UK firms are adapting to cyber security threats “at a glacial pace”

UK businesses are investing in cyber security capabilities “at a glacial pace”, according to an industry expert. 

Andy Kays, CEO of Socura, said a recent government-led survey on enterprise security capabilities paints a stark picture of the current state of cyber readiness across the country.

Three-quarters of medium and large businesses in the UK were hit by a security incident in the last year, the survey found, prompting concerns over the ability of firms to contend with escalating threats.

“Some of these figures are scarcely believable,” Kays said.

“While other surveys may skew towards positive and sensational results, tracking the same 1000 businesses over several years shows the grim reality that many UK businesses are not prioritizing cyber security, or are making changes to their security posture at a glacial pace.”

His comments follow the publication of the government’s third annual Cyber Security Longitudinal Survey, which showed there was little improvement in cyber resilience between 2022 and 2023.

The survey found that only 60% of businesses have a written procedure in place for responding to cyber security incidents while just half said they’ve tested incident response policies within the last 12 months.

Meanwhile, only a third of medium businesses adhere to a standard or accreditation related to cyber security - most commonly ISO 27001 at 18% and Cyber Essentials at 17%. 

Only 7% adhered to the Cyber Essentials Plus standard.

Over the last year, a quarter of medium businesses carried out work to formally assess or manage the potential cyber security risks presented by their suppliers or partners, with most that had taken action saying they'd set minimum cyber security standards in supplier contracts.

However, over two-thirds said they'd improved network security, with a similar proportion improving processes for user authentication and access control and improving malware defenses.

Cyber security shouldn't just be a reactionary function

A key concern highlighted in the study is that smaller businesses appear to be disregarding proactive efforts to bolster security.

Many, it found, are focusing more on reaction and response as opposed to preventative measures, which it said is a trend that must be addressed.

"Both businesses and charities are less likely to take steps that would keep their organizations safe in future and instead have built policies and procedures to handle their response to cyber security incidents," the report said.

It added that "challenging this mindset is potentially a major obstacle for government bodies to address".


Larger businesses have performed better with regard to security, as expected.

Around 40% said they have worked to assess or manage supplier risks, and nearly half adhere to cyber security standards. Only 15% said they adhere to the Cyber Essentials Plus standard, however.

The majority are nonetheless improving preventative capabilities, with 80% upping network security while three-quarters have improved malware defenses or processes for user authentication and access control.

Nearly two-thirds (60%) have improved the way they monitor systems or network traffic, bolstered processes for managing cyber security incidents, or improved processes for updating and patching systems and software.

"Large businesses have a more sophisticated approach to cyber security. As noted above, medium-sized firms find it challenging to keep pace with developments in cyber security," the study noted.

"Large businesses, with their greater access to resources, find it easier to keep developing their processes."

William Wright, CEO of Closed Door Security, echoed Kays’ comments, noting that while it’s positive to see some measures being taken by organizations, many still view cyber security as an afterthought.

"The data shows that while many organizations are taking steps to expand or improve their defenses over the next year, there is still a large gap in terms of cyber featuring in board and wider company decisions," he said.

"Organizations must move away from treating cyber as an IT issue. It impacts every single business area, so it needs to feature in almost all business decisions."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.