


UK Editor

39% of UK businesses identified cyberattacks in the last year

Apr 06, 2022 | 3 mins

Phishing the most common threat vector over the last 12 months as research suggests less cyber mature UK organisations may be failing to identify and report attacks.


In the last 12 months, 39% of UK businesses identified a cyberattack, with phishing the most common attack vector, according to the Cyber Security Breaches Survey 2022. Published by the Department for Digital, Culture, Media and Sport (DCMS), this annual research study explores the policies, processes, and approaches to cybersecurity for UK businesses, charities, and educational institutions and is used to inform UK government cybersecurity policies. It also considers the different cyberattacks organisations face, as well as how they are impacted and respond. For this latest release, the quantitative survey of 1,243 UK businesses, 424 registered charities and 420 education institutions was carried out in winter 2021/22 and the qualitative element in early 2022.

Attack rates remain steady, less cyber mature orgs may be underreporting

The report’s key finding was that 39% of UK businesses have identified a cyberattack over the last 12 months. This is the same figure as in last year’s report, although it is down 7% compared to 2020.

Also of note is the finding that enhanced cybersecurity leads to higher identification of attacks, suggesting that less cyber mature organisations may be failing to identify and report attacks. As for attack frequency, 31% of businesses and 26% of charities that did identify attacks estimated that they were targeted at least once a week. One in five businesses (20%) and charities (19%) experienced a negative outcome as a direct consequence of a cyberattack, while 35% of businesses and 38% of charities experienced at least one negative impact, the study discovered.

An estimated average cost across all attacks in the last 12 months produced a figure of £4,200, which rose to £19,400 when considering only medium and large businesses. The research also acknowledged that the lack of a framework for financial impacts of cyberattacks may result in underreporting.

As many as 83% of organisations that identified attacks cited phishing as the most common threat vector, with only 21% identifying a more sophisticated attack type such as a denial of service, malware, or ransomware. Interestingly, despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

Business size impacts cybersecurity posture, board engagement increases

Throughout the survey, larger organisations are correlated with enhanced cybersecurity compared to other businesses. This is likely a consequence of increased cybersecurity funding and expertise. For example, 80% of large companies update the board at least quarterly, whilst 63% conducted a risk assessment and 61% carried out staff training last year. In contrast, figures dropped to 50%, 33%, and 17%, respectively, for all other businesses.

With regard to board engagement around cybersecurity, 82% of boards or senior management within UK businesses now rate security as a “very high” or “fairly high” priority, an increase on 77% in 2021. However, despite increased board engagement, incident management policy is limited, the research discovered. Only 19% of businesses have a formal incident response plan, while 39% have assigned roles should an incident occur.


Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
