, or ransomware. Interestingly, despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

Business size impacts cybersecurity posture, board engagement increases

Throughout the survey, larger organisations are correlated with enhanced cybersecurity compared to other businesses. This is likely a consequence of increased cybersecurity funding and expertise. For example, 80% of large companies update the board at least quarterly, whilst 63% conducted a risk assessment and 61% carried out staff training last year. In contrast, figures dropped to 50%, 33%, and 17%, respectively, for all other businesses. With regard to board engagement around cybersecurity, 82% of boards or senior management within UK businesses now rate security as a "very high" or "fairly high" priority, an increase on 77% in 2021. However, despite increased board engagement, incident management policy is limited, the research discovered. Only 19% of businesses have a formal incident response plan, while 39% have assigned roles should an incident occur.