Message-based threat is by far the most prevalent form of attack, annual study from DCMS concludes

The proportion of UK businesses that were hit by a cyberattack remained steady at 39% in the past year, with phishing attempts representing by far the biggest threat.

The UK Government’s Cyber Security Breaches Survey, which has been charting the cyber resilience of UK businesses and charities since 2016, found that more significant threats, such as malware or ransomware attacks, were significantly less prevalent than phishing. A fifth of those that suffered an attack claimed to have been exposed to the more serious breaches – compared with 83% that suffered a phishing attack.

This means that about one in three of all UK businesses suffered phishing attempt last year.

Among those that reported any form of attack, 31% of businesses and 26% of charities estimated that they were attacked at least once a week over the course of the year. About one in five organisations in each sector said they experienced a negative outcome as a direct consequence of an attack.

Department for Digital, Culture, Media and Sport analyst Maddy Ell said UK organisations are now placing greater importance on cybersecurity than in any other year the survey has been carried out.

“In the qualitative interviews it was found that this was driven by a good high-level understanding at the senior level of the risks cyberattacks pose,” she said. “This, coupled with the use of board sponsors and cyber security experts enabled organisations to practice good cyber hygiene.”

Related content

• Revealed: Cabinet Office signed deal last month for ‘immediate cyber incident response’
• Government proposes tougher cyber laws for IT outsourcers
• ICO examining ‘serious cybersecurity incident’ at FCDO

However, she added that gaps remain, with fewer than one in five organisations having a formal incident management plan in place to deal with a breach.

There is a lack of technical expertise within smaller organisations and at the senior level within larger organisations and there is also a lack of “commercial narrative to effectively negotiate a cyber security budget against other competing organisational priorities”, she said.

“The findings from this year’s survey demonstrate that there is room for improvement in many elements of organisations’ cyber hygiene,” Ell added. “It is clear that cyber resilience is highly influenced by board behaviours. Though the high-level prioritisation of cyber security amongst boards is high, this does not translate into high expertise. Furthermore, cyber and IT staff are unable to justify the business case for cyber security, which impacts ability to make effective cyber security decisions.

“This means investments are often not made into key areas that enhance organisations’ cyber security. This leads to a reactive approach to cyber incidents as opposed to a proactive approach in limiting cyber risk. This is an area we will closely monitor in future years of the survey.”

Earlier this month, Scottish Government justice secretary Keith Brown revealed that the number of crimes reported across the country rose sharply in the year to April 2021, with a total of 403 recorded by Police Scotland, up from 57 the previous year. In 1999-00 there was just one recorded case, with the total remaining below 100 in each year between then and 2020-21.

Of the total in the 2020-21 financial year, 331 incidents fell under sections one and two of the Computer Misuse Act, meaning they were the result of perpetrators gaining unauthorised access to someone else’s computer. The remaining 72 incidents fell under section three of the act, meaning whoever accessed the computers had attempted to make modifications to them.