UK government’s “scarcely believable” cybersecurity survey makes grim reading for all sizes of business

The UK Government has published ‘wave three’ of its Cyber Security Longitudinal Survey (CSLS), the culmination of a multi-year study that tracks the same organisations over time. And it highlights just how vulnerable the UK’s cybersecurity defences are.

The survey aims to analyse cybersecurity policy within medium-to-large-sized organisations in an attempt to better understand how they evolve.

First, let’s look at the results for medium-sized organisations, and in particular at board engagement: only 60% said that their boards “integrate cyber risk considerations into wider business areas”.

That the remaining 40% of boards do not engage with cybersecurity at this level is the face-palming moment that many security professionals will, unfortunately, be oh so familiar with.

The facepalms continue when we look at how many boards have members with any cybersecurity training. 47%. Yes, less than half. Yet the report authors would have us think this is a success, as it is “significantly more” than the 33% recorded in wave one in 2021.


Cybersecurity in UK’s medium-sized businesses

I’m sorry to report that the sad face emoji continues to dance around my screen when we look at the number of medium-sized businesses that have formally assessed or managed potential cybersecurity risks in their supply chain.

You know, the supply chain: the thing that is increasingly responsible for dropping organisations into the ransomware and data breach brown stuff. The number is, erm, just 24%.

None of this is overly surprising to me, not least when you consider that the survey found only 17% of medium-sized businesses had bothered with the National Cyber Security Centre (NCSC) Cyber Essentials certification, and a meagre 7% with Cyber Essentials Plus.

Andy Kays, CEO of managed detection and response provider Socura, says that “some of these figures are scarcely believable, but as a government-controlled longitudinal survey, these may be some of the most realistic cybersecurity survey figures ever obtained in the UK.”

I’d have to agree with that, and it’s preferable for such numbers to emerge without a rose-tinted skewing of results. Even if what it shows is “the grim reality that many UK businesses are not prioritising cyber security, or are making changes to their security posture at a glacial pace”, says Kays.

He singles out the Cyber Essentials certification figures in particular. “Only 17% of businesses are Cyber Essentials certified, which is one of the lowest bars for measuring security best practices. These figures are all far from perfect.”

UK businesses vulnerable to cyberattacks

William Wright, CEO of Scottish cybersecurity firm Closed Door Security, warns that the survey highlights “how vulnerable UK organisations are to cybercrime today and the need for them to prioritise their defences”.

While the data overall does show that many organisations are “taking steps to expand or improve their defences over the next year,” he adds, “there is still a large gap in terms of cyber featuring in board and wider company decisions”.

As Wright concludes: “organisations must move away from treating cyber as an IT issue. It impacts every single business area, so it needs to feature in almost all business decisions.

“The UK is currently under increased threat from hostile nation states and these countries possess highly advanced cyber skills that can cause real damage to businesses and societies. Organisations must prepare for these threats and prioritise their cyber resilience. Attacks are not going down, they are only getting worse, and so are their consequences.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
