Cyber attacks have become more evolved and frequent

The Cyber Security Breaches Survey 2020 has revealed that the extent of cyber security threats in the UK has not diminished, but the threat is actually found to have evolved and become more frequent.

The survey, released by the Department for Digital, Culture, Media & Sport, found that 46 per cent of businesses and 26 per cent of charities report having cyber security breaches or attacks in the last 12 months. This is higher among medium businesses (68 per cent), large businesses (75 per cent) and high-income charities (57 per cent).

The business findings are in line with those in 2017 (when the question was first asked). The charity findings show a rising incidence, from 19 per cent in 2018, when charities were first surveyed, and 22 per cent in 2019, to 26 per cent in 2020. This may mean that more charities are being targeted but could also mean that they are better at identifying breaches than before.

Among this 46 per cent of businesses that identify breaches or attacks, more are experiencing these issues at least once a week in 2020 (a rise of 10 per cent in the last two years). There is a similar pattern over time for charities, although the changes across years are not statistically significant. In 2020, a fifth of these charities say they experience breaches at least once a week.

The nature of cyber attacks has also changed since 2017. Over this period, there has been a rise in businesses experiencing phishing attacks (from 72 per cent to 86 per cent), and a fall in viruses or other malware (from 33 per cent to 16 per cent). Organisations have become more resilient to breaches and attacks over time and are now less likely to report negative outcomes or impacts from breaches, and more likely to make a faster recovery.

However, breaches that do result in negative outcomes still incur substantial costs. Among the 46 per cent of businesses that identify breaches or attacks, 19 per cent have experienced a material outcome, losing money or data. A further 39 per cent were negatively impacted, for example requiring new measures, having staff time diverted or causing wider business disruption. Similarly, among the 26 per cent of charities reporting breaches or attacks, 25 per cent had material outcomes and 56 per cent were negatively impacted.

Over the last five years, there has been greater board engagement in cyber security and increased action to identify and manage cyber risks. These improvements may underpin the fact that organisations have become more resilient. Board engagement has increased over time among both businesses and charities: 80 per cent of businesses say that cyber security is a high priority for their senior management boards (up from 69 per cent in 2016); 74 per cent of charities say this about their senior management (up from 53 per cent in 2018); 51 per cent of businesses and 38 per cent of charities update their senior management on cyber security at least quarterly; and 37 per cent of businesses have board members with a cyber security brief.

However, there is still more that organisations might do on a range of diverse topics such as audits, cyber insurance, supplier risks and breach reporting.