Freely subscribe to our NEWSLETTER

This report presents two types of analysis: cross-sectional and longitudinal. The cross-sectional analysis focuses on the differences between all responding organisations from each wave and therefore acts as a snapshot of organisations’ status at a given time. The longitudinal analysis, in contrast, analyses the organisations that have completed multiple waves of the survey and enables greater understanding of the changes these organisations experience over time. The longitudinal analysis is covered at the end of this chapter and in detail in Chapter 9.

This report also provides additional insight from 30 follow-up qualitative interviews with survey respondents that covered topics such as cyber security resilience, awareness and usage of the Cyber Essentials standard, record keeping, internal and external reporting, responsibility for cyber security, and monitoring of supply chains. These are presented alongside reporting on quantitative findings.

Broadly, businesses have a more formalised set of processes and policies in place than charities. This is particularly true among large (250 – 499 employees) and especially very large firms (500 or more employees), who are much more likely to have sophisticated approaches to cyber security. This is likely to reflect their higher budgets and ability to maintain specific cyber security staff. However, it is important to note that, for many organisations, the board is under-engaged and many of the processes that are in place are less proactive.

Overall, organisations have shown improvements in their cyber resilience since the first wave of the study. However, between Waves Two and Three, their resilience profile has largely remained stable. As budgets are often stretched and priorities are shifted, organisations may be less likely to invest heavily in cyber security and this may help to explain the broadly stagnant position between Waves Two and Three.

Below is a more detailed summary of key findings from each chapter of this report. The survey results are subject to margins of error, which vary with the size of the sample and the percentage figure concerned. For all percentage results, subgroup differences by size, sector and survey answers have been highlighted only where statistically significant[footnote 1][footnote 2](at the 95% level of confidence).
Cyber profile of organisations

As technology continues to develop, it has changed the way that people work. Changes range from remote working and cloud computing through to the growing importance of Artificial Intelligence (AI). These new challenges have necessitated shifts in the way that organisations respond to cyber security.

Almost all businesses (96%) and charities (98%) have a cloud or physical server to store data. Although, compared to previous waves of this study, this proportion has remained stable, the underlying trends have shifted. Increasingly, physical servers are less likely to be used by businesses (76% in Wave Three compared to 81% in Wave Two and 82% in Wave One) and charities (60% in Wave Three compared to 72% in Wave One).

Charities are more likely than businesses (56% vs. 35%) to allow their staff to access their systems using a personal device. This has remained stable between the different waves of the survey. This is a good example of how charities tend to take a less formalised approach to cyber security than businesses. Further to this, given the lack of change between waves, it suggests that cyber security is not always a high priority for charities. In the qualitative phase, many respondents across businesses and charities noted that personal errors were likely to be the most common source of cyber breaches, suggesting that this topic is a vital area of improvement for organisations.

Mirroring the proportion of organisations that allow for access to systems with personal devices, businesses are also more likely than charities (81% vs. 69%) to require staff to use VPN for remote access, which has not dramatically changed compared to previous waves of the survey. Again, this suggests that businesses take a more formalised approach to cyber security.

However, it is also important to note that both businesses (23%) and charities (16%) are currently not likely to use AI or machine learning as a means to improve their cyber resilience, which has not changed between Wave One and Wave Three. This suggests that organisations have not moved towards taking on cutting-edge technology to help improve their cyber resilience. Further, given the potential for these technologies to help organisations to act proactively, it is indicative of organisations’ reactive mindset.
Cyber security policies

Given the speed of developments in the cyber security area, it is vital that organisations keep their policies and governance up to date to ensure they remain secure and build their resilience.

Respondents were asked about whether they have any of five best practice documents for cyber security governance: a cyber security business continuity plan, documentation to identify critical assets, a written list of IT vulnerabilities, a risk register, and a document outlining how much cyber risk they are willing to accept. Around nine in ten organisations have at least one of these five documents in place (89% of businesses and 92% of charities) This represents an improvement among businesses since Wave One. However, businesses are more likely than charities to have all five documents in place (22% vs. 16%). Although this is again indicative of businesses’ more holistic approach to cyber security, it also suggests most organisations still have room for improvement.

Since the first wave of the survey, an increased proportion of businesses have a business continuity plan that covers cyber security (76% in Wave Three vs. 69% in Wave One), a written list of their company’s vulnerabilities (61% in Wave Three vs. 54% in Wave One), and a risk register (55% in Wave Three vs. 48% in Wave One). However, there is little movement between Waves Two and Three. Charities by comparison are most likely to have a business continuity plan and risk register in place, which is consistent across waves.

The document that is least prevalent among organisations is a document outlining how much cyber risk organisations are willing to accept (33% among businesses, an increase compared to 26% at Wave One, and 29% among charities which is comparable to previous waves). Again, this indicates that organisations are not necessarily forward thinking in their planning for cyber security.

Businesses (69% in Wave Three vs. 61% in Wave Two and 53% in Wave One) and charities (79% in Wave Three vs. 66% in Wave One) are increasingly likely to have a cyber insurance policy. For businesses, this is most likely to be part of a broader insurance policy (43%), an increase on Wave Two (36%). Charities are also most likely to have a broad cyber insurance policy (46%), in line with previous waves (42% at both Wave One and Wave Two).

A majority of organisations have undertaken cyber security training or an awareness raising session, an increase on Wave One (59% of businesses in Wave Three vs. 48% in Wave One, and 62% of charities vs. 55% in Wave One). However, this has not changed substantively between Wave Two and Wave Three. This may indicate attempts among some organisations which have not put procedures in place to prevent their staff from accessing systems with their personal device, and to instead promote cyber security training and reduce human error.
Cyber security processes

In addition to updating their written policies and governance, organisations must also adapt their processes to ensure that they keep up with the changing cyber security environment. Respondents were asked about their adherence to three of the key cyber security certifications: Cyber Essentials Standard, Cyber Essentials Plus and ISO 27001.

For both businesses and charities, more than one-third of organisations (38% of businesses and 36% of charities) adhere to at least one of these certifications. This represents a consolidation of the increases observed since Wave One but is comparable to the results from Wave Two.

Compared to Wave One, adherence to Cyber Essentials has increased among charities (23% in Wave Three vs. 19% in Wave One) but remains consistent for businesses across all three waves. Whilst it has not shown a significant improvement between Wave One (15%) and Wave Three (19%), findings from the qualitative interviews suggest the ISO 27001 certification is considered by businesses to be the most robust and substantive accreditation available.

Consistent with previous waves of this survey, most organisations have put in place at least four of the five technical controls required to attain Cyber Essentials and around six in ten organisations (62% of businesses, 59% of charities) have all five. However, patch management (67% among businesses, 66% among charities) and user monitoring (58% of businesses, 55% of charities) remain the technical controls that organisations are least likely to have in place. There are two key implications of this: firstly, that organisations often do not invest in proactive measures and, secondly, that many organisations have put in place the controls required to attain Cyber Essentials but have not gained a full accreditation.

The proportion of businesses that have taken steps in the last twelve months to help identify risks to their cyber resilience has increased (90% in Wave Three, compared to 86% in Wave Two and 82% in Wave One). The proportion of businesses making changes in the last year to improve their cyber security has also increased since Wave One (85% vs. 79%), although it has remained consistent between Waves Two and Three (both 85%). This includes moves to integrate more proactive measures (for example, 54% of businesses have improved their patching systems), which suggests over time businesses are becoming more active in cyber security. This finding could potentially be worth further exploration in additional research.

Broadly speaking, approximately one-quarter of organisations (28% of businesses and 26% of charities, comparable to previous waves of the survey) have measures in place to evaluate the quality of their suppliers’ cyber security measures. This is a clear area for organisations to improve as it poses a significant gap in organisations’ cyber resilience profile.

Overall, of these measures, there is a clear trend between business size and the sophistication of their approach to cyber security. For example, very large businesses (500+ employees) are nearly twice as likely as businesses overall to adhere to the Cyber Essentials Plus standard (16% vs. 9%) and are much more likely to have put in place all five technical controls required to attain Cyber Essentials (79%, compared to 62%). This is likely a reflection of the greater resources that these businesses are able to dedicate to managing their cyber resilience.

Organisations that have a cyber security certification often have further checks in place on cyber security. For example, organisations that adhere to a cyber security certification are more likely to report having completed a supplier cyber security risk assessment in the last twelve months. This suggests that firms that seek a cyber security accreditation also take a wider more holistic approach to their security either through necessity or choice.
Board involvement

To ensure that organisations can maintain high levels of cyber resilience, it is vital that senior staff buy into the importance of cyber security. Indeed, there is some evidence that the presence of designated cyber responsibilities among senior staff is related to more robust cyber security processes. For example, around three-quarters (73%) of businesses and two-thirds (67%) of charities with one or more board members with oversight of cyber security have all five technical controls required to attain Cyber Essentials in place.

In Wave Three, approximately half of organisations (55% of businesses, 45% of charities) have a member on their board responsible for oversight of cyber security. More organisations (66% of businesses, 61% of charities) have a staff member that is responsible for cyber security that reports to the board. Among businesses this is an increase on Wave One (55%) but is comparable to Wave Two (61%).

Further to this, board-level cyber security training has increased for both businesses (50% in Wave Three compared to 35% in Wave One) and charities (38% in Wave Three compared to 28% in Wave One) but has remained consistent between Wave Two and Three. This training is most likely to be completed once a year, although for around one-third (31%) of businesses this board-level training happens several times a year.

While this suggests that the majority of organisations understand the value of cyber security, it is important to note that the proportion of organisations reporting regular board-level cyber security discussions is quite low. Only 43% of businesses and 37% of charities’ boards discuss cyber security at least quarterly. Among businesses this has decreased in Wave Three (from 37% in Wave One) but has remained quite stable for charities. This suggests that improving regular board engagement remains a key area of focus to help improve cyber resilience.

Again, large businesses are more likely to have greater levels of board engagement. For example, 66% of very large businesses with 500+ employees report that their board has received cyber security training. This continues to suggest that larger businesses are able to take a more sophisticated approach to cyber security.
Sources of information

To ensure that organisations can remain informed of security best practice, it is important that they are able to access up to date and relevant information.

The National Cyber Security Centre (NCSC) provides a range of information resources for both businesses and charities[footnote 3]. Use of NCSC resources is more common among charities (43%) than businesses (29%). This represents an increase between Wave One and Wave Three for both businesses (29% in Wave Three vs. 23% in Wave One) and charities (43% in Wave Three vs. 32% in Wave One) but is comparable to Wave Two. The lower usage among businesses potentially reflects their greater resources and access to external consultants.

Indeed, businesses are also more likely to report being influenced by external consultants since Wave One (53% vs. 47%). However, there is little change between Wave Two and Wave Three.

Since Wave One, more businesses (34% in Wave Three vs. 26% in Wave One) and charities (45% vs. 30%) report their actions on cyber security being influenced by their insurers.

Among those organisations that use NCSC information or guidance, for both businesses and charities, the most common guidance accessed is General Data Protection Regulation (GDPR) guidance (by 67% of businesses and 68% of charities), followed by the ‘“10 Steps to Cyber Security’ (by 62% of businesses and 64% of charities). This is consistent with previous waves of the survey.

In addition to this, among businesses, there has been an increase in usage of the Cyber Assessment Framework (57% in Wave Three vs. 41% in Wave One), NCSC weekly threat reports (45% vs. 32%), and Cyber Security Board Toolkit (34% vs. 23%).
Cyber incident management

Part of building organisations’ cyber resilience also relates to the management processes they have put in place for when a cyber incident happens.

A majority of organisations have a written procedure in place for responding to cyber security incidents (59% of businesses, 56% of charities). Among businesses, this represents an increase compared to Wave One (59% in Wave Three compared to 51% in Wave One), though it has remained consistent since Wave Two. For charities, there has been little change between waves of the survey. This suggests that there is still space for these management processes to become more formalised among charities in future.

Among those organisations that have written incident management procedures, the most common security area covered is guidance for reporting incidents externally (78% among businesses, 87% among charities). For businesses, this represents a decrease when compared to Wave Two (78% in Wave Three vs. 85% in Wave Two) but is in line with Wave One. There is also an increase in the proportion of businesses that have a communications and public engagement plan in place (from 55% in Wave One to 66% in Wave Three). For charities, the results in Wave Three are roughly comparable to previous waves of the survey.

Approximately half of businesses (46%) have tested their incident response policies within the last twelve months. This represents an increase from Wave One (46% vs. 37%). Around one-third of charities (34%) have tested their policies, which is in line with previous waves.
Prevalence and impact of cyber security incidents

Beyond simply getting a sense of organisations’ cyber incident response processes, it is also important to understand the prevalence of these incidents and the impact that they can have on organisations.

Three-quarters of businesses (75%) and around eight in ten charities (79%) have experienced a cyber security incident within the last twelve months. These findings are comparable across the three waves of the survey.

Despite this, the underlying data does show some change between waves. A higher proportion of charities experienced an attempted hacking of their website or social media accounts compared to Wave Two (18%, up from 11%). The equivalent proportion from businesses remained consistent across waves.

With regards to ransomware, the proportion of businesses that do not have a ransomware policy in place or are not sure whether they had one in place remained consistent with Wave Two. However, the proportion of charities who are unsure if a ransomware policy exists decreased in comparison to Wave Two (22% vs. 33%).

Broadly, organisations reported that most cyber security incidents only rarely cause a material loss (e.g., money or data). Only around one-quarter of businesses (23%) and charities (24%) experiencing incidents in the last year report material consequences. Further to this, most of these losses are short-term. Despite this, it is important to note that cyber incidents still have the potential to cause significant costs for organisations.
Longitudinal analysis

The longitudinal analysis is comprised of three components. First, a segmentation technique was used to group together organisations that used similar patterns of protective behaviours, policies and processes. It identified five distinct groups of organisations according to a combination of the number and types of protective practices used. The segmentation is based on robust cyber resilience requiring the adoption of technical and governance policies, procedures and tools to protect against incidents and mitigate impacts and outcomes. The five groups identified are:

High level of preparation: protection well above the average level on all activities.
Mostly prepared: mostly above average protection on all items but to a lesser extent than those in the ‘high’ level group.
Governance led: protection was around or above average for policy and procedures but low on technical responses.
Technical led: tended to have had recent improvements in network security, malware defence, authentication and secure backup but lower than average governance.
Low level of preparation: protection was low across all activities, except secure cloud backup.

Patterns of cyber security resilience were found to vary across organisations with some organisations using many practices, others few; some organisations rely more on governance procedures and others on technical practices.

The pathways of cyber resilience are not one way. Some organisations take a step back and lower their levels of resilience, others take a step forward and many remain at stable levels.

There is some evidence supporting the hypothesis that experiencing a cyber security incident acts as a trigger for improving resilience. However, this is not true for all organisations, as some experience an incident and show no change in their resilience or become less resilient. More needs to be known about the context and other factors influencing protective behaviours alongside experience of cyber incidents.

The second aspect of the longitudinal analysis looked at adherence to cyber security certifications or standards. The analysis found that:

Adherence to cyber security certifications or standards is quite low.
Adoption of adherence to certifications or standards is most prevalent amongst those with stronger patterns of resilience than those with less resilient protection. Similarly, losing adherence to accreditations or standards was less likely among more resilient organisations.
Businesses are more likely than charities to retain their adherence to accreditations or standards but no more likely to take up certifications.
Experience of a cyber security incident appears to trigger either a take-up of adherence to certifications or standards or retention of these, albeit among a minority of organisations.

The third and final part of the longitudinal analysis covered board representation. The main findings include:

Various board activities supporting cyber resilience exist, but substantial numbers of organisations do not appear to have much, if any, board engagement across these activities.
Board engagement involves both negative and positive steps but generally the trend is towards more engagement over time (i.e., in the follow-up wave interview). Improvement is more apparent for organisations with lower patterns of cyber resilience.
The experience of cyber security incidents again appears to trigger adoption of board activities and/or a lower rate of negative change in board engagement, although only for a minority of organisations that experience such incidents.

Andy Kays, Socura CEO comment:
“Some of these figures are scarcely believable, but as a Government controlled longitudinal survey, these may be some of the most realistic cybersecurity survey figures ever obtained in the UK. While other surveys may skew towards positive and sensational results, tracking the same 1000 businesses over several years shows the grim reality that many UK businesses are not prioritising cyber security, or are making changes to their security posture at a glacial pace.

“In the last year, only half of UK board members have had security training, only a quarter of businesses are assessing suppliers for possible security risks, and a fifth of UK boards failed to discuss cyber security even once. Only 17% of businesses are cyber essentials certified, which is one of the lowest bars for measuring security best practice. These figures are all far from perfect.

“In a way, I think the most positive statistic in the whole survey is the fact that more than half of UK businesses say they rely on external consultation for security. Their reliance on trusted third-party security service providers and vendors may be a factor in the generally poor standards of internal security development.