
The Government has been undertaking a cybersecurity survey of UK organisations for the last seven years – assessing how much progress businesses are making with forming and implementing cybersecurity policies and documenting the evolution and frequency of cyberattacks.

The latest survey was taken during winter 2021-22 and the results were published at the end of March 2022. A total of 1,244 businesses were asked about their cyber experiences from the last year. Here are a few interesting extracts from the survey…

  • Cyberattack rate: During the last 12 months, almost two fifths (39 per cent) of organisations said they had experienced some kind of cyberattack – the same figure as the previous year.
  • Attack type: The majority stated that phishing was the most common type of attack (83 per cent) and one in five (21 per cent) said they had been subject to a ransomware, malware or denial of service attack.
  • Frequency: The frequency of attacks is constant, with a total of 31 per cent of businesses saying that their organisation came under attack at least once a week.

What can businesses do better?

Alarmingly, fewer than one in five businesses have a formal incident management plan in place – although many more have established business continuity plans to ensure that their business can continue uninterrupted if attacked.

The survey revealed that even though businesses know cybersecurity is a critical area of focus, there is still a lack of knowledge of what exactly to do to protect themselves – especially in smaller companies and, perhaps surprisingly, in large organisations at senior level. Too many organisations still ‘react’ to incidents rather than proactively improving their skillsets and systems, with more and more outsourcing cybersecurity to a dedicated supplier. Despite these third-party specialists being themselves a target for attackers, fewer than one in ten businesses who use their services monitor or explore this potential vulnerability.

The research also revealed that companies are not really taking the opportunity to gain industry standard accreditations such as Cyber Essentials – either they aren’t aware of their existence or feel that they simply don’t apply, as they won’t meet the stated criteria.

Stand-out positives

Lots of businesses have implemented technology controls to protect their networks and many have put practices and procedures in place to ensure good cybersecurity protection measures. For the first time in the history of the survey, cybersecurity is seen as a top priority by a larger number of companies, with many putting in place awareness programmes for employees to emphasise its importance to the business.

The organisations achieving success in this area said that they kept communication on cybersecurity to all staff ‘regular and relatively informal’ to ensure they are not overloaded with technical terms that may cause them to switch off from the importance of keeping the business, its staff and customers safe.
