
Cybersecurity Breaches Survey 2024: Awareness and Attitudes

Looking at spend on cybersecurity, where the guidance is and who takes responsibility.


In the second article for Cybersecurity Awareness Month covering the government’s cybersecurity breaches survey, SC UK is looking at Chapter Two: Awareness and Attitudes.

Specifically, this covers areas including prioritisation of cybersecurity within organisations; receiving and reacting to information and guidance; and qualitative data on how organisations make decisions on cybersecurity.

How much cybersecurity is seen as a high or low priority

In an age of increasingly high-profile cyber-attacks, awareness of the importance of cybersecurity is growing. This is reflected in the survey’s results. Three-quarters of businesses (75 percent) and more than six out of 10 charities (63 percent) report that cybersecurity is a high priority for their senior management.

Unsurprisingly, it is more common for larger businesses to say that cybersecurity is a high priority: 93 percent of medium businesses and 98 percent of large businesses, vs. 75 percent overall, according to the results.

In smaller firms, it can be a challenge to raise awareness, says Steven Furnell, IEEE senior member and professor of cybersecurity at the University of Nottingham. “Smaller organisations are less likely to have in-house specialists to champion these issues at a senior level.”


The importance of security also varies across industries. Industries prioritising the area include information and communications, finance and insurance, health, and social care and social work, according to the survey.


These sectors are responsible for sensitive or highly-regulated data, so they’re well aware of the benefits of taking security seriously.


How much is spent on cybersecurity?

Cybersecurity spend is a sensitive topic, especially when times are hard. Despite this, according to the survey, many organisations have continued to invest either the same amount or more in cybersecurity over the last 12 months. The interviews suggest that cybersecurity remains a priority, the survey says, which has meant spend has been maintained.

Yet there were exceptions due to budget cuts. As a result, these organisations tended to take a reactive approach: “They would look at individual cybersecurity problems as and when they arose,” the survey explains.

It goes without saying that this is a major risk. Cutting cybersecurity budgets “makes a breach inevitable”, says Damian Garcia, head of GRC consultancy at IT Governance. “The cost of breaches – including fines and reputational damage – far outweighs any savings.”

How involved are senior management, who takes responsibility

Communication is key in cybersecurity and according to the survey, many firms are realising this. Nearly two-thirds of medium businesses (63 percent) and almost eight out of 10 large businesses (78 percent) update their senior team at least quarterly, as do nearly two-thirds of high-income charities (63 percent).

As you’d expect, board-level responsibility is much more common in larger businesses, where the management board is probably bigger. Around two-thirds of large businesses (63 percent) have a board member responsible for cybersecurity, vs. 30 percent of businesses overall.

Information and communications (60 percent), finance and insurance (52 percent) and professional, scientific and technical businesses (42 percent) are more likely than average to have board members taking responsibility for cybersecurity. 

As mentioned previously, sectors such as finance and insurance are more likely to handle sensitive data. Consequently, they face a more significant cyber threat, making it unsurprising that security is at the top of the business agenda, says Ian Reynolds, a cybersecurity expert and representative of SecureTeam. “Here, the potential impact of a threat could be devastating, making it imperative for senior management to prioritise cybersecurity.”

CISOs value engagement, but the survey’s qualitative interviews suggest that some of the top brass are failing to engage. This is often due to a lack of understanding or interest in cybersecurity relative to the day-to-day operations of the organisation, and a lack of training or time.

“I was supposed to be attending a board meeting to talk about cybersecurity, but the meeting filled up with lots of things and funnily enough, the thing that got pushed off the agenda was the cybersecurity piece,” laments one data and insight manager at a high-income charity.

This attitude needs to change: Cybersecurity shouldn’t be viewed as someone else’s problem, says Lord Brian Mackenzie, of Framwellgate OBE, a British life peer and former police officer. “Senior management can't delegate this one down the line. They need to champion cybersecurity, embedding it into the corporate culture so that every employee becomes a vigilant sentinel.”

Everyone needs to get involved, Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec), tells SC UK. “Security teams themselves also need to take a strategic view and also act as supporters and educators – guiding the rest of the business on how to reduce and manage risk.”

Who seeks, and where to get advice and guidance

Where does cybersecurity guidance come from? There are plenty of sources, including the National Cyber Security Centre (NCSC), trade bodies and even the internet, yet many firms don’t take advantage of them.

Only four out of 10 businesses (41 percent) and charities (39 percent) report actively seeking information or guidance on cybersecurity from outside their organisation in the past year.

For charities, this result mirrors the previous iterations of the study in 2023 and 2022. However, for businesses, this result represents a significant decrease from 2023, when 49 percent of businesses sought information or guidance on cybersecurity from outside their organisation.

The sectors where businesses are most likely to seek out external information are finance and insurance (61 percent), admin and real estate (58 percent) and the professional, scientific and technical sector (54 percent).

As might be expected, internal information seeking is higher within large businesses (17 percent), which are more likely to employ cybersecurity specialists. This is higher than in both medium businesses (12 percent) and high-income charities (11 percent).

Many small businesses rely on external consultants but often miss out on affordable government resources such as Cyber Essentials and other cybersecurity frameworks, says Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group.

“These certifications aren’t just about meeting compliance standards; they’re a way to show your customers and partners that security is integrated into your business.”


Kate O'Flaherty Cybersecurity and privacy journalist
