The use of technology in daily operations continues to grow within organisations across sectors. The vast majority of businesses and charities already depend on at least one type of digital service—such as an online bank account, email, social media or electronic data storage—and the use of these solutions continues to increase. Furthermore, the rising popularity of remote and hybrid work arrangements has spurred even greater dependence on technology for everyday operations.
While workplace technology can provide a wide range of benefits to organisations, the risks that come with wider implementation are significant. In the past year, 39% of businesses and 30% of charities have experienced a cyber-security breach or cyber-attack. Of those organisations, 31% of businesses and 26% of charities estimated they were attacked at least once per week during that period. Furthermore, the consequences of these attacks are generally severe—lost or stolen data, business interruptions, costly non-compliance fines under the General Data Protection Regulation (GDPR) and reputational damages often accompany a data breach.
There are many different types of cyber-attack methods that hackers may utilise; last year, the most common method by far was phishing. Among the businesses and charities that experienced a cyber-attack within the past 12 months, 83% and 87%, respectively, reported being targeted by phishing attacks. The second most common type of cyber-incident was impersonation, which 27% of businesses and 26% of charities experienced. These patterns generally remained consistent with trends from previous years.
Following a slight dip in 2021 in the rate of organisations that prioritised cyber-security, both businesses and charities rebounded in 2022. Last year’s survey found that 77% of businesses and 68% of charities rated cyber-security as a high priority, representing a slight decrease for both groups compared with respective percentages of 80 and 74 in 2020. However, in 2022, those figures climbed back up to 82% for businesses and 72% among charities.
Another positive sign shows that 93% of businesses and 89% of charities now have at least some degree of cyber-incident response procedures in place—a sizeable increase over last year’s survey results of 66% and 59%, respectively. However, the degree of cyber-incident readiness varies greatly depending on organisation size. For example, only 12% and 4% of microbusinesses (one to nine employees) and charities take action to address supply chain cyber-risks, giving cause for concern; smaller organisations compose a high proportion of the UK population and are often more reliant on outsourced IT providers.
It’s also worth noting that the coronavirus pandemic has had an impact on cyber-security. COVID-19 forced many organisations to improvise and expand their use of technology in order to accommodate remote work arrangements. Even though the conditions surrounding COVID-19 may now make it possible for workers to return to a traditional work environment, remote and hybrid work environments have continued to be common. Remote workers may be seen as easy targets for cyber-criminals, as many organisations remain exposed to cyber-threat risks among these employees.
Additionally, in the past 12 months, 54% of businesses have acted to identify cyber-security risks. The most common action (taken by 35% of businesses) was using security monitoring tools. This figure remains the same as last year’s survey but continues to represent a decrease from 40% in 2020. Slightly more charities utilised such tools, with the percentage having increased from 25% in 2021 to 27% this year.
In addition, while phishing remained the most common type of cyber-attack, only 19% of businesses and 15% of charities tested staff with mock phishing exercises—indicating potential cyber-security vulnerabilities. However, most businesses (96%) and charities (87%) are utilising at least some cyber-security protections. For businesses and charities, respectively, the most common security solutions include malware protections (83% and 68%), password policies (75% and 57%) and network firewalls (74% and 56%).
These cyber-security measures are critical for helping organisations mitigate cyber-risks, but there is still more that can be done as threats become more creative. For instance, two-factor authentication (requiring multiple steps to log into a system) is currently only utilised by approximately a third of businesses (37%) and charities (31%). Even then, two-factor authentication usage skews more toward large and medium-sized businesses, particularly in the information and communications sector (63%). Comparatively, only 18% of businesses in the food and hospitality sector use two-factor authentication. Among utilities, production and manufacturing businesses, only 28% use it.
Ultimately, these and other figures from the survey illuminate potential areas where organisations can build out their cyber-security efforts. With that in mind, here is our summary of the 2022 Cyber Security Breaches Survey, commissioned by the Department for Digital, Culture, Media & Sport as part of the National Cyber Security Programme.
As you read through these statistics, consider what you can do to bolster your organisation’s cyber-security practices and GDPR compliance efforts. Don’t miss out on the expansive digital service opportunities or resign your organisation to cyber-attacks because of a lack of cyber-security. Protect your operations and ensure digital success with cyber-risk management guidance and insurance solutions, available by contacting us today.
INCIDENCE AND IMPACT OF BREACHES
Experience of Cyber-incidents
39% of businesses and 30% of charities identified a cyber-breach or attack in the past 12 months. Of these incidents:
- 25% of businesses and 25% of charities needed new measures to prevent a future attack.
- 22% of businesses and 23% of charities needed additional staff time dealing with the breach or attack.
- 13% of businesses and 11% of charities had to stop staff from carrying out their daily work.
Frequency of breaches in the last 12 months broken down:
- Among businesses that experienced a breach, 21% experienced just one, 27% experienced fewer than one per month, 18% experienced one per month and 15% experienced one per week.
- Among charities that experienced a breach, 21% experienced just one, 31% experienced fewer than one per month, 18% experienced one per month and 13% experienced one per week.
- 16% of businesses and 13% of charities experienced breaches at least once per day.
The most disruptive cyber incidents
Most disruptive forms of cyber-attack among organisations that reported more than one kind of attack in the past 12 months:
- Phishing attacks (25% of businesses and 36% of charities)
- Others impersonating the organisation in emails or online (25% of businesses and 20% of charities)
- Viruses, spyware, malware or ransomware (9% of businesses and 11% of charities)
Impact of Breaches
20% of businesses and 19% of charities that experienced a breach or attack reported suffering negative outcomes, such as:
- Website or online services taken down or made slower (7% of businesses and 5% of charities)
- Temporary loss of access to files or networks
- Software or systems corrupted or damaged (5% of businesses and 5% of charities)
- Compromised accounts or systems used for illicit purposes (5% of businesses and 4% of charities)
DEALING WITH CYBER INCIDENTS
Time Taken to Recover From a Cyber-incident
The average amount of time organisations spent dealing with their most disruptive breach in the last 12 months:
- No time at all (70% of businesses and 72% of charities)
- Within a day (19% of businesses and 15% of charities)
- Within a week (8% of businesses and 9% of charities)
Financial Costs of Cyber-incidents
The average cost of all breaches or cyber-attacks in the past 12 months:
- Businesses overall: £1,200
- Microbusinesses* and small* businesses: £861
- Medium* and large* businesses: £8,040
- Charities overall: £300
* Microbusinesses (one to nine employees); small businesses (10-49 employees); medium businesses (50-249 employees); large businesses (250+ employees)
The cost breakdown of organisations’ most disruptive breaches in the past 12 months:
- Average short-term direct cost: £479 for businesses and £35 for charities
- Average long-term direct cost: £240 for businesses and £36 for charities
- Average staff time cost: £261 for businesses and £86 for charities
Understanding and Responding to the Cyber-incident
93% of businesses and 89% of charities have at least some degree of cyber incident response procedures in place. The most common procedures include:
- Informing directors/trustees/governors of the incident
- Assessing the scale and impact of the incident
- Keeping an internal record of the incident
- Informing a regulator of the incident (when required)
- Debriefing to record lessons learnt from the incident
- Attempting to identify the source of the incident
Only 40% of businesses and 25% of charities reported their most disruptive breach outside their organisation, and even then, it’s often only to their cyber-security providers. This indicates that cyber-threats may be underreported and more common than currently known.
In response to experiencing a breach, only 62% of businesses and 57% of charities have taken steps to protect their organisation from future attacks. These efforts include:
- Additional staff training or communications
- Installed, changed or updated antivirus or anti-malware software
- Changed or updated firewall or system configurations
APPROACHING CYBER-SECURITY
Cyber-security controls and policies
The most common controls organisations have implemented to bolster their cyber-security include:
- Having up-to-date malware protection
- Using firewalls that cover the entire IT network, as well as individual devices
- Restricting IT admin and access rights to specific users
- Enforcing a password policy that ensures that users select strong passwords
- Backing up data securely using a cloud service
36% of businesses and 35% of charities have a formal policy or policies covering cyber-security risks. Common concerns cyber-security policies address include:
- The process by which data is supposed to be stored
- What staff are permitted to do on their organisation’s IT devices
- The ways in which remote or mobile working affects cyber-security
- The items that can be stored on removable devices, such as USB sticks
- Use of cloud computing
- Use of network-connected devices
- Use of personally owned devices for business activities
Of the organisations that have formal policies covering cyber-security:
- 44% of businesses and 47% of charities have not reviewed their cyber-security policies within the last six months.
- 22% of businesses and 17% of charities have not reviewed their policies in the last year.
Recognising supplier risks
Only 13% of businesses and 9% of charities have formally reviewed the potential cyber-security risks presented by their immediate supply chains. Only 7% of businesses and 5% of charities have included their wider supply chains in such a review.
Understanding government initiatives
49% of businesses and 40% of charities have implemented at least five of the government’s ‘10 Steps to Cyber-security.’ This represents a 1% drop for businesses and a 5% drop for charities compared with last year’s responses, but a total decrease of 20% for businesses and 23% for charities since the 2020 survey. It’s worth noting that these steps were updated by the National Cyber Security Centre between the 2021 and 2022 surveys. Only a combined 4% of businesses and charities have implemented all 10 steps. This is identical to 2021 findings but down from 12% and 14%, respectively, in the 2020 survey.
Cyber-insurance
43% of businesses and 27% of charities are insured against cyber-risks in some way.
Cyber-insurance cover is more prevalent in certain industries, such as:
- 60% of organisations in the finance and insurance sector have cover.
- 55% of businesses in the professional, scientific and technical sector have cover.
- 38% of businesses and 22% of charities have cyber-security cover as part of a wider insurance policy.
- Only 5% of businesses and 5% of charities have a specific cyber-insurance policy in place.
Documenting Cyber-security
54% of businesses and 41% of charities have taken action to identify and document cyber-security risks in the past 12 months. Compared with the 2021 figures, this represents a slight increase for businesses (+2%) and a decrease for charities (-6%). Top actions include:
- Using specific tools designed for security monitoring
- Conducting risk assessments related to cyber-security threats
- Testing staff, such as with mock phishing exercises
- Carrying out a cyber-security vulnerability audit
THE IMPORTANCE OF CYBER-SECURITY
Top reasons to invest in cyber-security
- Protect customer and consumer data
- Protect trade secrets, intellectual property and other assets
- Prevent fraud or theft
- Promote business continuity
- Protect the organisation’s reputation
- Comply with data protection laws
- Protect against computer viruses
- Protect remote employees
Why do you need cyber-insurance?
Government research suggests that cyber-insurance provides solutions for the following range of cyber-risks:
- Privacy events
- Network security liability
- Cyber crime
- Network business interruption
- Physical asset damage
- Reputational damage