In February, the Government published the results from their fourth wave cyber security longitudinal survey, a multi-year project following the same organisations over time to understand how their security posture is changing in relation to new policy and the introduction of new processes. The survey was undertaken between July and October of 2024.
The report acknowledges that the cyber threat landscape has continued to evolve, and that it is increasingly essential for businesses of all sizes to establish clear cyber security policies and implement robust practices to protect themselves. We looked at the key findings, which include:
Prevalence and impact of cyber incidents
- 79% of medium and large businesses, and a similar number of charities, have experienced some form of cyber incident in the past 12 months.
- Phishing has remained the most common type of cyber incident: 74% of businesses and 72% of charities reported a phishing incident in the past 12 months.
- Staff impersonation via email or online has risen since the previous survey, with around 56% of businesses and 46% of charities reporting this type of attack.
- A rise in attempted online bank account fraud has been observed, although fewer businesses and charities reported takeovers or attempted takeovers of their websites in comparison to previous surveys.
Policy and process
- More businesses reported having attained Cyber Essentials Plus than in the past three surveys; there has also been a noted rise in uptake by charities.
- Adoption of the Cyber Essentials, Cyber Essentials Plus or ISO27001 frameworks was noted among both businesses and charities, although ISO27001 is more popular with businesses.
- The identification of cyber risks by organisations has increased, while the number of organisations conducting formal assessments of their supplier cyber security posture has decreased year on year.
Cyber security behavioural change
- Use of external advisory services and expertise was cited by a significant number of businesses and charities as the most influential factor in improving their security posture.
- Despite efforts to improve and enhance internal skills amongst their workforce, human error has been identified as a significant vulnerability and weakness in medium and large organisations, a consistent theme across all four surveys.
- A security incident, such as phishing, or media coverage of an incident at a similar-sized organisation or industry peer, is cited as having a direct impact on an organisation’s cyber security posture and on staff engagement with cyber security matters.
Budgets and board engagement
- Around 44% of large businesses stated that they have increased their security budgets over the last 12 months, with a smaller increase noted for medium-sized organisations. Analysis suggests that larger businesses are more aware of the need to stay ahead of cyber threats and are investing accordingly, whereas smaller organisations face tougher decisions.
- Cyber security is still not gaining the prominence or representation that it requires at Board level, although an increase in C-Suite visibility of cyber security issues was noted.
Key learnings
The cyber threat landscape is constantly evolving, so while there are occasional good news stories, there are also an increasing number of high-profile security incidents causing extreme financial loss, reputational damage and business failure. Email and human weakness are still the primary vectors by which threat actors gain access to an organisation’s infrastructure, finances and customers. So, what can you do to reduce your risk?
Any organisation can help itself by adopting a recognised security framework. For those starting out, the NCSC-sponsored Cyber Essentials and Cyber Essentials Plus standards are best suited to your needs, particularly if you’re a small-to-medium-sized business or a similar-sized charity. For those scaling up or requiring something more robust and internationally recognised, ISO27001 is suitable. Both frameworks support organisations in identifying and managing cyber risk across all areas of the organisation.
Senior leadership is needed to drive cultural change and improve security behaviours. The Board needs to have greater visibility and awareness of the cyber threat and its implications for their organisation. Whilst in larger organisations there may be a CISO, a dedicated security manager, or someone else with direct responsibility for cyber security, ultimately it is the Board’s responsibility to set the tone and the agenda.
Redcentric cyber services
Redcentric has a dedicated Cyber Security Services Team, and we provide a range of advisory services that can be tailored to meet customer-specific requirements. Whether you’re seeking to implement a specific framework and certify to the Cyber Essentials standards, security test your estate, or shape your wider security strategy to lead a transformation programme, we can assist you.
Contact us for a free 30-minute consultation with one of our cyber advisors and we will identify whether Redcentric can help you solve your security challenges.