Cyber security moves up the agenda, but one in three businesses suffer weekly cyber attacks according to new UK government report

Cyber security is now seen as a high priority for more businesses than ever before, according to new research from the Department for Culture, Media and Sport (DCMS) in the UK.

Yet, the Cyber Security Breaches Survey 2022 also found one in three businesses (31%) now experience breaches or attacks at least once a week.

This increase comes as many of the metrics by which DCMS measure cyber resilience have either flatlined or declined over the past two years – and businesses’ overall ability to mitigate against the effects of attacks has actually levelled off.

Businesses are now less capable of identifying breaches than they were two years ago, and also tend to take a more informal approach to incident management, with fewer than one in five businesses having a formal incident management plan, for example.

What’s more, only 6% of businesses have the Cyber Essential certification, and fewer than one in ten organisations actively monitor risks within their supply chain.

This dip comes alongside a growing trend of organisations not publicly discussing their cyber security profile. This could be due to reputational concerns or being negatively compared with peers, and it’s led to cyber security being limited – or even omitted entirely - in annual reporting, according to the survey.

The survey also showed a large disparity between organisations that have the skills and capability to respond to a cyber attack, and those that don’t. It identified a lack of technical know-how both within smaller organisations, and at a senior level in larger organisations. This – alongside a clear lack of commercial narrative to effectively negotiate a cyber security budget – is resulting in businesses taking a more reactive approach to cyber security.

Disparities also continue to be noticeable across different sectors of the economy. While finance and insurance and information and communications are shown to have the most advanced cyber security practices, others – such as hospitality and construction – still have some way to go.

Ollie Whitehouse, Global Chief Technology Officer at NCC Group, commented:

“Although the report has really highlighted the widening gap between those who have the skills and capabilities to sure up their cyber resilience and those that don’t, it’s important to note that lack of cyber expertise occurs not only in smaller organisations but in larger ones as well. As the UK looks to embed a whole-of-society approach to cyber security, it provides further evidence that there is an urgent need to improve cyber literacy at every level – all the way from FTSE 100 boards down to small businesses and charities.

“Moreover, the report serves as a reminder that we should be treating cyber as a science. We must transition to a world where evidence is provided of efficacy in real-world operating conditions, against realistic threat scenarios, in ways that don’t require you to be an expert in the subject to understand. When armed with this knowledge, businesses can not only increase their own resilience, but make better strategic decisions.”