Digital developments in focus

How are your competitors managing cyber risk? Latest UK Government research on cyber published

While we know that cyber preparedness is important, it can be difficult for businesses to assess if they are doing enough. Helpfully, the UK Government has recently published the results from two cyber surveys which can give organisations useful insights into market practices and how their competitors are dealing with cyber threats:

  1. “Wave Three” of its Cyber Security Longitudinal Survey has collected data from the same organisations over the past three years to evaluate changes in their cyber practices over time; and
  2. the 2024 Cyber Security Breaches Survey, the ninth instalment of this ongoing annual government survey, which provides a cross-sectional ‘snapshot’ of cyber resilience in the market for a given year.

Cyber threats continue to grow

It remains a truism that cyber threats are only increasing. In the last 12 months, 74% of large businesses experienced a breach or attack (up from 69% the year before), with phishing attacks being the most disruptive kind (making up 91% of incidents).

Despite this, many organisations are struggling to keep up with the pace of change in cyber security. Wave Three of the Longitudinal Survey found that, after initial improvements between Waves One and Two, the cyber preparedness of some businesses is stable or deteriorating. Although most businesses still cite cyber as a high priority (and there are modest upward trends in cyber resilience across the market overall), shifting priorities, budget constraints and economic conditions appear to be constraining cyber investment.

Lurking supply chain risk

Both surveys reiterate that managing supply chain risk is a critical factor in cyber preparedness, and the “main area for improvement” for large organisations.

The Breaches Survey found that only 28% of medium businesses and 48% of large businesses review cyber risks in relation to their immediate suppliers, and just 15% and 23% of them (respectively) assess their wider supply chains. The Longitudinal Survey made similar findings, with such figures remaining almost unchanged over the three-year survey. Evidently, supply chain risk remains a major blind spot for many businesses.

As a case in point, both surveys confirm that some businesses do not prioritise cyber security when selecting digital service providers (DSPs), such as cloud providers. Some rely on their DSPs to manage cyber risks, feeling that they have “no option but to trust” DSPs with “state-of-the-art cyber security protections”. In fairness to such customers, this could also reflect that large (particularly cloud) providers may be unable (or unwilling) to alter their security practices according to individual customer requirements.

However, high-profile supply chain breaches (such as Capita) show that even large suppliers can be vulnerable. Recent warnings from the NCSC and others also suggest that cloud providers in particular are a growing target for some threat actors (see our recent blog) as cloud adoption increases. It is therefore important that customers consider, and where possible proactively manage, cyber risk throughout the supply chain lifecycle. See our article for a few pointers.

Boards must steer the ship

It is no surprise that 98% of large businesses report that cyber is a high priority for their senior management. However, while “boards acknowledge the importance of cyber security … their engagement is relatively shallow”.

For example, only 30% of all businesses have a board member who is explicitly responsible for managing cyber security, although this rises to 63% for large businesses.

Importantly, the surveys show that strong board engagement is not just a box-ticking exercise – it makes a measurable difference. The Longitudinal Survey shows a strong correlation between board-level cyber representation and the uptake of critical technical controls in businesses, and also suggests that “organisations whose boards are more engaged in cyber security are more likely to monitor their systems and detect breaches”.

Therefore, it remains of utmost importance that businesses continue to keep their boards engaged with cyber. Our article here has more information on cyber governance, and (for the 67% of businesses that reported not being aware of it) the NCSC’s Board Toolkit is also a great resource.

Cyber security is not “set and forget”

To wrap up with a poignant observation from the surveys, cyber resilience is not necessarily a linear upward trend. Despite some modest improvements in the market overall, the cyber resilience of some organisations is stagnating or even deteriorating over time, even as cyber risk grows. Organisations, and boards in particular, must remain proactive in managing the risk of cyber threats, and keep pace with current cyber security practices (see, for example, the NCSC’s latest Cyber Assessment Framework 3.2 and its guidance for CEOs) and evolving risks.