
Cyber Breaches Survey Analysis - Conclusions on UK Posture

What is the current state of UK cybersecurity when it comes to hygiene, responsibility and attacks?


Over the past few months we've reviewed the six chapters of this year’s Government Cyber Security Breaches Survey in order to gauge the state of UK industry and defences.

These are available here:

7th May - Cyber Breaches Survey Analysis - Awareness and Attitudes

14th May - Cyber Breaches Survey Analysis - Dealing with Cyber Breaches or Attacks

20th May - Cyber Breaches Survey Analysis - Cybercrime

28th May - Cyber Breaches Survey Analysis - Approaches to Cybersecurity

25th June - Cyber Breaches Survey Analysis - Prevalence and Impact of Cyber Breaches or Attacks

Decline in Responsibility

In the concluding chapter, it is determined that the survey “reveals a complex and evolving cybersecurity landscape” and while cybersecurity remains a high priority for the majority of businesses and charities, consistent with previous years, there is a decline of board-level responsibility among businesses since 2021.

Speaking to SC UK, Chris Pierson, CEO and founder of Blackcloak, cited 2011 guidance on disclosing cybersecurity risks and incidents, which stated that material cybersecurity risks are a board-level item. Later versions stated that the board must have oversight of cybersecurity and that cyber risks must be disclosed, “and as a result, what has happened is that the board has more knowledge of cybersecurity and been able to hold management responsible for ‘do you understand what the inherent risk is? Do you understand what the control framework is? Do you understand what that residual risk is, and does it match with our board's expectations?’”

Pierson says that a lot of the time, cybersecurity responsibility has been pushed to an enterprise risk management committee so that more time can actually be spent on it. “At the end of the day it’s IT risk, it’s cyber risk, it's operational risk, it's uptime risk - it's all those things,” he says.

“Overall cybersecurity needs to be a board level item, a board level topic. Whether you need persons of expertise in cybersecurity on the board, it is a fact - just like the Sarbanes–Oxley Act in the US mandated somebody with technical proficiency in financial controls: you do need somebody with proficiency and knowledge in high technology, IT and cybersecurity.”

Senior management involvement appears to be a decisive factor in advancing cybersecurity initiatives, as organisations with active senior leadership demonstrated more robust security strategies and controls.

External Sources

There is a continued reliance on external consultants and IT providers, especially for information, highlighting a potential gap in organisations’ use of accessible and trusted guidance.

Also, while the overall proportion of organisations seeking external information or guidance remained stable, large businesses showed a decrease on this measure.

In terms of external guidance, there was a noted gap in overall awareness of and engagement with government-endorsed cyber security resources: awareness of initiatives like Cyber Aware, the 10 Steps guidance, and Cyber Essentials has declined steadily in recent years and remains fairly limited.

Sarb Sembhi, CTO of Virtually Informed, says that the concept of ‘doing the basics’ would be done if it were basic, and “it may be basic for security people, but it's not basic for non-security people: it's quite complex, that's part of the problem.”

He says the other part of the problem is that micro-organisations and SMEs have been told that they need to do something about their cybersecurity now or they could be fined or attacked, and “many of these don't know cyber other than what they read, so their mental models about cyber risk are only what they see in the news.” However, they never see a micro-organisation being fined or attacked, so in their mind, “their mental model is that micro-organisations have nothing of interest that they should worry about.”

Sembhi says that this perception has never been challenged by the websites out there, including the NCSC's, and that what should be happening is an examination of how the risk has changed over a period of time and how it now affects smaller and micro-organisations.

“That education hasn't been happening, and it means that these organisations still persist in thinking that there is nothing that they need to do, and when they get big enough, they'll do something about it,” he says.

“Many SMEs will say ‘we know we need to do something’ and the only reason that's pushed them to it is they got attacked, and it's usually the attack that forces the awareness in some aspects that they need to do something, but the urgency to do something hasn't.”

Cyber Hygiene

On the cyber hygiene front, while small businesses are making progress in these practices, funding limitations are creating challenges for some businesses.

Those key cyber hygiene practices were noted as risk assessments, cyber insurance, formal cyber security policies, and business continuity plans covering cyber security. While high-income charities showed a decline in some key areas, larger organisations benefited from formal strategies and established processes, and were more likely to have formal cybersecurity strategies in place and to regularly review them.

The majority of organisations have implemented basic technical controls, but there is room for improvement: adoption of more advanced technical controls such as two-factor authentication, VPNs, and user monitoring remains lower than for other measures.

Internal reporting of breaches or attacks to senior management was more common, but external reporting remains uncommon. Does the limited prevalence of external reporting suggest a reluctance to disclose incidents? Or is this down to the limited information and guidance discussed above?

Additional staff training was the most common preventative measure adopted following a breach or attack, perhaps highlighting organisations’ understanding of the importance of ongoing education and awareness raising.

Cybercrime

The overall prevalence of cyber crime remains consistent with 2024, with higher prevalence among medium and large businesses and high-income charities.

While overall cyber crime prevalence was stable, there has been a significant increase in ransomware, both among businesses overall and among businesses that experienced cyber crime. Phishing remained the most common type of cyber crime, while other forms like hacking, ransomware, viruses, and denial of service attacks were less common.

The stable prevalence of cybercrime, despite a decrease in overall prevalence of breaches or attacks, suggests that organisations remain vulnerable to the most serious cyber breaches and attacks that ultimately end up recorded as cybercrime.

Cyber-facilitated fraud, where a breach or attack leads to fraud, affects a small proportion of organisations, but associated costs are higher than for cybercrime - as we detailed in the fourth chapter analysis.

Disparities

The final conclusion determined that while progress is being made in certain areas, evolving threats like phishing and ransomware, and disparities between different types of organisations, “highlight persistent vulnerabilities.”

However, there is an observed strengthening of cyber hygiene among small businesses, and the report said there are positive steps in knowledge of official guidance and initiatives, improving incident response capabilities, encouraging transparent reporting, managing supply chain risks, and empowering boards with cyber knowledge.

It concluded that these are all crucial steps “toward building a more secure and resilient cyber landscape for the UK” and it seems that things are moving in the right direction.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
