by Margaret Taylor
30 March 2022
UK organisations show resilience to cyber attacks but more needs to be done to improve cyber security


The proportion of UK businesses that were hit by a cyber attack remained steady at 39 per cent in the past year, with phishing attempts accounting for the vast majority (83 per cent) of incidents.

The UK Government’s Cyber Security Breaches Survey, which has been charting the cyber resilience of UK businesses and charities since 2016, found that more serious cyber crimes, such as malware or ransomware attacks, were significantly less prevalent than phishing, with a fifth of the 39 per cent being exposed to such breaches.

However, it noted that cyber crimes in general were happening relatively frequently and were leading to negative consequences for the organisations affected.

Among those that reported an attack, 31 per cent of businesses and 26 per cent of charities estimated that they were attacked at least once a week over the course of the year. One in five businesses (20 per cent) and charities (19 per cent) said they experienced a negative outcome as a direct consequence of a cyber attack, while a third of businesses (35 per cent) and almost four in 10 charities (38 per cent) said they experienced at least one negative impact.

Earlier this month Justice Secretary Keith Brown revealed that the number of crimes reported in Scotland rose sharply in the year to April 2021, with a total of 403 recorded by Police Scotland, up from 57 the previous year. In 1999-00 there was just one recorded case, with the total remaining below 100 in each year between then and 2020-21.

Of the total in the 2020-21 financial year, 331 incidents fell under sections one and two of the Computer Misuse Act, meaning they were the result of perpetrators gaining unauthorised access to someone else’s computer. The remaining 72 incidents fell under section three of the act, meaning whoever accessed the computers had attempted to make modifications to them.

The figures – which are anonymised – are likely to include the cyber attack that hit the Scottish Environment Protection Agency (Sepa) in December 2020, when cyber criminals encrypted, stole or deleted data held in the organisation’s computer systems on Christmas Eve and demanded a ransom to release it. The ransom was not paid and Sepa has been able to unravel much of the damage done, but has still not been able to quantify the full financial implications of the attack.

In the Cyber Security Breaches Survey, Department for Digital, Culture, Media and Sport analyst Maddy Ell said UK organisations are now placing greater importance on cyber security than in any other year the survey has been carried out.

“In the qualitative interviews it was found that this was driven by a good high-level understanding at the senior level of the risks cyber attacks pose,” she said.

“This, coupled with the use of board sponsors and cyber security experts, enabled organisations to practise good cyber hygiene.”

However, she added that gaps remain, with fewer than one in five organisations having a formal incident management plan in place to deal with a breach.

There is a lack of technical know-how and expertise within smaller organisations and at the senior level within larger organisations, and there is also a lack of “commercial narrative to effectively negotiate a cyber security budget against other competing organisational priorities”, she said.

“The findings from this year’s survey demonstrate that there is room for improvement in many elements of organisations’ cyber hygiene,” Ell said.

“It is clear that cyber resilience is highly influenced by board behaviours. Though the high-level prioritisation of cyber security amongst boards is high, this does not translate into high expertise.

“Furthermore, cyber and IT staff are unable to justify the business case for cyber security, which impacts ability to make effective cyber security decisions.

“This means investments are often not made into key areas that enhance organisations’ cyber security. This leads to a reactive approach to cyber incidents as opposed to a proactive approach in limiting cyber risk. This is an area we will closely monitor in future years of the survey.”
