Here’s Everything That’s Wrong with Cybersecurity in the UK Today
For a useful annual snapshot of the security posture of UK businesses, look no further than the government’s Cyber Security Breaches Survey. It provides a relatively detailed insight into what’s working and, more commonly, what isn’t. Overall, three-quarters of businesses (rising to 93% of medium and 98% of large businesses) say their boards regard cybersecurity as a “high priority”. But saying is not doing.
There’s clear room for improvement across multiple areas, including incident response, supply chain security, board accountability and risk management. Perhaps most concerning is the lack of awareness of government-led security frameworks and initiatives. Alongside best practice standards like ISO 27001, these could go a long way to improving the cyber-resilience of UK PLC.
Room for Improvement
The headline stat is that half (50%) of responding businesses report having experienced some form of security breach or attack in the past 12 months – rising to 70% of medium businesses (and 74% of large businesses). This is up considerably from respective figures of 32%, 59% and 69% last year, but doesn’t necessarily mean more breaches – it could be that more are being detected. In fact, the report begins with some good news.
According to the study, which is compiled from a survey of 2,000 UK businesses and follow-up interviews with 44, cyber-hygiene is getting better. The report highlights an annual increase in the number of businesses engaged in:
- Up-to-date malware protection (from 76% in 2023 to 83% in 2024)
- Restricting admin rights (67% to 73%)
- Network firewalls (66% to 75%)
- Agreed processes for phishing emails (48% to 54%)
According to the report, this is a reversal of a pattern seen in the previous three years of the survey, where some areas had seen consistent declines. However, there are still concerns over the following:
Risk management: Fewer than a third (31%) of businesses ran a cyber-risk assessment in the past year (rising to 63% of medium and 72% of large companies). Additionally, only a third (33%) deployed security monitoring tools (63% of medium and 71% of large businesses).
Supplier risk: Only 11% of businesses review supply chain risks – rising to only 28% of mid-sized and fewer than half (48%) of large businesses.
Board engagement: Just 30% of respondents have a board member directly responsible for cybersecurity as part of their role, rising to half (51%) of medium-sized firms and 63% of large companies. This is unchanged since last year.
Strategy: Just 58% of medium-sized firms and 66% of large businesses even have a formal cybersecurity strategy in place.
Incident response: Only a fifth (22%) have a formal incident response plan, rising to 55% of medium-sized and 73% of large firms.
External help: Just 41% of respondents say they seek information or guidance on cybersecurity from outside the organisation, down from 49% in 2023. Only 13% are aware of the National Cyber Security Centre’s 10 Steps to Cyber Security guidance (37% of medium and 44% of large businesses), and just 12% said the same of Cyber Essentials (43%, 59%).
What the Experts Think
Marie Wilcox, security evangelist at Panaseer, argues that even improvements in cyber-hygiene can’t mask the poor security posture of many UK businesses.
“Organisations are still failing to put essential security controls in place. At best, organisations are still below 2021’s standards. Even large businesses that understand the risks often fail to implement controls properly – at least 29% don’t have controls in place for patch management or restricting access to organisation-owned devices,” she argues.
“With attackers tending to pick off the lowest hanging fruit, 98% of breaches could be prevented by focusing on security fundamentals and better cyber hygiene. Moving towards the middle of the pack by having the right controls and policies in place will help head off the vast majority of attacks.”
Cylera chief security strategist, Richard Staynings, singles out third-party risk management as a critical failing for many UK firms. He argues that vendors should never win contracts for critical infrastructure sectors like healthcare simply based on the lowest bid.
“The trouble is few businesses enforce [security best practice] within their contracts with third parties, making it a prerequisite to ensure that they have policies and procedures that meet our own standards, that they have quality assurance in place, staff training and access controls set up, and that they provide ISO/IEC 27001 certification – the world’s best-known standard for information security management systems (ISMS),” he adds.
Socura CEO, Andy Kays, is particularly dismayed about the relatively small share of businesses that have formalised incident response plans in place – a fact he describes as “astounding”.
“Businesses will always have a plan in case of a fire, but will not apply the same due care for a data breach – which is statistically much more likely. It flies in the face of common sense,” he continues.
“In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident. They are failing to do the bare minimum. It’s also important to note that businesses are doing very little to prevent or detect breaches in the first place.”
Building a More Resilient Future
One of the most disappointing findings of the report is the lack of awareness around government security initiatives like the 10 Steps and Cyber Essentials, which are designed to improve baseline security for regular businesses. The same is true of globally renowned best practice security standards like ISO 27001, despite some respondents viewing it in positive terms. Matt Thomas, head of UK markets at NCC Group, argues that it should be on the to-do list for many larger organisations.
“While ISO 27001 certification primarily paves the way for businesses to increase their cyber-resilience, the benefits go much further. From a credibility standpoint, it can assist in reputation protection. And as a globally recognised framework, it can help with audits and adapting strategies, while also ensuring businesses adhere to legislation and avoid costly fines,” he tells ISMS.online.
“If ISO 27001 is adopted more widely, we could be looking at a very different picture when future cyber-breach surveys are released. Businesses that take a proactive approach to their cyber-hygiene are undoubtedly less likely to fall victim to a cyber-attack.”
Keith Fenner, general manager EMEA at Diligent, concludes that EU legislation such as NIS 2 and DORA will force many organisations to improve their risk management and reporting.
“To prepare, organisations need a robust IT compliance program, which is increasingly supported by AI and automation capabilities to enable them to map controls to multiple regulations and continuously monitor controls to reduce the likelihood of data breaches,” he tells ISMS.online.
“This program should be part of an integrated GRC platform to facilitate both internal and external audits, allow multiple stakeholders from the organisation to view and collaborate, and enable streamlined reporting up to the board, so that cyber risk is integrated into the organisation’s overall strategy. Lastly, the board and management should be leveraging training programs and certifications — as well as tapping their CISOs — to build their cyber literacy so that they can effectively govern enterprise-wide cyber risks.”