
Cybersecurity Advances Have Stalled Among UK Companies: Here’s How to Fix It
Every day, we read about the damage and destruction caused by cyber-attacks. Just this month, research revealed that half of UK firms were forced to halt or disrupt digital transformation projects due to state-sponsored threats. In an ideal world, stories like this would filter through to senior leadership, with efforts redoubled to improve cybersecurity posture. Yet the latest findings from the government tell a different story.
Unfortunately, progress has stalled on several fronts, according to the latest Cyber security breaches survey. One of the few positives to take away from the annual report is a growing awareness of ISO 27001.
Larger Firms in the Crosshairs
Published since 2016, the government’s study is based on a survey of 2,180 UK businesses. But there’s a world of difference between a micro-business with up to nine employees and a medium (50-249 staff) or large (250+ employees) enterprise.
That’s why we can’t read too much into the headline figure: an annual fall in the share of businesses overall reporting a cyber-attack or breach in the past year (from 50% to 43%). Even the government admits that the fall is most likely due to fewer micro and small businesses identifying phishing attacks. It may simply be that they’re getting harder to spot, thanks to the malicious use of generative AI (GenAI).
In fact, the share of medium (67%) and large-sized (74%) businesses reporting security incidents remains elevated. And large (29%) and medium (20%) businesses are also more likely than businesses overall (16%) to experience a negative outcome. This could include anything from loss of access to files and third-party services to corrupted systems, slower apps, and theft of personal data and funds. Additionally, large firms are most likely to report business disruption such as:
- Requiring extra staff time to deal with breaches/attacks (32% vs 17% overall)
- Putting new security measures in place (26% vs 18%)
- Interruption of employees’ day-to-day work (19% vs 9%)
- Disruption of service/goods delivery (8% vs 3%)
- Receiving customer complaints (6% vs 2%)
Additionally, while 20% of businesses overall are assessed to have been the victim of at least one cybercrime in the past 12 months, the figure rises to 43% of medium businesses and 52% of large businesses.
The Good and the Bad
The good news is that most medium and large businesses have taken key actions in each of the NCSC’s best practice 10-step guide to improving cybersecurity posture. And the percentage that has undertaken action in five or more areas has nudged up over the past year, from 80% to 82% for medium and 91% to 95% for larger firms. Additionally, around 95-100% of these organisations have at least three best practice technical rules or controls in place, such as up-to-date malware protection, network firewalls, restricted IT admin/access rights, device security, and VPNs.
Yet this hides an arguably more concerning bigger picture. For example:
- Staff training programmes were in place in 54% of medium and 76% of large businesses – similar to last year’s stats.
- Third-party supplier risk reviews were conducted by only 32% of medium and 45% of large firms – versus 28% and 48% last year.
- Incident response plans were in place in just 53% of medium-sized businesses and 75% of large businesses (versus 55% and 73%).
There also appears to be a lack of strategic direction and accountability from senior leadership. Just 70% of large businesses (up from 66%) and 57% of mid-sized firms (down from 58%) even have a cybersecurity strategy. In too many large companies, cybersecurity is being managed by the IT director (19%) or an IT manager, technician or administrator (20%).
“Businesses should always have a proportionate response to their risk; an independent baker in a small village probably doesn’t need to carry out regular pen tests, for example. However, they should work to understand their risk, and for 30% of large corporates to not be proactive in at least learning about their risk is damning,” argues Ecliptic Dynamics co-founder Tom Kidwell.
“There are always steps businesses can take though to lessen the impact of breaches and halt attacks in their infancy. The first of these is understanding your risk and taking appropriate action.”
Yet only half (51%) of boards in mid-sized firms have someone responsible for cyber, rising to 66% for larger firms. These figures have remained virtually unchanged for three years. And just 39% of business leaders at medium-sized firms get monthly updates on cyber, rising to half (55%) of large firms. Given the speed and dynamism of today’s threat landscape, that figure is too low.
Where Do We Go from Here?
An obvious way to improve cybersecurity maturity would be to embrace compliance with best practice standards like ISO 27001. On this front, there are mixed signals from the report. On the one hand, it has this to say:
“There seemed to be a growing awareness of accreditations such as Cyber Essentials and ISO 27001 and on the whole, they were viewed positively.”
Client and board member pressure and “peace of mind for stakeholders” are said to be driving demand for such approaches, while respondents rightly judge ISO 27001 to be “more robust” than Cyber Essentials.
However, awareness of 10 Steps and Cyber Essentials is falling. And far fewer large businesses are seeking external guidance on cybersecurity than last year (51% versus 67%).
Ed Russell, CISO business manager of Google Cloud at Qodea, claims that economic instability may be a factor.
“In times of uncertainty, external services are often the first areas to face budget cuts – even though reducing spend on cybersecurity guidance is a risky move,” he tells ISMS.online.
Russell argues that standards like ISO 27001 greatly enhance cyber maturity, reduce cyber risk and improve regulatory compliance.
“These standards help organisations to establish strong security foundations for managing risks and deploy appropriate controls to enhance the protection of their valuable information assets,” he adds.
“ISO 27001 is designed to support continuous improvement, helping organisations enhance their overall cybersecurity posture and resilience as threats evolve and regulations change. This not only protects the most critical information but also builds trust with stakeholders – offering a competitive edge.”
Cato Networks chief security strategist Etay Maor agrees, but warns that compliance doesn’t necessarily equal security.
“These strategic guidelines should be part of a holistic security practice that includes more operational and tactical frameworks, constant evaluation to compare it to current threats and attacks, breach response exercises and more,” he tells ISMS.online. “They are a good place to start, but organisations must go beyond.”