The study has included more information about cyber crime and fraud that occurred as a result of cyber crime. The key points are highlighted below:
An increase in cyber attacks, likely because difficult economic conditions were driving opportunists to take advantage. There has also been an increase in phishing attacks, which has resulted in some organisations investing more in cyber security.
Phishing attacks have become more sophisticated because of advances in technology.
Organisations are not going to official sources for advice and are more likely to rely on IT consultants: just 1% of businesses and 2% of charities mention the NCSC by name.
Cyber security was not commonly raised as a consideration when choosing a digital service provider (DSP), such as a cloud provider, with the focus being on track record and cost. There was often an assumption that the DSP would be responsible for the risks and management of cyber security, i.e. placing a great deal of trust in the DSP.
There was a significant increase in medium businesses having a formal cyber security strategy in place, with four in ten businesses and a third of charities reporting being insured against cyber security risks in some way.
The report gives statistics about the general cyber resilience controls that businesses and organisations have in place:
Figure 3.6 Percentage of organisations that have the following rules or controls in place
Rules or controls in place | Businesses | Charities |
---|---|---|
Up-to-date malware protection | 83% | 65% |
A password policy that ensures that users set strong passwords | 72% | 54% |
Backing up data securely via a cloud service | 71% | 54% |
Restricting IT admin and access rights to specific users | 73% | 65% |
Firewalls that cover the entire IT network, as well as individual devices | 75% | 48% |
Security controls on organisation-owned devices (e.g. laptops) | 58% | 44% |
Only allowing access via organisation-owned devices | 61% | 34% |
An agreed process for staff to follow with fraudulent emails or websites | 54% | 35% |
Rules for storing and moving personal data securely | 48% | 47% |
Backing up data securely via other means | 55% | 41% |
Any Two-Factor Authentication (2FA) for networks/applications | 39% | 33% |
Separate Wi-Fi networks for staff and visitors | 35% | 25% |
Monitoring of user activity | 30% | 29% |
A virtual private network, or VPN, for staff connecting remotely | 32% | 18% |
A policy to apply software security updates within 14 days | 34% | 20% |
Bases: 2,000 UK Businesses, 1,004 charities
Half of businesses (50%) and around a third of charities (32%) report having experienced any kind of cyber security breach or attack in the last 12 months. Of the types of breaches, phishing attacks were by far the most disruptive.
Added staff time to deal with the attacks was the highest impact on an organisation when dealing with a breach, followed by implementing new measures for future attacks. Actions taken since the most disruptive breaches to prevent future breaches or attacks:
Additional staff training
Changed or updated firewall or systems configurations
Installed, changed or updated antivirus or anti-malware software
Increased monitoring
No action taken
While many of the results suggest that the prevalence of some activities has increased or at least stabilised in 2024, the trends are mostly negative when looking at organisational awareness and the use of information. There has been a fall in the proportion of businesses seeking information or guidance on cyber security from outside their organisation in the past year.
The full report is available to read: Cyber Security Breaches Survey 2024