The Cyber Security Breaches Survey 2024 continued


Risk management and supply chains


Businesses are more likely than charities to take actions to identify cyber risks. Larger businesses (medium and large businesses, as opposed to smaller businesses, which cover micro and small businesses) are the most advanced in this regard.


• 31% of businesses and 26% of charities have undertaken cyber security risk assessments in the last year – rising to 63% of medium businesses and 72% of large businesses.


• A third of businesses (33%) deployed security monitoring tools, rising to 63% of medium businesses and 71% of large businesses. The proportion was lower among charities (23%).


• Around four in ten businesses (43%) and a third of charities (34%) report being insured against cyber security risks, rising to 62% of medium businesses and 54% of large businesses (i.e. cyber insurance is more common in medium businesses than large ones).


• Compared with the 2023 survey, the proportion of businesses with some form of insurance has increased from 37% to 43%, while the proportion has remained stable among charities.


• Just over one in ten businesses say they review the risks posed by their immediate suppliers (11%, vs. 9% of charities). More medium businesses (28%) and large businesses (48%) review immediate supplier risks.


The qualitative interviews suggest that organisations have an increasing awareness of the cyber security risks posed by supply chains. Despite this, organisations, particularly at the smaller end, tend to have limited formal procedures in place to manage cyber risks from wider supply chains.


Board engagement and corporate governance


Board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations. Levels of activity have remained stable compared with 2023.


• Three-quarters of businesses (75%) and more than six in 10 charities (63%) report that cyber security is a high priority for their senior management. This proportion is higher among larger businesses (93% of medium businesses and 98% of large businesses, vs. 75% overall). The same is true for high-income charities (93% of those with income of £500,000 or more, vs. 63% overall).


The proportion that say cyber security is a high priority has remained stable since 2023, following an apparent decrease in prioritisation in 2023. The qualitative interviews suggest that, despite economic conditions, many organisations have continued to invest either the same amount or more in cyber security over the last 12 months. This is in part a response to the perceived increase in the number of cyber attacks and their sophistication.


• Three in ten businesses and charities (both 30%) have board members or trustees explicitly responsible for cyber security as part of their job role – rising to 51% of medium businesses and 63% of large businesses. There has been no change in the overall figures since 2023.


• 22% of medium businesses and 33% of large businesses have heard of the NCSC’s Board Toolkit, rising from 11% and 22% respectively in 2020 (when it was introduced).


• 58% of medium businesses, 66% of large businesses and 47% of high-income charities have a formal cyber security strategy in place. The figures for both businesses and charities are higher than in 2023 with significant changes seen for medium businesses and charities.


5 © CITY SECURITY MAGAZINE – SUMMER 2024 www.citysecuritymagazine.com


Qualitative data shows a similar set of issues to previous years that prevent boards from engaging more in cyber security, including a lack of knowledge, training and time. It also highlights a contrast between more structured board engagement in larger organisations, compared with more informal approaches in smaller organisations, where responsibility was often passed on to external contractors.


Cyber accreditations and following guidance


The proportion of businesses seeking external information or guidance on cyber security has fallen since 2023. In addition, a sizeable proportion of organisations, including larger organisations, continue to be unaware of government guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard. Linked to this, relatively few organisations at present are adhering to recognised standards or accreditations.


• Four in ten businesses (41%) and charities (39%) report seeking information or guidance on cyber security from outside their organisation in the past year, most commonly from external cyber security consultants, IT consultants or IT service providers. The figure for businesses is lower than in 2023 (49%), while there has been no change among charities.


• 13% of businesses and 18% of charities are aware of the 10 Steps guidance – rising to 37% of medium businesses and 44% of large businesses. Nevertheless, 39% of businesses and 32% of charities have taken action on five or more of the 10 Steps.

