UK Cyber security breaches survey 2024
Lies, damned lies, and statistics (attributed to Disraeli)
The UK Cyber Security Breaches Survey 2024 was published on 9th April 2024. Unsurprisingly, it summarises and discusses recent trends in cyber incidents. Of the 2,000 businesses and 1,004 charities surveyed, 1,111 businesses and 459 charities identified a breach or attack in the last 12 months. Here is a summary of their findings:
Types of breaches or attacks: (Businesses, Charities)
- Phishing attacks, i.e. staff receiving fraudulent emails or arriving at fraudulent websites: (84%, 83%)
- Others impersonating, in emails or online, your organisation or your staff: (35%, 37%)
- Organisation’s devices being targeted with other malware (e.g. viruses or spyware): (17%, 14%)
- Takeovers or attempts to take over your website, social media accounts or email accounts: (8%, 6%)
- Hacking or attempted hacking of online bank accounts: (7%, 5%)
- Organisation’s devices being targeted with ransomware: (6%, 3%)
- Denial of service attacks, i.e. attacks that try to slow or take down your website, applications or services: (5%, 5%)
- Unauthorised accessing of files or networks by staff even if accidental: (1%, 4%)
- Unauthorised accessing of files or networks by people outside your organisation (other than staff or students): (1%, 1%)
- Unauthorised listening into video conferences or instant messaging: (1%, 0%)
- Any other breaches or attacks: (3%, 3%)
The vast majority of these attack vectors are emails or spoof websites. These are genuine risks, but ones that are relatively easy to deal with.
Kindus will consider where these conclusions came from and how much weight should be given to the findings. The publication’s sources are quite open and are discussed in a separate technical report that describes how survey targets were identified and the questions asked of them. The survey contacted 2,000 UK businesses, 1,004 UK registered charities and 430 education institutions. Responses could be given over the phone or through a web portal. The targeted respondents were not completely random but were chosen so that the results could be ‘weighted up’ to provide a picture of the UK as a whole.
The investigation began with contact details for 32,612 businesses and 7,298 charities. The survey was only completed if a valid respondent could be found. It was not simply a case of whoever answered the phone: the respondent had to be a senior person with responsibility for cyber security, not a sole trader, and the business could not be operating as part of the public sector. It could take several calls to identify a suitable person willing to answer the set questions. The process continued until the required count of completed responses was achieved: 2,000 businesses and 1,004 charities. Although the initial sample was chosen to reflect the range of UK business sectors, the actual completed responses may have skewed this, and the survey results were weighted to take this into account. Of more interest is the number of targets from the initial pool who refused or were unable to provide a complete set of responses. There is no way of being sure whether any of these had been completely free of cyber incidents, or had been subject to a breach and were unwilling to disclose details.
Only 44 organisations from the whole pool of respondents took part in a follow-on interview. When broken down, this includes 2 retail or wholesale businesses and 2 involved in information or communications. Other types of business, education or charity show similarly low sample numbers or are not represented at all. The session itself took on average 1 hour, with £50 being paid to the respondent or donated to charity. It was based around open rather than closed questions, with the questions adapted to the business in question.
Although the initial survey and follow-on data collection reflect relatively small data sets, they should not be dismissed. If the UK cyber security environment were perfect, all contacted organisations would have preventive measures in place and all potential breaches would have been halted. This is so unlikely that if a survey showed such results its mechanisms would rightly be questioned. As well as giving some idea of the current state of UK cyber awareness, the 2024 results have been compared to data from previous years. There are relatively few examples of this sort of comparison within the report, but where present the degree of change over time is minor. For example, the ‘Percentage of organisations over time where cyber security is seen as a high priority for directors, trustees, and other senior managers’ varies from 69% in 2016 to 75% in 2024 for businesses.