

3 surprising stats from the Cyber Security Breaches Survey 2022 

The annual DCMS Cyber Security Breaches Survey 2022 was released by the UK Government yesterday. The survey aims to gain insight into the key issues UK organisations are facing, what breaches or cyberattacks have been identified over the previous 12 months, and how businesses, charities, and educational institutions are currently approaching cyber security.

The results of the survey are used to inform what government policies are needed to drive cyber security adoption and an overall more resilient digital economy in the UK. They are also designed to offer guidance and information for businesses to be able to protect themselves from security breaches, with around half of businesses reporting that they are actively seeking guidance on cyber security from outside of their organisation.  

Only 39% of UK organisations can identify a breach 

The first surprising stat covered in the report is that only 39% of organisations in the UK are able to identify if they’ve suffered a breach. This is a worryingly low figure when you take into consideration that there were over 620 million ransomware attacks alone in the last year. And that doesn’t take into account the prevalence of phishing attacks and other more sophisticated forms of attack, such as denial of service or malware, which were also identified in the survey responses. Interestingly, of those who were able to identify cyberattacks, 31% said that they saw attacks at least once a week.

With this level of frequency, thoughts go to the 60%+ of organisations in the UK who are likely to be unknowing victims of a surreptitious cyberattack. We regularly speak to organisations who relied on the hope that they would be too small to be a target or have relied on back-ups as a ‘cyber security insurance policy’. Unfortunately, this could be the very reason that they fall victim to an attack. Cybercriminals often target smaller, less cyber-equipped companies with an eye on their larger partnering organisations. We’ve also recently talked about the fact that back-ups are no longer sufficient in order to recover from ransomware attacks. This becomes particularly pertinent in view of the 61% of attacks which saw attackers use compromised access credentials to gain uninterrupted access to IT environments, which allows them to lock up the back-ups as well and hold those to ransom too.

The survey findings show that, in fact, eight in ten businesses (82%) report that cyber security is a high priority for their senior management. The gap between this and the reality of such a low proportion of UK businesses being able to identify attacks, let alone being able to take action to recover from any breaches, is inevitably down to the cyber skills gap. This is reported to impact more than 50% of organisations.  

Businesses should be looking to an outsourced Security Operations Centre (SOC) to protect themselves from cyberattacks. This provides 24/7/365 monitoring of all sources of network traffic and activities to detect threats, plus the ability to neutralise an attack in less than 6 minutes. It’s not always possible for organisations to invest in an in-house security team or a wider technology stack. Top cyber talent in the industry is also more likely to head toward a SOC to benefit from a more diverse workload. But by investing in a managed SOC, organisations will save on the costly and time-consuming set-up, certification costs, and expensive tooling required by in-house teams.

Only 14% of businesses and 9% of charities have carried out penetration testing 

Considering the majority of organisations are unable to identify if they’re under active attack or have suffered a breach, preventative measures should be prevalent as a countermeasure to these blind spots. However, the survey found that proportionally only 14% of businesses and 9% of charities in the UK have carried out penetration testing within the last year. When you take into account the growing digital footprint across organisations, including online charity donations, in addition to the near-universal use of email accounts and a company website, this is concerning. 86%+ of businesses therefore are unaware of their attack surface.  

[Figure: Percentage that currently have or use the following digital services or processes. Photo credit: Cyber Security Breaches Survey 2022, GOV.UK (www.gov.uk)]

Penetration testing is the ideal solution for organisations that want to identify if they have any weaknesses or vulnerabilities at that point in time. It’s a cost-effective measure to understand risk profile before implementing any further proactive cyber security strategies. With organisations, especially charities, holding sensitive personal data, it’s essential that this is being protected against attack and subsequent release on the dark web.  

It’s imperative that businesses have a clear understanding of the threat to their security. A penetration test, whether on internal or external infrastructure, or on a mobile or web application, enables organisations to remedy any issues before a breach occurs and it’s too late. 

Organisations aren’t aware of Cyber Essentials 

Cyber Essentials is a scheme and security certification which is suitable for businesses of all sizes to protect themselves against a range of common cyber threats. This scheme will support organisations in putting technical controls in place and provide peace of mind to customers and partners.  

In fact, we often see new business questionnaires asking for proof of Cyber Essentials Certification. For any organisations bidding for government contracts, Cyber Essentials Certification is a prerequisite. So, we were surprised that the awareness of this certification was low, with only 6% of businesses holding a Cyber Essentials Certification. This drops to only 1% of businesses having a Cyber Essentials Plus certification.

To obtain Cyber Essentials Certification, organisations are assessed against five basic security controls. The simplicity of this approach makes the certification accessible for smaller organisations and those without in-house technical skills. There are additional benefits to certification, with success displayed on the Government’s National Cyber Security Centre (NCSC) website. On top of that, any UK organisation that certifies their whole organisation and has less than £20m annual turnover automatically gets £25,000 of cyber liability insurance cover, and access to a 24-hour helpline to report incidents.

If you’re starting your cyber security journey, Cyber Essentials Certification is a great first step on your roadmap to a more secure posture. 

Take a proactive approach to prevent breaches before they happen 

It’s promising that small, medium, and large businesses are already outsourcing their IT and cyber security to an external supplier 58%, 55%, and 60% of the time, respectively, to proactively mitigate against the risks mentioned above. By working with a certified managed security services provider (MSSP), organisations can benefit from access to greater expertise and resources to prevent cyberattacks before they happen, drawing on the aggregate value of cyber professionals with extensive knowledge of the threatscape. This can be especially beneficial for smaller organisations that simply do not have the resources in-house to identify or prevent attacks.  

If you’re looking for guidance on how you can get buy-in from the board for your cyber security program or how to choose the right cyber security partner for your business, then visit the Knowledge Base for more information.  
