The Cyber Security Breaches Survey 2024
This is much more common in medium businesses (80%) and large businesses (91%). Just 3% of businesses and charities have enacted all 10 Steps, increasing to 14% of medium businesses and 27% of large businesses.
• 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme, consistent with 2023 but representing a decline over the last 2-3 years.
• Awareness is higher among medium businesses (43%) and large businesses (59%). Although only 3% of businesses and charities report adhering to Cyber Essentials, a higher proportion (22% of businesses and 14% of charities) report having technical controls in all five of the areas covered by Cyber Essentials.
Qualitative findings suggest the desire to seek external accreditation can be due to client demand, pressure from board members, a motivation to enforce a positive change in staff culture, and peace of mind for stakeholders.
Incident response
While a large majority of organisations say that they will take several actions following a cyber incident, in reality a minority have agreed processes already in place to support this. These findings are consistent with previous years.
The most common processes, mentioned by around a third of businesses and charities, are having specific roles and responsibilities assigned to individuals, having guidance on external reporting, and guidance on internal reporting.
• Formal incident response plans are not widespread (22% of businesses and 19% of charities have them). This rises to 55% of medium-sized businesses, 73% of large businesses and 50% of high-income charities.
External reporting of breaches remains uncommon. Among those identifying breaches or attacks, 34% of businesses and 37% of charities reported their most disruptive breach outside their organisation. Many of these cases simply involve organisations reporting breaches to their external cyber security or IT providers and no one else.
The qualitative interviews highlighted several challenges organisations might face when dealing with cyber incidents. In smaller organisations, there was a strong reliance on DSPs for incident response, such as IT providers and cloud storage providers. This was linked with a lack of in-house expertise or capacity. In larger organisations, the challenges were often more related to a disconnect between IT or cyber teams and wider staff, including senior managers.
Cyber crime
• An estimated 22% of businesses and 14% of charities have experienced cyber crime in the last 12 months, rising to 45% of medium businesses, 58% of large businesses and 37% of high-income charities.
• Looked at another way, among the 50% of businesses and 32% of charities identifying any cyber security breaches or attacks, just over two-fifths (44% for businesses and 42% for charities) ended up being victims of cyber crime.
• Phishing is by far the most common type of cyber crime in terms of prevalence (90% of businesses and 94% of charities who experienced at least one type of cyber crime).
• The least commonly identified types of cyber crime are ransomware and denial of service attacks (2% or less of businesses and charities who experienced cyber crime in each case).
© CITY SECURITY MAGAZINE – SUMMER 2024
www.citysecuritymagazine.com
When removing phishing-related cyber crimes, we estimate that 3% of businesses and 2% of charities have experienced at least one non-phishing cyber crime in the last 12 months.
• A total of 3% of businesses and 1% of charities have been victims of fraud as a result of cyber crime. The proportion is higher among large businesses (7%).
• We estimate that UK businesses have experienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes in the last 12 months.
• For UK charities, the estimate is approximately 924,000 cyber crimes of all types in the last 12 months. It should be noted that these estimates of scale will have a relatively wide margin of error.
• The average (mean) annual cost of cyber crime for businesses is estimated at approximately £1,120 per victim (this excludes crimes where the only activity was phishing).
Extracted from The Cyber Security Breaches Survey 2024
www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024
Lead analyst, Maddy Ell
Responsible statistician, Saman Rizvi
Enquiries: cybersurveys@dsit.gov.uk
www.gov.uk