New figures from the UK government show that three quarters of businesses – and 79% of charities – experienced a cybersecurity incident over the past 12 months.
These figures come from the Department for Science, Innovation and Technology’s latest Cyber Security Longitudinal Survey (CSLS) – its third iteration. The survey monitors the same medium and large businesses (as well as high-income charities) year-on-year to discover the threats they face and how these evolve over time.
In its latest survey the government found that 38% of businesses (36% for charities) adhere to one or more of the three key cybersecurity certifications: Cyber Essentials Standard, Cyber Essentials Plus and ISO 27001.
More reassuringly, over half of those surveyed (59% for business, 56% for charities) have written procedures in place for responding to cybercrime incidents. That said, just 46% of businesses had tested their incident response in the past 12 months, a figure that dropped to 34% among charities.
Around a fifth of those surveyed used AI or machine learning to improve their cyber resilience efforts.
Perhaps the most alarming finding was that, despite continued high-profile attacks, many organisations and charities hadn’t improved upon or developed their cybersecurity position over the past 12 months.
As is typical for these surveys, the largest businesses did best, having more accreditations and better control measures than their SMB counterparts. Of course, these larger businesses often have more to invest in cybercrime resilience – not to mention more to lose if things were to go awry.
When considering the types of cyber crime reported there was little change at the top – with fraudulent emails again topping the bill for most common. However, there was a notable uptick in criminals attempting to hack into websites, social media channels or user accounts. In the last survey this was reported by 11% of respondents, but in this iteration was identified by 15% of businesses and 18% of charities.
William Wright, CEO of Closed Door Security, told Infosecurity Magazine that there still appeared to be a large gap in terms of cyber featuring in board and wider company decisions.
“Organizations must move away from treating cyber as an IT issue,” he argued. “It impacts every single business area, so it needs to feature in almost all business decisions.”