Cyber attacks on businesses and charities remain HIGH

19th December 2022

New report reveals the risk of cyber attacks on businesses and charities remains dangerously high.

Businesses and charities are still leaving themselves dangerously wide open to cyber attacks, a major new report has concluded.

The Cyber Security Longitudinal Survey (CSLS) is published by the Government and you can read it in full here.

It aims to better understand the cyber security policies and processes within medium and large businesses and high-income charities, and to explore the links over time between these policies and processes and the likelihood and impact of a cyber incident.

Among the key conclusions were:

Overall, the cyber resilience profile of organisations continues to vary between businesses and charities as well as by business size and sector.

Businesses are more likely than charities to have formal, written cyber security policies and processes in place. Large businesses (250+ staff), and particularly very large businesses (500+ staff), demonstrate greater cyber maturity compared to medium businesses and charities.

However, overall, organisations’ approach to cyber is likely to be more reactive than proactive, with many struggling to get senior level buy-in to improve their cyber defences.

Almost all businesses and charities (98% and 97% respectively) use a cloud-based or physical server to store data or use a virtual private network (VPN) that allows staff to connect remotely.

Around eight in ten businesses (82%) and charities (75%) with a VPN require their staff to use it when accessing the organisation’s network or files from outside the workplace. The requirement is most strongly enforced among businesses that have a specific cyber security insurance policy.

Although more businesses use physical than cloud-based servers, the opposite is true among charities, where there remains greater adoption of cloud-based data storage. Eight in ten charities store data or files in the cloud.

Businesses employ more controls than charities in terms of how staff access their network when working remotely. A majority of charities (54%) allow access via personally owned devices, compared to around one in three businesses (36%).

Approximately nine in ten organisations (86% of businesses and 91% of charities) have in place at least one of the five documents considered part of an effective cyber security strategy.

In the last twelve months approximately six in ten businesses (58%) and charities (62%) have delivered cyber security training or awareness raising sessions specifically for staff and/or volunteers who are not directly involved in cyber security. This represents an increase from a previous survey (48% and 55% respectively).

The majority of both businesses and charities took steps to improve their cyber defences and, over the past twelve months, almost nine in ten businesses (85%) and charities (86%) have taken at least one action to expand or improve an aspect of their cyber security. For businesses this represents an increase from a previous survey (79%). Charities are as likely as businesses to have made efforts to expand or improve aspects of their cyber security, although they are less likely than businesses to have strengthened the way they monitor systems or network traffic.

However, fewer than three in ten businesses (26%) or charities (28%) have formally addressed the potential cyber security risks associated with their suppliers/partners. These findings were in line with the baseline survey.

Commenting on the findings, Roy Shelton, the CEO of the Connectus Group, said: “This report throws up some really alarming details about the gaps many businesses still have in their armoury when it comes to cyber attacks. Since the pandemic the risk has grown and the danger of falling victim to a cyber attack has never been higher.

The fact nearly half of businesses polled have not delivered training underlines the neglect some are paying with regards to this issue. It’s also concerning to see so many businesses properly engaging with their suppliers to make sure they are up to date with cyber security measures. This report illustrates the opportunity that exists for the Connectus Group to continue help providing our services to business support which will, in turn, help safeguard them from attacks in 2023.”