UK firms are failing miserably at data breach responses


UK businesses are woefully poor at dealing with cyber breaches, according to a new government survey. 

The government’s annual Cyber Security Breaches Survey found that while more than half of firms experienced a cyber attack or breach over the last 12 months, nearly four-in-ten said they’d taken no action whatsoever in response to the incident.

The study showed that seven-in-ten medium-sized businesses fell victim to a breach, along with three quarters of large businesses and around a third of charities.

However, the report uncovered poor practices among many organizations, with few implementing proactive measures to contend with rising security threats.

Only 22% of businesses and 19% of charities have a formal incident response plan, the study found. Meanwhile, just over half (55%) of medium-sized firms have any formal response procedures.

Larger enterprises fared better in this regard, the study noted, with 73% revealing they have a formal incident response plan.

Andy Kays, CEO of threat detection and response firm Socura, said the survey raises serious questions about the ability of UK companies to contend with an increasingly perilous threat landscape.

"Only a fraction of UK businesses have any kind of formalized incident response plan, which I find astounding," he said.

"In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident. They are failing to do the bare minimum. It’s also important to note that businesses are doing very little to prevent or detect breaches in the first place."

The most common type of attack identified by the survey was phishing, hitting 84% of businesses and 83% of charities. More than a third, meanwhile, were breached thanks to others impersonating organizations in emails or online, while 17% of businesses and 14% of charities were affected by viruses or malware.

A key concern highlighted by the survey was the lack of awareness training for employees in the last year. Only 18% of respondents said they’d provided any training on security threats.

Only one-third of respondents said they employ techniques such as two-factor authentication for employees.

Mike Newman, CEO of My1Login, said that while many businesses focus on password policies to protect employees, these often fail to address underlying issues such as a lack of awareness, or the ability for sophisticated threat actors to manipulate users into divulging sensitive information.

"The majority of businesses appear to focus on password policies on users, believing this will help protect them against phishing. But this is not the case," he said.

"When users are aware of passwords, they can still easily be tricked into handing them over to phishing scammers, so it is not a true defense against the attack vector, especially in the age of AI-generated phishing scams."

There is some good news, with businesses having slightly improved their defenses since 2023.

A majority (83%) are now using up-to-date malware protection, up from 76% the previous year, while the share restricting admin rights has risen from 67% to 73%.

Three quarters are now using network firewalls, up from 66% last year, and 54% have agreed processes for phishing emails, up from 48%.

One rather puzzling aspect of the report is its evaluation of the cost of a breach.

According to the report, the single most disruptive breach from the last 12 months cost each business, of any size, an average of £1,205, rising to £10,830 for medium and large businesses. For charities, it was around £460.

"This will cause alarm bells, not because of its significance, but because of its insignificance and potential inaccuracy," said William Wright, CEO of Closed Door Security.

"It could also leave business leaders wondering why they should invest in cyber security when the hit is so manageable."

The answer seems to be that the report relies on self-reporting and is more skewed towards smaller businesses than reports such as IBM’s Cost of a Data Breach study, which found that the average breach costs organizations more than $4 million.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.