UK government’s “scarcely believable” cybersecurity survey makes grim reading for all sizes of business
The UK Government has published ‘wave three’ of its Cyber Security Longitudinal Survey (CSLS), which represents the culmination of a multi-year study tracking the same organisations over time. And it highlights just how vulnerable the UK’s cybersecurity defences are.
The survey aims to analyse cybersecurity policy within medium-to-large-sized organisations in an attempt to better understand how they evolve.
First, let’s look at the results for medium-sized organisations. Take board engagement in particular: 60% say that their boards “integrate cyber risk considerations into wider business areas”.
That any board does not engage with cybersecurity is the face-palming moment that many security professionals will be oh so familiar with, unfortunately.
The facepalms continue when we look at how many board members have any cybersecurity training. 47%. Yes, less than half. Yet the report authors would have us think this is a success as it is “significantly more” than the 33% who had received training in wave one from 2021.
Cybersecurity in the UK’s medium-sized businesses
I’m sorry to report that the sad face emoji continues to dance around my screen when we look at the number of medium-sized businesses that have formally assessed or managed potential cybersecurity risks in the supply chain.
You know, that thing that is increasingly responsible for dropping organisations into the ransomware and data breach brown stuff. The number is, erm, just 24%.
None of this is overly surprising to me, not least when you consider the survey found only 17% of medium-sized businesses had bothered with the National Cyber Security Centre (NCSC) Cyber Essentials accreditation and a meagre 7% the Cyber Essentials Plus one.
Andy Kays, CEO of managed detection and response provider Socura, says that “some of these figures are scarcely believable, but as a government-controlled longitudinal survey, these may be some of the most realistic cybersecurity survey figures ever obtained in the UK.”
I’d have to agree with that, and it’s preferable for such numbers to emerge without a rose-tinted skewing of results. Even if what it shows is “the grim reality that many UK businesses are not prioritising cyber security, or are making changes to their security posture at a glacial pace”, says Kays.
He picks on the Cyber Essentials certification figures in particular. “Only 17% of businesses are cyber essentials certified, which is one of the lowest bars for measuring security best practices. These figures are all far from perfect.”
UK businesses vulnerable to cyberattacks
William Wright, CEO of Scottish cyber security experts Closed Door Security, warns that the survey highlights “how vulnerable UK organisations are to cybercrime today and the need for them to prioritise their defences”.
While the data overall does show that many organisations are “taking steps to expand or improve their defences over the next year,” he adds, “there is still a large gap in terms of cyber featuring in board and wider company decisions”.
As Wright concludes: “organisations must move away from treating cyber as an IT issue. It impacts every single business area, so it needs to feature in almost all business decisions.
“The UK is currently under increased threat from hostile nation states and these countries possess highly advanced cyber skills that can cause real damage to businesses and societies. Organisations must prepare for these threats and prioritise their cyber resilience. Attacks are not going down, they are only getting worse, and so are their consequences.”