Cyberattacks on UK businesses and charities rose markedly last year, says the government. According to its annual Cyber Security Breaches Survey, half of all businesses and a third of charities were the victims of some form of breach in 2023 – up from 32% and 24% respectively the previous year. The survey also found that, of those companies targeted, large (74%) and medium-sized firms (70%) were more likely to be breached, with phishing attacks constituting the most common vector of attack. 

Despite these figures, the government said that the overall cybersecurity context for UK businesses is more stable than it has been in previous years, not least given the easing of economic pressures like inflation in recent months. “Organisations have faced significant challenges in recent years related to the COVID pandemic and the economic climate,” it wrote. “In last year’s survey, smaller organisations in particular highlighted rising costs and challenges with financial planning, due to high inflation, higher energy prices and overall economic uncertainty. This may have resulted in cyber security falling as a priority, relative to these wider concerns.” 

The latest Cyber Security Breaches Survey conducted by the UK government found that half of all UK businesses had been victim to some form of cyberattack, the vast majority of which appear to be attempts at phishing staff or service providers. (Photo by wk1003mike / Shutterstock)

UK businesses slow to report breaches

The survey also concluded that, while UK businesses continue to invest in cybersecurity solutions, most do not have a formal incident response plan. Overall, only 22% of firms and 19% of charities have them, though this percentage rises to 73% and 50% for large businesses and high-income charities respectively. This is in spite of the fact that at least 93% of medium-sized businesses and 98% of larger firms stated that cybersecurity remained a high priority. 

It also remains unlikely that businesses will report a breach to the relevant authorities, with only 34% of firms and 37% of charities bothering to do so. “Many of these cases simply involve organisations reporting breaches to their external cyber security or IT providers and no one else,” said the survey.

This may be because 91% of charities and 92% of businesses polled said that they were able to restore their operations within 24 hours of a disruptive breach, pointing to the relative unsophistication of the vast majority of cyberattacks. Nevertheless, a growing number of organisations do seem to be investing in policies and protections in case one of these attempts upon their systems proves wildly successful. The percentage of businesses taking out cyber insurance, for example, has risen from 37% to 43% year on year, while 63% of medium-sized firms and 71% of large businesses now deploy security monitoring tools.

Phishing most common attack

Up to 90% of businesses and 94% of charities identified social engineering attacks as the most common form of cyberattack, with non-phishing attacks like ransomware and distributed denial of service (DDoS) attacks constituting only 2% of incidents, or an estimated 116,000 cases. Despite their relatively pedestrian reputation among cybersecurity experts, social engineering attacks can still have devastating consequences for individual businesses, warned Chris Roeckl, chief product officer at Appdome.

“The brand damage and financial repercussions of these attacks on businesses are staggering, costing billions in investigations, remediation, refunds, and potential regulatory penalties,” said Roeckl. “The personal emotional pain and financial loss to victims can be tremendous. It’s imperative for brands to counteract these social engineering tactics decisively.”

The ability to automate and refine phishing and vishing attacks using generative AI will only increase the burden on the UK private sector, he added. “The reality we face is stark,” said Roeckl. “Continuous growth in attacks is inevitable.” 
