
Cyber Breaches Survey Analysis - Awareness and Attitudes

Looking at statistics around businesses' awareness of and attitudes to cybersecurity.


The annual government Cyber Security Breaches Survey was published at the start of the month, and provides one of the most concise collections of statistics available on the state of cybersecurity.

In a year when Cyber Resilience is expected to dominate the headlines, due to the proposed Cyber Security and Resilience Bill, this level of analysis really does shine a light on the reality of UK cyber preparedness, readiness and of course, resilience.

Over the next couple of months, we will look at the five main chapters of the study. For this first part, we will look at the section on ‘awareness and attitudes.’ Naturally, the concluding section begins with the statement that “cybersecurity remains a high priority for the majority of businesses and charities, consistent with previous years”, which is not a surprise: cybersecurity remains in the headlines and often in the minds of company leaders, and it has become a common theme for business growth.

For example, recent research from Gartner determined that 85 percent of CEOs consider cybersecurity essential for business growth.

High Priority

The breaches survey found that 72 percent of businesses, and 68 percent of charities reported that cybersecurity was a high priority for their senior management, and it was more common for larger businesses to say that cybersecurity was a high priority - 96 percent of large businesses and 92 percent of medium businesses, compared with 72 percent of businesses overall.

Looking at the verticals, 97 percent of finance and insurance businesses deemed cybersecurity as a higher priority, compared with businesses overall:


  • 89 percent of utilities or production businesses

  • 89 percent of professional, scientific or technical businesses

  • 83 percent of administration or real estate businesses

  • 44 percent of retail or wholesale sector businesses

What about those businesses who have someone taking responsibility? Just under three in ten businesses (27 percent) and 30 percent of charities had board members or trustees taking explicit responsibility for cybersecurity as part of their job.

Board Responsibility

As might be expected, board-level responsibility was much more common in larger businesses, where two-thirds of large businesses (66 percent) had a board member responsible for cyber security compared with 27 percent of businesses overall.

Reversec executive vice president Scott Reininga says: “Attitudes towards cybersecurity are definitely changing; there is growing recognition among senior executives of its importance, but there's still room for improvement. Many boards are starting to see cybersecurity as a critical business risk that requires their direct oversight, rather than something to be delegated solely to IT departments.”

As this section covered the concept of awareness, the statistics were plentiful. The survey asked organisations, in a later set of prompted questions, whether they had heard of specific government initiatives or communications campaigns before. These included:


  • The national Cyber Aware communications campaign, which offers tips and advice to protect individuals and small businesses against cyber crime

  • The 10 Steps to Cyber Security guidance, which summarises how organisations can protect themselves by managing cyber risk

  • The government-endorsed Cyber Essentials scheme, which enables organisations to be certified independently for having implemented technical good-practice in cyber security

Cyber Aware was the most commonly recognised of these, with 24 percent of businesses and 26 percent of charities aware, while just over one in ten businesses were aware of each of the 10 Steps to Cyber Security (12 percent) and Cyber Essentials (12 percent).

Cyber Essentials

Possibly the most notable of these is Cyber Essentials, which marked its tenth anniversary last October. The statistics show that 51 percent of large businesses, 43 percent of medium businesses and 23 percent of small businesses were aware of Cyber Essentials, whilst 40 percent of high-income charities were aware of Cyber Essentials, compared to 15 percent of charities overall.

Reininga says that it is surprising that awareness of Cyber Essentials isn't higher, given it has been ten years. “I would expect these numbers to be higher considering the scheme's importance in safeguarding against common cyber threats,” he says.

"One reason could be that I only ever see Cyber Essentials promoted in security-focused forums. To improve awareness, the government could broaden its promotional efforts to include industry events across various sectors, which would help reach a wider audience."

In addition to Cyber Essentials, Reininga says that new regulations in the industry are playing a significant role in raising cyber awareness: DORA and NIS2, for example, are pushing organisations to prioritise cybersecurity, and this is something we’re seeing reflected in the various conversations we’re having.

He says: “These regulations are crucial in driving organisations to implement robust cybersecurity measures and ensure they are prepared to handle cyber threats effectively.

“Overall, it's promising to see these positive changes, but continuous effort and vigilance are needed to keep up with the rapidly changing cyber threat landscape.”

In last year’s survey, it was determined that three-quarters of businesses (75 percent) and more than six out of 10 charities (63 percent) report that cybersecurity is a high priority for their senior management. So compared to this year’s findings of 72 percent and 68 percent respectively, there is some slight change. Maybe it’s good that it remains high overall, but it could also be considered that it is not high enough?

As for awareness, we live in a society dominated by technology and with ever-increasing digital footprints. With increased usage of new social networks and AI adoption, perhaps this time next year the awareness of the cybersecurity considerations should be higher?


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
