Over the past month, we’ve taken a look at some of the main subjects in cybersecurity via the government’s cybersecurity breaches survey. With its multiple chapters, we were able to take a deeper look at:

* Tools, Guidance and Responsibility 

* Awareness and Attitudes 

* Identifying, Surviving, and Recovering from Cyber-Attacks

* Dealing with Breaches or Attacks  

As I said at the start of the month, the idea of looking at these chapters of the survey was to mark Cybersecurity Awareness Month, and in the subjects above we’ve covered some of the primary drivers and current talking points in the industry. 

So for our final article, I’ll be looking at the final chapter and the generic subject of ‘cybercrime’, and as the survey stated, “the frauds that occur as a result of cybercrime.”

When we think of cybercrime, I think of it as an overarching term for all bad things that happen online, or via ‘cyber’ means. That can be a divisive term though, as the survey states that “examples of cybercrime include hacking or unauthorised access into online accounts (e.g. banking, email or social media accounts), denial of service attacks, or devices being infected by a virus or other malicious software (including ransomware).” That all sounds like general cybercriminal tactics. 

Are we looking at the concept of someone having physical access to a device, or even a vault or server, does that constitute a cybercrime? Consider the recent stories around pagers being weaponised, does doing that make it a cybercrime, or just a digital interception? Is that even the same thing?

Who’s a Victim?

Looking at some of the statistics from this final chapter, there was an estimation that 22 percent of businesses and 14 percent of charities have been the victim of at least one cybercrime in the last 12 months; accounting for approximately 312,000 businesses and 27,000 registered charities.

Statistics also determined that medium and large businesses are significantly more likely to experience a cybercrime than smaller ones, while high-income charities (37 percent of those with an income of £500,000 or more, versus 14 percent of all charities) are significantly more likely to have experienced a cybercrime. Well, cyber-criminals do go where the money is after all, but as we found in our look at persistent attacks on schools, there are some targets that apparently experience attacks over and over.

The survey also stated that it can “only measure cybercrimes or fraud that organisations can identify and recall” and there are likely to be ‘hidden’ and forgotten crime incidents, so the reported findings may have a tendency to underestimate prevalence and scale.

So with that, I considered if there is a problem of businesses not reporting cybercrimes, and what should we be doing to better encourage all cybercrime to be informed to the police? Luke Dash, CEO of ISMS.online, said that data from Action Fraud showed 60,978 cybercrimes were reported to them between Jan 2023 and June 2024. Yet, the UK Government's Cyber Security Breaches Survey 2023 estimates that, across all UK businesses, there were approximately 2.39 million instances of cybercrime in that year alone. 

“So, the data suggests many businesses still do not report cybercrimes to law enforcement,” Dash said. “This underreporting is likely driven by several factors, including fear of reputational damage, concerns over the complexity and time required to report incidents, uncertainty about the benefits of involving law enforcement, and a lack of confidence in the police's ability to address the crime effectively.”

I guess the other consideration is the impact on the brand’s reputation: do you want the wider world knowing your defences were not up to standard, and that you need to admit that you’ve been the victim of a scam?

Dash recommended improving awareness and education about the importance of reporting cybercrime and how it benefits both them and the broader community. “Creating clear, easy-to-follow guides on reporting incidents and what happens afterwards can demystify the process,” he said.

“Governments could introduce incentives such as reduced fines for companies that report incidents early or provide tax breaks for businesses that actively collaborate with law enforcement and implement robust cybersecurity measures.”

Sounds Phishy

Particularly prevalent in this section of the survey were statistics on phishing. The survey found that those businesses and charities that identified any cybercrimes were often phishing-related, such as where individuals responded to a phishing email, or where the phishing email was targeted towards a specific organisation/recipient.

Also, phishing attacks are by far the most common type of cybercrime, experienced by 90 percent of business and 94 percent of charities.

Patrick Wragg, head of incident response at Integrity360, said what it is seeing in the wild is that phishing is more often than not used for financial-based ‘quick-win’ crime, such as invoice manipulation and adversary-in-the-middle attacks, rather than malware delivery that results in ransomware.

Maybe that is the point of why phishing attacks remain such a popular vector - they are cheap and easy to send, and often can enable results.

Dash said that continuous improvement is a core tenet of ISO 27001 and can provide organisations with a robust, structured approach to managing information security risks. “Businesses can better protect themselves from sophisticated phishing attacks and other cyber threats by fostering continuous improvement, awareness, and vigilance and embedding strong controls within their operations.”

Are You Experienced?

We see the problem of where the cybercrime begins, and where it is not reported, but what about the overall scale of cybercrime? Among the 22 percent who said they experienced cybercrime, 28 percent identified one cybercrime over this period, 13 percent identified two cybercrimes, and 59 percent experienced three or more.

Taking the mean estimates, these businesses experienced 25 cybercrimes of any kind in the last 12 months on average, and UK businesses had experienced approximately 7.78 million cybercrimes of all types, and approximately 116,000 non-phishing cyber crimes in the last 12 months.

What does this all teach us? As we are at the end of Cybersecurity Awareness Month, cybercrimes are as prominent and persistent as ever and we can see that two factors stand out - the same problems cannot be overcome, and not enough cybercrime is reported.

On the second point, I believe this is a cultural thing, and we need to report losses to cybercrime not just to banks and financial institutions, but also to law enforcement. Cybercrime may seem like something that happens to others, but if UK businesses had experienced approximately 7.78 million cybercrimes of all types, this needs to be addressed properly and in a collaborative manner.

With that, it’s time to draw a curtain over Cybersecurity Awareness Month once again. We didn’t really uncover anything that hadn’t really been covered elsewhere, but it substantiates how we need to keep cybersecurity at the top of the agenda - for governments, law enforcement, boards and regulators. We’ll keep reporting on cybersecurity issues, and remaining aware all year round.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.