The Cyber Security Breaches Survey 2024 presents insights into cyber threats faced by UK businesses and charities. Half of UK businesses and around a third of charities reported experiencing some form of cyber attack in the last 12 months. These figures rise sharply for medium businesses (70%), large businesses (74%), and high-income charities (66%). Phishing attacks are the most common (84% of businesses and 83% of charities), followed by impersonation attempts (35% of businesses and 37% of charities) and malware (17% of businesses and 14% of charities). The most disruptive breaches cost businesses an average of £1,205; for medium and large businesses this figure rises to £10,830, and for charities it is £460.
Internal threats include weak passwords, insecure file-sharing practices, and a lack of awareness about phishing tactics. According to a report by Verizon, various forms of human error account for 82% of data breaches, often resulting from lax security practices within the organisation.
Many of the cyber threats are relatively basic, and government guidance recommends that businesses and charities use "cyber hygiene" measures for protection. Most organisations have adopted a variety of these, such as updated malware protection, password policies, cloud backups, restricted admin rights, and network firewalls, each used by at least seven in ten businesses and over half of charities. This year, businesses have seen a slight increase in the deployment of these controls, which shows we are moving in the right direction.
Beyond having the right protective technologies, such as malware protection, email domain security (anti-spoofing) and firewalls, there are a few more management practices and plans that you can put into place to protect yourself:
In June 2024, the NHS fell victim to a ransomware attack that affected multiple hospitals across London, leading to cancelled surgeries and diverted emergency care. Investigations revealed that the attack exploited weaknesses in internal systems. This case underlines the importance of addressing basic internal security risks before they can be exploited. For businesses in highly regulated industries like healthcare, financial services, and legal, the impact of an attack can be particularly devastating, affecting not only the business’s bottom line but also its reputation and customer trust. In this case, it actually put lives at risk.
The proportion of businesses seeking external cyber security guidance has declined since 2023. Notably, many organisations, including large ones, remain unaware of key government guidance such as the 10 Steps to Cyber Security or Cyber Essentials accreditation. Currently, only a relatively small number of organisations adhere to recognised standards.
In the past year, 41% of businesses and 39% of charities sought external advice, mainly from cyber security or IT consultants, which is a drop from 2023's 49% for businesses, while the number remains unchanged for charities.
Hopefully, this demonstrates that businesses are better protected than they were a year ago, but the concern here is the speed at which malicious actors learn and execute. To safeguard your business, speak to, and get advice from, the experts. Focus your efforts on internal security measures: train your teams, restrict access, and conduct regular audits to ensure that your business is protected from within.
Speak to the security experts today and take the next step towards securing your business from the inside out.
Explore how we can protect your business from cyber threats here in our Cybersecurity Services pages.