UK businesses' response to security breaches has "astounded" experts following the release of the government's official cybercrime stats for 2024.

The report from the Department for Science, Innovation and Technology (DSIT), released today, painted security as more of an afterthought for UK businesses, especially when considering the figures about how breaches are handled.

Some of the figures are remarkably low. For example, only 22 percent of 2,000 businesses have a formal incident response plan in place, which has "astounded" experts.

"Only a fraction of UK businesses have any kind of formalized incident response plan, which I find astounding," said Andy Kays, CEO at Socura. "Businesses will always have a plan in case of a fire, but will not apply the same due care for a data breach - which is statistically much more likely. It flies in the face of common sense."

The reporting of breaches to external authorities and organizations is also low. Only 10 percent of businesses ring the police when they detect the most disruptive breach in the previous 12 months - a stat that's halved when looking at who reports incidents to the National Cyber Security Centre (NCSC).

Reporting rates to arguably the most important entity, the Information Commissioner's Office (ICO), weren't even included in the report since the watchdog didn't make the top ten organizations that receive reports of breaches. Banks, building societies, and credit card issuers, on the other hand, placed first - 32 percent of businesses reported incidents to them.

Clients and customers were only alerted 5 percent of the time.

In most cases (68 percent), organizations don't deem the incidents significant enough to report to anyone. Other excuses included not knowing where to report incidents (13 percent of businesses), thinking a report would make no difference (9 percent), and incidents being too recent to allow time to report (4 percent).

As for the action taken, as many as 39 percent of businesses took no action following their most disruptive breach in the previous 12 months. Most defaulted to delivering more training to staff (23 percent), with a much smaller proportion making any changes to firewalls (9 percent) or anti-malware solutions (8 percent).

Small and micro businesses appear to be pulling the figures down considerably. Overall, 59 percent of businesses enacted some sort of organizational change following a breach, but medium and large businesses were much more likely to take action, with 74 and 86 percent of each respectively doing something to prevent further intrusions.

Breaches that resulted in material outcomes for victims, such as the theft of data, led to slightly different results. A greater diversity of measures were enacted by businesses and charities in this case, such as introducing new security tools, but still, 18 percent of businesses did absolutely nothing in response, even after a material breach.

"In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident," said Kays.

"They are failing to do the bare minimum. It's also important to note that businesses are doing very little to prevent or detect breaches in the first place."

Figures from DSIT's survey also showed a general decrease in awareness of security initiatives and willingness to seek support.

Just 41 percent of businesses sought cybersecurity information from outside their organization over the previous 12 months - a decline from 49 percent the previous year. It represents a steady, continued downward trend since the early GDPR days when, naturally, the proportion of businesses seeking outside help was high at 59 percent.

The overall figures were largely driven by micro businesses, since only 39 percent sought outside expertise compared to 70 percent of medium companies. The figures for charities also stand at 39 percent but have remained largely unchanged since 2018, give or take a few percentage points each year.

IT consultants appear to be favored heavily compared to the services provided by "official sources" such as the UK's NCSC, especially by medium businesses that may not be able to hire their own internal talent.

Only 1 percent of businesses and 2 percent of charities mentioned the NCSC by name when searching for security guidance, down from 2 percent each last year, suggesting the costly alternatives make a more convincing business case.

Awareness of the information campaigns run by the NCSC has also been in continued decline for the past two to three years, according to today's survey.

Cyber Aware, the general online safety advice book from the NCSC, plus the 10 Steps to Cyber Security guide and its Cyber Essentials assessment are all gradually falling off businesses' radars, although the drop is only slight from last year. The multi-year downward trend may give cause for concern, however.

"The decline in awareness for Cyber Aware since 2022 is driven by a decline among micro and small business," the survey reads. "There was a significant decline in awareness for Cyber Aware among micro businesses since 2021 from 34 percent to 24 percent in 2024 and a similar, and significant, decline among small business since 2021 from 38 percent to 28 percent in 2024. 

"Similarly, the decline in awareness seen for 10 Steps to Cyber Security is driven by a decline in micro and small business, but to a lesser extent."

Cost of a UK breach

According to DSIT's data, the average business that suffered any kind of security breach took a financial hit of £1,206 ($1,529). For medium and large businesses, this was predictably much higher than any micro and small organizations at £10,830 ($13,731).

The median cost of these breaches, both in the short and long term, stands at £0, though, which indicates that in the vast majority of cases, no material outcome is identified and no action needs to be taken.

But with incidents that do lead to material outcomes such as data theft, it becomes much costlier - the average cost soared to £6,940 ($8,799) with an average high of £40,400 ($51,221) for medium and large businesses. The costs were fairly evenly split between short-term and long-term outlays for the larger organizations, but those on the smaller side typically reported larger short-term costs, such as those related to the engagement of outside experts or paying sums to attackers.

Long-term costs refer more to things like replacing hardware or software, legal fees, and hiring new talent.

Attacks targeting the UK

It's estimated that around 312,000 registered business in the UK were targeted by some flavor of cybercrime in the past year, and 27,000 registered charities - 22 percent and 14 percent of the total respectively.

It may come as little surprise that phishing leads the way as the most common type of cybercrime affecting UK businesses, with 90 percent of respondents saying they had identified attempts in the past 12 months.

Large businesses were the biggest reporters of cybercrime attempts against them at 58 percent, and they were also the primary targets of non-phishing crimes such as unauthorized access attempts, malware, and ransomware.

They were "significantly" more likely to be targeted by cybercrime than smaller businesses - a trend that's also true for charities. Those with an income of more than £500,000 ($633,935) (37 percent) were more than twice as likely to be targeted compared to the average (14 percent). ®

https://www.theregister.com//2024/04/09/uk_biz_response_to_cybercrime/