Cyber security longitudinal survey - wave four results
Published 6 February 2025
The Cyber Security Longitudinal Survey (CSLS) is a multi-year longitudinal study, which follows the same organisations over time. It aims to better understand cyber security policies and processes within medium and large businesses and high-income charities, and the extent to which these organisations change and improve over time.
It will also explore the links over time between these policies and processes and the likelihood and impact of a cyber incident to quantify specific actions resulting in improved cyber incident outcomes.
This is the fourth research year, and therefore the main objective of this report is to establish any significant changes between the first, second and third research years. The quantitative survey was carried out in July-October 2024 and the qualitative element in September 2024.
Executive summary
Introduction
The purpose of the Cyber Security Longitudinal Survey (CSLS) is to investigate the change over time in organisations’ cyber security policies and processes, as well as looking at the relationship between these changes and the impact of cyber security incidents. This report covers the findings from the fourth wave of a multi-year survey, including comparisons to previous waves of the research (Wave One from 2021, Wave Two from 2022, Wave Three from 2023). It also summarises the differences between businesses and charities within Wave Four of the study, along with descriptive summaries for different sub-groups.
Participants in the study include medium (50-249 employees) and large (250+ employees) UK businesses and high-income charities (annual income of more than £1 million). The main stage survey for Wave Four took place between July and October 2024. Qualitative interviews were conducted between September and October 2024.
This report presents quantitative and qualitative cross-sectional analysis. The cross-sectional analysis focuses on the differences between all responding organisations from each wave and therefore acts as a snapshot of organisations’ status at a given time. This report does not attempt to report on longitudinal data as an ‘exploratory’ analysis of this data was conducted separately at Wave Four.
This report also provides additional insight from 30 follow-up qualitative interviews with survey respondents. These interviews explored cyber incidents, uptake of government products, cyber security policies, cyber security processes, cyber security budgets and understanding cyber security behaviour change, details of which can be found in the methodology. These are presented alongside reporting on quantitative findings.
Key findings
As the cyber threat landscape constantly evolves, it is imperative for businesses to establish clear cyber security policies and implement robust practices to ensure their ongoing protection. This report outlines critical aspects of cyber security that organisations must consider when evaluating their cyber security posture. Key findings from the report are as follows:
Prevalence and impact of cyber incidents
- A majority of medium and large organisations (79% of businesses and also 79% of charities) have experienced some form of cyber incident in the past 12 months. This highlights the continued importance of a robust cyber security posture to protect from these incidents
- Phishing remained the most common type of cyber incident, with 74% of businesses and 72% of charities reporting they experienced a phishing incident in the past 12 months
- People impersonating staff in emails or online is more prevalent since Wave Three, particularly for businesses (up from 43% in Wave Three to 56% in Wave Four) but also for charities (up from 38% in Wave Three to 46% in Wave Four)
- The proportion of businesses that experienced hacking or attempted hacking of online bank accounts also increased year-on-year (up from 3% in Wave Three to 6% in Wave Four), as well as amongst charities (up from 4% in Wave Three to 6% in Wave Four)
- Fewer businesses stated they had takeovers or attempted takeovers of their website, social media or email accounts year-on-year (down from 15% in Wave Three to 10% in Wave Four), as well as charities (down from 18% in Wave Three to 9% in Wave Four)
- Of those businesses that experienced incidents, fewer businesses reported cyber incident impacts year-on-year (down from 54% in Wave Three to 36% in Wave Four), as well as fewer charities (down from 55% in Wave Three to 42% in Wave Four)
- However, more charities reported incident impact than businesses (42% of charities vs 36% of businesses)
Organisations’ cyber policies and processes
- More businesses had Cyber Essentials Plus than in the first three waves (15% Wave Four, 9% Wave Three, 11% Wave Two, 8% Wave One), as well as more charities (12% Wave Four, 8% Wave Three, 9% Wave Two, 7% Wave One)
- A higher proportion of businesses (45%) compared to charities (35%) held at least one of the following accreditations: ISO 27001, Cyber Essentials, or Cyber Essentials Plus
- Notably, the adoption of ISO 27001 was significantly higher among businesses (15%) compared to charities (9%)
- More businesses stated that they use a cloud server that stores data or files than a physical server (79% in Wave Four compared to 72% Wave Three, 70% Wave Two and 68% Wave One), as well as more charities (88% in Wave Four compared to 86% Wave Three, 80% Wave Two and 77% Wave One)
- Compared to Wave Three, more businesses reported that they have not done anything to identify cyber security risks (15% have done nothing to identify cyber security risks in Wave Four compared to 10% doing nothing in Wave Three) as well as more charities (19% in Wave Four and 11% in Wave Three)
- The proportion of businesses that carried out a formal assessment of suppliers has decreased year-on-year (28% Wave Three vs 23% Wave Four) as well as fewer charities (26% Wave Three vs 23% Wave Four)
Understanding cyber security behaviour change
- Participants described their individual roles within teams dealing with cyber security as multifaceted and often broadly defined, which can lead to a diffusion of cyber responsibility.
- Medium-sized businesses, often facing resource limitations, consolidate cyber security responsibilities within a single staff member, small team, or outsourced entity
- Advice from external cyber security experts was noted as the most frequently cited influence for improving the organisation’s cyber security posture in both businesses (61%) and charities (58%)
- More organisations in Wave Four (33% of businesses and 41% of charities) said that regulators had an impact on their cyber security than Wave Three (21% of businesses and 27% of charities)
- Similarly, more organisations in Wave Four (29% of businesses and 36% of charities) said that auditors had an impact on their cyber security than Wave Three (21% of businesses and 26% of charities)
- Despite widespread efforts to enhance cyber security skills among staff, participants in the qualitative study consistently identified human error as a significant vulnerability in preventing cyber security incidents
- Both direct experiences, such as phishing incidents, and indirect experiences, such as industry news and events, can affect an organisation’s cyber security engagement levels
Cyber security budget and board involvement
- Almost half (44%) of large businesses stated that they had increased their cyber security budgets over the past 12 months, more than medium businesses (34%)
- Despite this, a majority (83%) of large businesses believed their current cyber security budgets were sufficient. This suggests that while current budgets are viewed as sufficient, larger businesses remain more aware of the need to stay ahead of cyber threats and are investing accordingly
- Businesses in Wave Four were more likely to have one or more board members responsible for cyber security risks than in all three previous waves (61% compared to 50% Wave One, 54% Wave Two, 55% Wave Three)
- Large businesses were more likely to discuss cyber security with the board quarterly or more often (62% vs 48% of medium-sized businesses) while medium-sized businesses were more likely to discuss one to two times a year than large businesses (24% vs 14%)
1. Introduction
1.1 Background to the research
The Department for Science, Innovation and Technology (DSIT) commissions the Cyber Security Longitudinal Survey (CSLS), a study composed of businesses, which are divided into medium (50-249 employees) and large enterprises (250+ employees)[footnote 1], and high-income charities (annual income of more than £1m). In turn, large businesses consist of both large (250-499 employees) and very large businesses (500+ employees). The findings will evaluate long-term links between the cyber security policies and processes adopted by these organisations and the likelihood and impact of a cyber incident. The study also supports the government in shaping future policy in this area, informing future government cyber interventions and supporting future strategies with quality evidence.
This report is based on Wave Four (2024) of a multi-year study. This study has collected longitudinal data from 2021 (Wave One), 2022 (Wave Two) and 2023 (Wave Three). Due to the longitudinal nature of the study, the aim is to track trends over time and, wherever possible, speak with the same organisations in each wave. The design of this research was influenced by a study the Department for Digital, Culture, Media and Sport (DCMS) previously commissioned to investigate the feasibility of creating a new longitudinal study of large organisations.
The core objectives of this study are to:
- Explore how and why UK organisations are changing their cyber security profile and how they implement, measure, and improve their cyber defences
- Provide a more in-depth picture of larger organisations, exploring topics that are covered in less detail in the Cyber Security Breaches Survey (CSBS), such as understanding drivers of change in relation to cyber security, awareness and uptake of government guidance and budgetary constraints in relation to implementing cyber security policies
- Explore the effects of actions adopted by organisations to improve their cyber security on the likelihood and impact of a cyber incident
While the overarching methodology of this study is to analyse longitudinal data, this report focuses on the cross-sectional data. At Wave Four, DSIT and Ipsos are using the Wave Four longitudinal data for exploratory research; see section 1.4 for further details.
1.2 Difference from the Cyber Security Breaches Survey
This study differs from the CSBS in multiple important aspects. Firstly, it uses a longitudinal approach, where the aim is to track changes in cyber resilience over time, whereas the CSBS uses a cross-sectional sample that provides a snapshot of cyber resilience. This four-year longitudinal study (CSLS) collects data from the same organisation (businesses or charities) on more than one occasion (up to four points in time) to analyse the link between large and medium organisations’ behaviours towards cyber security and the extent to which they influence the likelihood and impact of experiencing an incident over time. This report focuses on the cross-sectional part of CSLS as the Wave Four longitudinal data was used for exploratory research – see section 1.4 for further details. In comparison, the results from CSBS provide a static view of cyber resilience, cyber threats organisations face and the actions they are taking to stay secure at a given time.
Secondly, the CSLS focuses only on medium and large businesses, and high-income charities whereas the CSBS includes businesses of all sizes, all charities, and educational institutions. As CSBS is representative of all organisation sizes it is considered an official government statistic. Therefore, for overall statistics on cyber security, results from CSBS should be used.
Additionally, different questions are used, so while there are some similarities in the questions and topics covered by the two surveys, results are not comparable. Further detail on overlapping questions can be found in the Cyber Security Longitudinal Survey Wave Four Technical Report. Please visit the gov.uk website to see publications of the Cyber Security Breaches Survey.
1.3 Changes in wave four versus waves one to three
For Wave Four of the Cyber Security Longitudinal Survey, the Department for Science, Innovation and Technology (DSIT) identified a number of new priority areas of focus. The new priority areas were:
- Driving behaviour change – understanding what the key turning points are for organisations changing their behaviours towards cyber security
- Government products – better understanding the uptake and use of products and interventions of government products and how this relates to organisations changing their behaviour towards cyber security
- Budgetary constraints – better understanding the budgetary constraints within organisations to implement best practice cyber security policies
With these changes in priority, the quantitative questionnaire changed substantially in Wave Four to allow new questions to be added. Further detail on which questions were removed and added can be found in the Technical Report.
The COM-B (Capability, Opportunity, Motivation, Behaviour) behavioural science approach was introduced in the Qualitative arm of the survey. COM-B provided a structured way of understanding the mechanisms underpinning behaviour and what needs to be changed subsequently to facilitate optimal engagement with cyber security practices, processes and policies. Further details can be found in the Technical Report.
1.4 Longitudinal analysis and cross-sectional analysis
For Wave Four of the Cyber Security Longitudinal Survey, the Department for Science, Innovation and Technology (DSIT) and Ipsos have agreed to do exploratory research into the themes and trends among the longitudinal sample. This exploratory research covers key themes, drawn out during discussions between DSIT and Ipsos, that will help policy makers understand cyber resilience, how it changes over time and its relationship to other activities and experiences faced by organisations that broadly relate to cyber circumstances.
The longitudinal data collected also affords the opportunity to understand how a particular activity, such as acting on NCSC guidance, changes over time. For example, comparisons of the average number of organisations taking NCSC guidance at two time points can be supplemented by the number who move from not taking advice in one year to taking advice in the successive year. Conversely, we can also identify the number taking advice in one year who stop taking advice in the next year.
As the analysis done for the longitudinal arm is exploratory for Wave Four, the rest of this report is based on the cross-sectional data only. Further detail on how the longitudinal data is analysed can be found within the Technical Report.
1.5 Methodology
There are two strands to the Cyber Security Longitudinal Survey. First, Ipsos undertook a random probability multimode[footnote 2] (telephone and online) survey covering 674 businesses and 548 UK registered charities between July and October 2024[footnote 3]. Of these, 965 interviews (79%) were completed via telephone and 257 interviews (21%) were completed through the online survey option. The data for businesses and charities have been weighted to be statistically representative of these two populations. Subsequently, 30 in-depth interviews were conducted in September and October 2024, to gain qualitative insights from some of the organisations that participated in the quantitative survey.
This longitudinal study tracks changes over time by attempting to follow the same organisations in all four annual waves. In Wave Three, 724 organisations (464 businesses and 260 charities) agreed to be recontacted in Wave Four. Data for Wave Four includes 26% (321 interviews) of completed interviews that were part of the longitudinal sample, comprising 192 interviews with businesses and 129 with charities. While only 26% of the organisations that completed interviews took part in both Wave Three and Wave Four, findings are still comparable between both waves.
In addition to the organisations that had participated in the study in previous years, the survey was issued to businesses and charities that had not taken part previously. 74% (901 interviews) of the achieved sample in Wave Four came from fresh sample, comprising 482 interviews with businesses and 419 with charities. This allowed the survey to maintain a strong overall achieved sample size and, as such, ensure that robust analysis could be completed from this research and allow more detailed longitudinal analysis in future waves. To avoid possible selection bias, the ‘fresh’ business sample was selected using random probability sampling. The business sample was proportionally stratified by region, and disproportionately stratified by size and sector.
More technical details, including methodological notes for the longitudinal analysis and a copy of the questionnaire, are available in the separately published Technical Annex.
1.5.1 Profile of survey respondents
Figure 1.1.1: Businesses and charities overall (weighted %)
Percentage of the sample that were businesses and charities
Organisation type | % |
---|---|
Businesses | 55% |
Charities | 45% |
Base: All businesses (n=674); All Charities (n=548)
Figure 1.1.2: Businesses size breakdown – makeup of businesses that responded (weighted %)
Business size | % |
---|---|
Medium Businesses | 80% |
Large Businesses | 9% |
Very Large Businesses | 9% |
Base: Medium businesses (n=456); Large Businesses (n=92); Very Large Businesses (n=116)
Figure 1.2.1: Businesses breakdown by region (weighted %)
The distribution of responding businesses by UK regions and nation
Region | % |
---|---|
North East | 2% |
Yorks and Humberside | 8% |
East Midlands | 7% |
Eastern | 11% |
London | 13% |
South East | 13% |
South West | 9% |
Wales | 4% |
West Midlands | 9% |
North West | 10% |
Northern Ireland | 3% |
Scotland | 10% |
Base: All businesses (n=674). Businesses in East Midlands (n=50); Eastern England (n=70); London (n=70); North East (n=16); North West (n=68); Northern Ireland (n=21); Scotland (n=64); South East (n=93); South West (n=63); Wales (n=26); West Midlands (n=61); Yorkshire and Humberside (n=52).
Figure 1.2.2: Charities breakdown by nations (weighted %)
The distribution of responding charities by UK nations
Nation | % |
---|---|
England and Wales | 82% |
Northern Ireland | 3% |
Scotland | 15% |
Base: All Charities (n=548); Charities in England and Wales (n=448); Northern Ireland (n=17); Scotland (n=83).
Figure 1.3: Businesses breakdown by sector (weighted %)
Distribution of responding businesses by sector
Sector | % |
---|---|
Manufacturing | 16% |
Retail or wholesale (including vehicle sales and repairs) | 14% |
Administration | 12% |
Professional, scientific or technical | 11% |
Health, social care or social work (excluding NHS) | 10% |
Food or hospitality | 9% |
Information or communication | 7% |
Construction | 5% |
Transport or storage | 5% |
Finance or insurance | 3% |
Education (excluding public sector schools, colleges and universities) | 2% |
Arts or recreation | 2% |
Utilities or production | 1% |
Real estate | 1% |
Service or membership organisations | 1% |
Base: All businesses (n=674); Administration (n=90); Real Estate (n=12); Construction (n=30); Education (n=13); Service and membership organisations (n=24); Finance and insurance (n=28); Food and hospitality (n=38); Health, social care and social work (n=81); Information and communication (n=56); Manufacturing, utilities and production (n=102); Utilities and production (n=4); Professional, scientific and technical (n=74); Retail and wholesale (n=86); Transport and storage (n=36).
1.5.2 Profile of qualitative respondents
Thirty follow-up interviews were carried out with representatives of organisations covered by the survey. They were selected in order to provide the following profile:
Table 1.1: Profile of qualitative respondents
Category | Definition | Achieved |
---|---|---|
Organisation type | Businesses | 20 |
Organisation type | Charities | 10 |
Size (employees) (Businesses only) | Medium (50-249) | 14 |
Size (employees) (Businesses only) | Large (250+) | 6 |
Sector (Businesses only) | Broad mix of sectors | 20 |
Region (Businesses only) | Broad mix of regions | 20 |
1.6 Interpretation of quantitative findings
The survey results are subject to margins of error, which vary with the size of the sample and the percentage figure concerned. For all percentage results, subgroup differences by size, sector and other survey answers have only been highlighted where they are statistically significant[footnote 4] (at the 95% level of confidence).
There is a guide to statistical reliability in the technical report.
For the purposes of analysis, businesses are divided into medium (50-249 employees) and large enterprises (250+ employees)[footnote 5]. In turn large businesses consist of both large (250-499 employees) and very large businesses (500+ employees). All charities included in the survey have a reported annual income of at least £1 million according to national charity regulator sample data.[footnote 6]
Where base sizes are noted as smaller than 50, they should be treated with caution.
1.7 Interpretation of qualitative findings
The qualitative findings in this report are intended to provide insight into the behaviours, views, and experiences of a range of businesses and charities. As part of the changes in Wave Four, Ipsos introduced the COM-B behavioural science approach to help understand behaviour changes. This research did not set out to determine the prevalence of these behaviours, views, and experiences.
Where the report indicates that ‘few’, ‘some’, or ‘many’ businesses and charities experienced or felt something, this is in relation to the research participants only. Findings cannot be considered representative of the entire UK business and charity population and should not be interpreted as generalisable to the entire business population.
1.8 Acknowledgements
Ipsos and DSIT would like to thank all the organisations and individuals that participated in the survey. We would also like to thank the organisations that endorsed the fieldwork and encouraged businesses and charities to participate, including:
- Tech UK
- Association of British Insurers
- Institute of Chartered Accountants in England and Wales (ICAEW)
2. Prevalence and impact of cyber incidents
This chapter explores the type and frequency of cyber incidents that organisations have experienced over the last twelve months. It also discusses the impact that these incidents have on organisations. Understanding the occurrence of cyber incidents and the impact that they cause are fundamental to understanding an organisation’s experience of, and stance on, cyber security.
The official government statistics on cyber incidents should be taken from the CSBS. Results from the CSLS are focused on medium and large businesses, and high-income charities.
While the prevalence and outcomes of cyber incidents remain stable wave on wave, there has been a significant decline in the impact of cyber incidents on organisations. Key findings of greatest note are:
- Two types of activity dominated organisations’ experience of cyber security incidents: phishing (74% amongst businesses and 72% among charities) and where people are impersonating the organisation in emails or online (56% amongst businesses and 46% amongst charities). Impersonations had significantly increased for both businesses (from 43% in Wave Three to 56% in Wave Four) and charities (from 38% in Wave Three to 46% in Wave Four)
- Almost two thirds of businesses (64%) and six in ten charities (58%) reported incidents as having no impact on their organisation which is a significant shift compared to Wave Three (46% amongst businesses and 45% amongst charities).
2.1 Prevalence of cyber incidents
Around eight in ten businesses and charities (79%) reported they had experienced some form of cyber security incident over the last twelve months. As summarised in Figure 2.1 there is an upward trend among businesses experiencing some form of cyber security incident year on year, though this is not statistically significant.
Figure 2.1: Prevalence of any cyber security incidents (including phishing attacks)
Have any [types of cyber security incidents] happened to your organisation in the last 12 months? (% yes)
Wave | Businesses | Charities |
---|---|---|
Wave 1 | 72% | 73% |
Wave 2 | 74% | 81%[s1] |
Wave 3 | 75% | 78% |
Wave 4 | 79% | 79% |
[s1] Significant change from previous year at 95% significance level
Base: All businesses at Wave One (n=1,205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674); All charities at Wave One (n=536), Wave Two (n=373), Wave Three (n=310), and at Wave Four (n=548).
Large businesses were significantly more likely to have experienced some form of cyber security incident over the last twelve months (84% amongst large businesses vs 79% of all medium and large businesses). Businesses in the professional, scientific or technical sectors were also more likely to have experienced a cyber security incident in the last 12 months (89% vs 79% of all medium and large businesses).
Prevalence of cyber security incidents excluding phishing shows that businesses were significantly more likely to experience incidents than charities (Figure 2.2).
Figure 2.2: Prevalence of any cyber security incidents (excluding phishing attacks)
Have any [types of cyber security incidents] happened to your organisation in the last 12 months? (% yes, excluding phishing attacks)
Wave | Businesses | Charities |
---|---|---|
Wave 1 | 50% | 47% |
Wave 2 | 53% | 51% |
Wave 3 | 53% | 53% |
Wave 4 | 62%[s1][s2] | 53% |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All businesses at Wave One (n=1,205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674); All charities at Wave One (n=536), Wave Two (n=373), Wave Three (n=310), and at Wave Four (n=548).
2.2 Types of cyber incidents
Phishing and email impersonation scams were the most prevalent cyber security incidents experienced by organisations, with 74% of businesses and 72% of charities reporting phishing incidents. Around half (56% of businesses and 46% of charities) reported email impersonation scams, a significant increase for both businesses (from 43% in Wave Three to 56% in Wave Four) and charities (from 38% in Wave Three to 46% in Wave Four), with businesses more likely than charities to experience impersonation. This highlights the need for organisations to be adaptable in the ever-changing cyber landscape.
There are also significant differences seen between business sizes in respect to the types of incidents identified. These include:
- Large businesses were more likely to experience phishing attacks (81%) than medium-sized businesses (72%)
- Very large businesses (those with 500+ employees) were more likely to experience denial of service attacks (14%) than medium-sized businesses (7%)
- Large businesses were more likely to experience unauthorised accessing of files or networks by staff, even if accidental (11%), than medium-sized businesses (4%)
- Very large businesses (those with 500+ employees) were more likely to experience unauthorised accessing of files or networks by people outside their organisation (8%) than medium-sized businesses (3%)
While larger businesses were frequently targeted by diverse attacks, medium-sized businesses also remained vulnerable to cyber threats, albeit to a lesser degree.
Figure 2.3: Types of cyber incident experienced by businesses in the last twelve months
Have any of the following happened to your organisation in the last 12 months?
Wave | % Phishing attacks | % People impersonating, in emails or online, your organisation or your staff/volunteers | % Takeovers or attempted takeovers of organisations website, social media accounts or email accounts | % Denial of service attacks | % Hacking or attempted hacking of online bank accounts |
---|---|---|---|---|---|
Wave 1 | 66 | 39 | 11 | 5 | 3 |
Wave 2 | 69 | 42 | 11 | 5 | 4 |
Wave 3 | 70 | 43 | 15[s1] | 8 | 3 |
Wave 4 | 74 | 56[s1] | 10[s1] | 7 | 6[s1] |
[s1] Significant change from previous year at 95% significance level
Base: All businesses at Wave One (n=1,205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
Figure 2.3 above shows the types of cyber incident experienced by businesses in the last twelve months. Figure 2.4 below shows the types of cyber incident experienced by charities in the last twelve months.
Figure 2.4: Types of cyber incident experienced by charities in the last twelve months
Have any of the following happened to your organisation in the last 12 months?
Wave | % Phishing attacks | % People impersonating, in emails or online, your organisation or your staff/volunteers | % Takeovers or attempted takeovers of organisations website, social media accounts or email accounts | % Denial of service attacks | % Hacking or attempted hacking of online bank accounts |
---|---|---|---|---|---|
Wave 1 | 69 | 32 | 10 | 5 | 3 |
Wave 2 | 77 | 37 | 11 | 6 | 3 |
Wave 3 | 74 | 38 | 18[s1] | 7 | 4 |
Wave 4 | 72 | 46[s1] | 9[s1] | 6 | 6 |
[s1] Significant change from previous year at 95% significance level
Base: All charities at Wave One (n=536), Wave Two (n=373), Wave Three (n=310), and at Wave Four (n=548).
The types of incidents reported in the qualitative phase were broadly similar to the Wave Four quantitative findings. The most commonly reported recent incidents in interviews were phishing attacks. These mainly consisted of attackers impersonating other members of staff and sending emails with links. A minority of participants mentioned direct attempts to log into or hack into an account.
Most reported that the phishing attempts were mitigated either through existing software in place such as firewalls or multifactor authentication or through staff action like recognising emails as spam and initiating scans of systems.
Several cues were used by staff to identify an email as an attempted phishing attack. These cues included mistakes in the email address or sender name, characters in a different language in the email body, or directly contacting the staff member being impersonated to confirm whether they had sent the email. For successful phishing attempts, participants shared that most led to financial losses of varying levels or to data breaches.
“The most recent one would have been a phishing attack, just where somebody gained access to an online booking portal.”
Business, Medium, Administration, East of England
A minority of participants also mentioned that they had not experienced a successful cyber security incident for several years. This was attributed to the infrastructures in place to prevent escalation of incidents, such as a 24/7 Service Operation team, portal set up, and multi-factor authentication.
“To be honest, most of them are phishing related or email related things. We’ve not had that. And we do have some attempts at account logins from other countries, but due to Microsoft Venture and our conditional access rules, those are blocked out fairly strictly. So yeah, we haven’t had a major breach since I’ve been here.”
Business, Medium, Construction, London
2.3 Outcomes of cyber incidents
While most organisations did not suffer any serious consequences as a result of cyber security incidents, around one-fifth had been negatively impacted (21% of businesses and 22% of charities that experienced an incident in the last year). As shown in Figure 2.5, this is in line with previous waves. Large businesses were more likely than medium-sized businesses to suffer serious consequences as a result of a cyber security incident (35% vs 18% respectively).
Figure 2.5: Proportion of cyber incidents that had any outcome on organisation
Have any outcomes happened to your organisation in the last 12 months as a result of a cyber security incident? (% yes)
Wave | Businesses | Charities |
---|---|---|
Wave 1 | 25% | 24% |
Wave 2 | 25% | 26% |
Wave 3 | 23% | 24% |
Wave 4 | 21% | 22% |
No significant changes from previous years or between businesses and charities at the 95% significance level were observed.
Base: All businesses at Wave One (n=883), Wave Two (n=533), Wave Three (n=422) and at Wave Four (n=537); All charities at Wave One (n=394), Wave Two (n=303), Wave Three (n=245), and at Wave Four (n=432).
The most common outcomes mentioned, as seen in Figure 2.6 and Figure 2.7, were:
- temporary loss of access to files or network (8% of both businesses and charities)
- the organisation’s website, applications or online services were taken down or made slower (5% of businesses and 6% of charities)
- losing access to any third-party services they rely on (6% of both businesses and charities)
Figure 2.6: Type of outcome of cyber incident amongst businesses
Thinking of all the cyber security incidents experienced in the last 12 months, which, if any, of the following happened as a result?
Wave | % Temporary loss of access to files or networks | % Lost access to any third-party services you rely on | % Your website, applications or online services were taken down or made slower | % Software or systems were corrupted or damaged | % Compromised accounts or systems used for illicit purposes (e.g. launching attacks) |
---|---|---|---|---|---|
Wave 1 | 10 | 4 | 6 | 6 | 6 |
Wave 2 | 10 | 4 | 5 | 4 | 5 |
Wave 3 | 8 | 4 | 7 | 4 | 6 |
Wave 4 | 8 | 6 | 5 | 4 | 3[s1] |
[s1] Significant change from previous year at 95% significance level
Base: All businesses at Wave One (n=883), Wave Two (n=533), Wave Three (n=422) and at Wave Four (n=537).
Figure 2.6 above shows the types of outcome of cyber incidents experienced by businesses in the last twelve months. Figure 2.7 below shows the types of outcome of cyber incidents experienced by charities in the last twelve months.
Figure 2.7: Type of outcome of cyber incident amongst charities
Thinking of all the cyber security incidents experienced in the last 12 months, which, if any, of the following happened as a result?
Wave | % Temporary loss of access to files or networks | % Your website, applications or online services were taken down or made slower | % Lost access to any third-party services you rely on | % Compromised accounts or systems used for illicit purposes (e.g. launching attacks) | % Software or systems were corrupted or damaged | % Physical devices or equipment were damaged or corrupted |
---|---|---|---|---|---|---|
Wave 1 | 9 | 8 | 4 | 5 | 5 | 3 |
Wave 2 | 9 | 4 | 4 | 8 | 4 | 5 |
Wave 3 | 7 | 9 | 3 | 7 | 3 | 3 |
Wave 4 | 8 | 6 | 6 | 4 | 3 | 3 |
No significant changes from previous years or between businesses and charities at the 95% significance level were observed.
Base: All charities at Wave One (n=394), Wave Two (n=303), Wave Three (n=245), and at Wave Four (n=432).
Large businesses were more likely to experience certain outcomes of a cyber security incident than medium-sized businesses. For example, they were more likely to:
- Experience loss of access to third-party services relied on (large businesses at 11% vs medium businesses at 5%)
- Experience software or system damage (large businesses at 8% vs medium businesses at 3%)
- Experience physical devices or equipment being damaged (large businesses at 8% vs medium businesses at 2%)
- Experience compromised accounts or systems being used for illicit purposes (large businesses at 8% vs medium businesses at 2%)
- Experience temporary loss of access to files or networks (large businesses at 13% vs medium businesses at 7%)
2.4 Impact of cyber incidents on organisations
Incidents that did not result in negative financial consequences or data loss can still have a wider impact on organisations. Therefore, organisations that experienced a cyber security incident in the last twelve months were also asked about the wider impact of incidents on their organisation. Figure 2.8 shows a notable decrease in the proportion of organisations reporting any impact from cyber incidents. This finding should be monitored and investigated further in Wave Five and Wave Six of this study.
Figure 2.8: Proportion of cyber incidents that had an impact on organisation
Has your organisation faced any impacts in the last 12 months as a result of a cyber security incident? (% yes)
Wave | Businesses | Charities |
---|---|---|
Wave 1 | 49% | 49% |
Wave 2 | 51% | 52% |
Wave 3 | 54% | 55% |
Wave 4 | 36%[s1] | 42%[s1][s2] |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All businesses at Wave One (n=883), Wave Two (n=533), Wave Three (n=422) and at Wave Four (n=537); All charities at Wave One (n=394), Wave Two (n=303), Wave Three (n=245), and at Wave Four (n=432).
While the prevalence of impactful cyber incidents has significantly decreased across businesses and charities, the most common impacts remain consistent, as shown in Figures 2.9 and 2.10. Notably, 24% of businesses and 29% of charities reported the need for new measures to prevent future incidents. Additional staff time was required to deal with such incidents, and charities in particular were significantly more impacted (29%) than businesses (21%) in Wave Four.
Large businesses were more likely than medium-sized businesses to report that cyber security incidents had led to new measures being needed to prevent or protect against future incidents (35% of large businesses vs 22% of medium businesses), had required additional staff time to deal with the incident (30% vs 19%) and had stopped staff from carrying out their day-to-day duties (17% vs 10%).
Figure 2.9: Impact of cyber incidents on businesses
And have any of these incidents impacted your organisation in any of the following ways?
Wave | % New measures needed to prevent or protect against future incidents | % Additional staff time to deal with the incident, or to inform customers/beneficiaries or stakeholders | % Stopped staff from carrying out their day-to-day work | % Any other repair or recovery costs |
---|---|---|---|---|
Wave 1 | 35 | 32 | 15 | 8 |
Wave 2 | 35 | 33 | 15 | 7 |
Wave 3 | 40 | 34 | 18 | 7 |
Wave 4 | 24[s1] | 21[s1] | 12[s1] | 7 |
[s1] Significant change from previous year at 95% significance level
Base: All businesses at Wave One (n=883), Wave Two (n=533), Wave Three (n=422) and at Wave Four (n=537).
Figure 2.9 above shows the impact of cyber incidents on businesses. Figure 2.10 below shows the impact of cyber incidents on charities.
Figure 2.10: Impact of cyber incidents on charities
And have any of these incidents impacted your organisation in any of the following ways?
Wave | % Additional staff time to deal with the incident, or to inform customers/beneficiaries or stakeholders | % New measures needed to prevent or protect against future incidents | % Stopped staff from carrying out their day-to-day work | % Any other repair or recovery costs |
---|---|---|---|---|
Wave 1 | 34 | 36 | 14 | 4 |
Wave 2 | 36 | 34 | 17 | 5 |
Wave 3 | 40 | 34 | 18 | 7 |
Wave 4 | 29[s1] | 29[s1] | 15 | 5 |
[s1] Significant change from previous year at 95% significance level
Base: All charities at Wave One (n=394), Wave Two (n=303), Wave Three (n=245), and at Wave Four (n=432).
In the qualitative interviews, participants reported that experiencing a cyber security incident had made employees in their organisation more aware of the severity of such incidents. This was consistent across both senior leadership and wider staff.
Some participants mentioned that, despite the potential for large impacts from the incidents they experienced, in reality the impacts were minimal. This may still have important implications, as a near miss initiates conversations within organisations to ensure they are covered for the worst possible outcome.
“I think that really did light a fire under a lot of people to go, ‘oh, this could have been very, very bad.’ So that did help, that did help a lot in getting people to understand that they do need to follow the policies and procedures.”
Charity, England
Actions taken in response to incidents after they had taken place were either structural or people-centric. Structural changes included updates to software that prevents or monitors attempted cyber-attacks, or implementing measures to assess the effectiveness of that software; for example, updating firewalls. In the longer term, structural changes included updating plans, processes and procedures, such as requiring sign-off on mass emails and introducing a more comprehensive supplier form.
People-centric changes included notifying employees of the incident and, in the longer term, implementing or updating training for employees on cyber security processes and procedures, and ways to respond to an attempted incident.
“We added a number of new firewall rules. We did an assessment across the organisation to see if we can be affected again. In terms of actual costs, very little. In terms of time and resources, which obviously does amount to costs, then there was some time spent to it. So, if I had to actually put a financial figure on it going forward, I would suggest that one incident itself probably cost us in the region £10,000. That’s just in time and resources, though.”
Business, Large, Finance or Insurance, London
“So, if a user requests something, we don’t just say ‘yeah, that’s fine’ […] it’s actually ‘Right, well you need your manager’s approval on that first, so get your manager to have that flow’.”
Business, Medium, Manufacturing, Northwest England
“So, it was basically posting notifications to all staff that this type of thing has happened and can happen, and just be especially aware and not to fall for that particular scam. But I regularly send out messages to the entire staff warning them of whatever scam is happening at the time, really, or going round.”
Charity, England
3. Cyber security policies and processes
Robust cyber security policies and processes are essential for organisational cyber resilience. This chapter explores organisational uptake of government cyber security products. It also describes the overall cyber security policies and processes that organisations reported. It is important to measure organisations’ uptake of government cyber security products in order to measure their effectiveness in improving cyber security. It is also vital to understand organisations’ overarching policies and processes for addressing cyber security threats.
Some organisations have adopted security standards and accreditations like ISO 27001, Cyber Essentials, and Cyber Essentials Plus, with 45% of businesses and 35% of charities adhering to at least one of them. The prevalence of Cyber Essentials Plus particularly increased compared to previous waves. This is important because Cyber Essentials Plus adherence generally relates to continued improvements in cyber security practices (96% of businesses and 94% of charities with Cyber Essentials Plus made some cyber security improvement in the past 12 months).
Organisations that discussed cyber security with their board at least monthly were more likely to have an accreditation, and those that experienced a recent incident were also more likely to be certified. This suggests that board involvement or experience of recent incidents could lead to increased uptake of accreditations.
While fewer organisations were actively identifying cyber security risks compared to previous waves, most had basic security controls in place such as restricting IT access and using firewalls. Businesses were more proactive in performing vulnerability audits, investing in threat intelligence, and using security monitoring tools compared to charities. Larger businesses were also more likely to have all four of these procedures in place than medium-sized businesses (vulnerability audits, threat intelligence investments, security tools and a risk assessment covering cyber security). This aligns with earlier findings that larger businesses report both a higher proportion of incidents and varied incidents.
Monitoring the cyber security practices of suppliers continues to be a lower priority for organisations. The proportion of businesses conducting any work to formally assess or manage their suppliers has remained low since Wave Three (28% in Wave Three vs 23% in Wave Four). Businesses with ISO 27001 or Cyber Essentials Plus (64% and 48% respectively) were more likely to carry out a formal assessment of their suppliers’ cyber security than those without an accreditation (24%). A majority (68%) of businesses that reviewed immediate cyber risks set minimum cyber security standards in their supplier contracts. However, few organisations (12% of businesses, 7% of charities) stopped working with a supplier following a cyber security incident.
3.1 Uptake and usage of standards, certifications and government guidance
While some organisations have embraced security standards like ISO 27001, Cyber Essentials, and Cyber Essentials Plus, adoption remains inconsistent across the board. Overall, 45% of businesses stated they had at least one of the three standards or accreditations, while 35% said they had none of them. Charities also saw a mix of uptake, with 35% adhering to at least one accreditation but 47% stating they had none. Businesses were more likely to have ISO 27001, Cyber Essentials or Cyber Essentials Plus than charities (45% vs 35%), particularly ISO 27001 (15% vs 9%). More businesses had Cyber Essentials Plus than in the first three waves (15% Wave Four, 9% Wave Three, 11% Wave Two, 8% Wave One), as did more charities (12% Wave Four, 8% Wave Three, 9% Wave Two, 7% Wave One). Organisations were also more likely to have an accreditation if they discussed cyber security with the board monthly or more often (62% of businesses, 52% of charities) compared to only when there is an attack (37% of businesses, 31% of charities).
Figure 3.1: Businesses’ standards and accreditations
Which of the following standards or accreditations, if any, does your organisation adhere to?
Wave | % ISO 27001 | % Cyber Essentials | % Cyber Essentials Plus | % None of these | % Don’t know |
---|---|---|---|---|---|
Wave 1 | 15 | 14 | 8 | 42 | 26 |
Wave 2 | 17 | 19[s1] | 11[s1] | 39 | 20 |
Wave 3 | 19 | 18 | 9 | 41 | 21 |
Wave 4 | 15[s2] | 23 | 15[s1] | 35 | 20 |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All businesses at Wave One (n=1205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
Figure 3.1 above shows businesses’ standards and accreditations. Figure 3.2 below shows charities’ standards and accreditations.
Figure 3.2: Charities’ standards and accreditations
Which of the following standards or accreditations, if any, does your organisation adhere to?
Wave | % ISO 27001 | % Cyber Essentials | % Cyber Essentials Plus | % None of these | % Don’t know |
---|---|---|---|---|---|
Wave 1 | 9 | 16 | 7 | 46 | 25 |
Wave 2 | 9 | 23[s1] | 9 | 40 | 24 |
Wave 3 | 7 | 23 | 8 | 45 | 19 |
Wave 4 | 9 | 19 | 12 | 47[s2] | 18 |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All charities at Wave One (n=536), Wave Two (n=373), Wave Three (n=310) and at Wave Four (n=548).
Despite the lack of cyber accreditation across organisations, most organisations reported that they had some form of rules or controls in place to minimise cyber security threats. In fact, a significant majority of organisations had taken the following actions:
- Restricted IT admin and access rights to specific users (97% of businesses, 95% of charities)
- Used up-to-date malware protection across all devices, and security controls on the organisation’s devices (97% of businesses, 93% of charities)
- Used firewalls that cover IT networks and individual devices (97% of businesses, 90% of charities)
The implementation of security controls on businesses’ own devices has seen a modest increase compared to previous waves (97% in Wave Four vs 91% Wave Three, 92% Wave Two, 92% Wave One). This suggests that cyber security decision makers are recognising more than ever the importance of protecting business devices.
General organisational guidance continues to be a larger source of awareness than more technical cyber guidance. For example, the NCSC GDPR guidance had the highest awareness of the NCSC information and guidance sources (72% of businesses, 74% of charities), while Exercise in a Box had the lowest awareness (19% of businesses, 17% of charities). Aside from GDPR guidance, large businesses were more likely to be aware of every piece of NCSC information and guidance than medium-sized businesses. Almost half of organisations (48% of businesses, 46% of charities) were not aware of the NCSC guidance on 10 Steps to Cyber Security. Businesses were more likely than charities to be aware of supply chain security guidance (35% vs 27%). Large businesses demonstrated a stronger inclination towards using NCSC guidance, with over half (52%) actively using it compared to just a third (33%) of medium-sized businesses. This highlights the importance of tailoring outreach and support efforts to encourage wider adoption of valuable cyber security resources among smaller organisations.
Similar to the quantitative findings, the standards and accreditations mentioned by participants in the qualitative phase varied. Cyber Essentials was the most mentioned and most commonly held accreditation. Some participants mentioned being in the process of acquiring Cyber Essentials, Cyber Essentials Plus or ISO 27001, but noted the difficulty in achieving or meeting certain standards, as this required compliance across staff and relevant stakeholders.
A minority of participants shared that their organisation did not follow a formal standard, best practice or guidelines, but enforced measures to manage the organisation’s cyber security such as firewalls or multi-factor authentication.
“The holy grail for it is definitely that we follow our Cyber Essentials guidelines more than anything.”
Business, Medium, Manufacturing, Northwest England
“There are some requirements that are difficult for us to achieve. We are a specialist college. Some of our students have real difficulties remembering passwords and things like that. There are issues with some of the things that Cyber Essentials make us have to do and not very easy for us to do with some of our students.”
Charity, England
It is important that accreditations are robust enough to improve cyber security, while also being an achievable and reachable target for organisations. If they are unachievable, this may put organisations off attempting to adhere to them, and potentially lead to poorer cyber security measures.
Beyond Cyber Essentials (Plus) and ISO 27001, participants also followed industry specific guidelines or guidelines imposed by the partners or clients they worked with. This tended to be the case for organisations that worked with the public sector.
“Okay, so I use the national information security, the NIST stuff. We’re handling NHS IDs. So, we’ve had to sign up for the NHS cyber security standardisation.”
Charity, England
Some participants spontaneously mentioned the NCSC as a source that they used to stay informed of advice and guidance on cyber security, demonstrating an awareness and usage of the source. A minority mentioned being aware of the NCSC but not using it as a key source of advice and guidance. They prioritised other sources for advice, most of which were through other stakeholders such as insurance providers, IT partners or third parties.
“So, we have a look at NCSC every now and then. I think that’s part of the review process on the cyber security policy. I believe that’s every six months. So, we check on the NCSC every six months.”
Charity, England
3.2 Current cyber security policies
Organisations were asked to identify their current cyber security policies. Compared to previous waves, more organisations reported that they had not taken any steps to identify cyber security risks (17% in Wave Four had done nothing, compared to 10% in Wave Three). All measures significantly decreased compared to Wave Three except for vulnerability audits, which stayed at similar levels.
Figure 3.3: Identifying cyber security risks
Which of the following, if any, have you done over the last 12 months to identify cyber security risks to your organisation?
Measure | Businesses | Charities |
---|---|---|
A cyber security vulnerability audit | 56% [s2] | 47% |
A risk assessment covering cyber security risks | 67% | 66% |
Invested in threat intelligence | 36% [s2] | 25% |
Used specific tools designed for security monitoring, such as Intrusion Detection Systems | 69% [s2] | 56% |
None of these | 15% | 19% |
[s2] Significant difference between businesses and charities at 95% significance level
Bases: 674 UK businesses; 548 charities
Businesses were more likely than charities to have:
- Performed a cyber security vulnerability audit (56% vs 47%)
- Invested in threat intelligence (36% vs 25%)
- Used specific tools designed for security monitoring (69% vs 56%)
This wave-on-wave decrease in the implementation of cyber security procedures is a concern for all organisations, but charities appear to find it more challenging than businesses. Businesses were more likely than charities to have all four cyber security procedures in place (25% vs 15% had vulnerability audits, threat intelligence investments, security tools and a risk assessment covering cyber security). Larger businesses were also more likely to have all four procedures in place compared to medium-sized businesses (43% vs 21%). The percentages of businesses and charities that conducted cyber security risk assessments were similar (67% of businesses, 66% of charities).
Charities were more likely than businesses to have a risk register that covered cyber security (73% vs 60%), whereas businesses were more likely than charities to have documentation identifying the most critical assets their organisation wanted to protect (59% vs 53%).
While cyber insurance adoption remains comparable to Wave Three, some organisations still cited budget constraints as a barrier. Around seven in ten organisations (69% of businesses, 71% of charities) in Wave Four stated they had cyber insurance, either in the form of a specific policy or as part of a broader insurance policy. This is similar to Wave Three for businesses (69% in Wave Three) but lower than Wave Three for charities (79% in Wave Three). Businesses in the information and communication sector were particularly likely to have some kind of cyber insurance (83%) compared to all businesses (69%). The most common reason organisations gave for having no cyber insurance or cover was that it is not a budgetary priority (32% of businesses, 33% of charities). Almost one quarter of respondents (21% of businesses, 24% of charities) stated they were not aware of cyber insurance as a concept.
Figure 3.4: Businesses that have cyber insurance policies or cover
There are general insurance policies that provide cover for cyber security incidents, among other things. There are also specific insurance policies that are solely for this purpose. Which of the following best describes your situation?
Wave | % We have a specific cyber security insurance policy | % We have cyber security cover as part of a broader insurance policy | % We are not insured against cyber security incidents | % Don’t know |
---|---|---|---|---|
Wave 1 | 18 | 35 | 13 | 34 |
Wave 2 | 25[s1] | 36 | 11 | 28 |
Wave 3 | 26 | 43[s1] | 13 | 17 |
Wave 4 | 29 | 40 | 11 | 20[s2] |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All businesses at Wave One (n=1205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
Figure 3.4 above shows businesses that have cyber insurance policies or cover. Figure 3.5 below shows charities that have cyber insurance policies or cover.
Figure 3.5: Charities that have cyber insurance policies or cover
There are general insurance policies that provide cover for cyber security incidents, among other things. There are also specific insurance policies that are solely for this purpose. Which of the following best describes your situation?
Wave | % We have a specific cyber security insurance policy | % We have cyber security cover as part of a broader insurance policy | % We are not insured against cyber security incidents | % Don’t know |
---|---|---|---|---|
Wave 1 | 24 | 42 | 14 | 20 |
Wave 2 | 32[s1] | 42 | 10 | 16 |
Wave 3 | 32 | 46 | 10 | 11 |
Wave 4 | 30 | 41 | 16[s1][s2] | 12 |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All charities at Wave One (n=536), Wave Two (n=373), Wave Three (n=310) and at Wave Four (n=548).
Organisations are increasingly moving towards cloud-based storage for data. In fact, more organisations in Wave Four stated that they use a cloud server that stores data or files than in any previous wave (79% of businesses in Wave Four compared to 72% Wave Three, 70% Wave Two and 68% Wave One). The move is particularly evident among charities, which were more likely than businesses to have a cloud server (88% vs 79%). In addition, charities were more likely than businesses to allow networks or files to be connected to on personal devices (52% vs 30%).
Figure 3.6: Businesses’ use of physical server or cloud server
Does your organisation use or provide any of the following?
Wave | % A cloud server that stores your data or files | % Your own physical server that stores your data or files | % None of these |
---|---|---|---|
Wave 1 | 68 | 82 | 3 |
Wave 2 | 70 | 81 | 2 |
Wave 3 | 72 | 76 | 4 |
Wave 4 | 79[s1] | 76[s2] | 3 |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All businesses at Wave One (n=1205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
Figure 3.6 above shows businesses’ use of physical server or cloud server. Figure 3.7 below shows charities’ use of physical server or cloud server.
Figure 3.7: Charities’ use of physical server or cloud server
Does your organisation use or provide any of the following?
Wave | % A cloud server that stores your data or files | % Your own physical server that stores your data or files | % None of these |
---|---|---|---|
Wave 1 | 77 | 72 | 5 |
Wave 2 | 80 | 66 | 3 |
Wave 3 | 86 | 60 | 2 |
Wave 4 | 88[s2] | 54 | 5 |
[s2] Significant difference between businesses and charities at 95% significance level
Base: All charities at Wave One (n=536), Wave Two (n=373), Wave Three (n=310) and at Wave Four (n=548).
From the qualitative phase, participants mentioned a range of measures that their organisations had in place to identify, monitor and prevent cyber security incidents. These included vulnerability audits or penetration tests, which were largely triggered by insurers or external partners, spam filtering software, antivirus software, firewalls, a shift to cloud servers to manage sensitive data, and multi-factor authentication to prevent cyber security incidents.
“So, we’ve got Sophos that looks after the firewalls and website block and antivirus. But then also, well, we’re looking to move across to something called office. It’s an Office 365, basically it’s Windows Defender. But they do like a 24/7 support. So, they’ll always look at our system and see if there’s any cyber issues and anything, and then they’ll report to us or they’ll block it as soon as they can.”
Charity, England
“Because of the change in technology, where cloud has come so much into the picture, where everything is hosted onto the cloud, so our systems, when they’re hosted on the cloud, it’s not our own private cloud. We host our systems with the application provider, so it becomes their responsibility. Their risk to ensure the data is protected based on the agreements that we sign off. So that reduces our risks to a greater extent. And that’s a model that we prefer.”
Business, Large, Food and Hospitality, London
However, very few participants spontaneously mentioned having a business continuity plan in response to cyber security threats. It was implied that preventative measures meant a lower likelihood of successful cyber security attacks, and therefore less need for a cyber-specific business continuity or recovery plan.
3.3 Cyber processes
Supplier cyber management remains a low priority for organisations. Similar to Wave Three, less than a third of organisations at Wave Four stated they had carried out a formal assessment of suppliers in the past 12 months (28% of businesses and 26% of charities in Wave Three vs 23% for both in Wave Four). At Wave Four, this was more common in large businesses than in medium-sized businesses (37% vs 20%); however, a majority of charities did not carry out any assessment of suppliers (70% in Wave Four). This is a concerning challenge, since suppliers can be a risk factor in cyber-attacks.
Businesses were more likely to assess suppliers if they had ISO 27001 (51% of businesses) or Cyber Essentials Plus (37% of businesses) compared to those with only Cyber Essentials (20% of businesses) or no accreditation (16% of businesses). Of those organisations that reviewed immediate cyber risks, a majority (68% of businesses, 56% of charities) set minimum cyber security standards in supplier contracts. For charities this is consistent across waves; for businesses this is broadly in line with Wave Three (58% of businesses, 63% of charities) but higher than in Wave Two (56% of businesses, 49% of charities) and Wave One (57% of businesses, 54% of charities). This highlights the importance of accreditations like Cyber Essentials Plus and ISO 27001 in driving improved supplier cyber security management, ultimately contributing to a more resilient supply chain. Few organisations (12% of businesses, 7% of charities) stated they had stopped working with a supplier following a cyber security incident.
From the qualitative phase, many participants also mentioned a lack of a formal process or structure for assessing suppliers on their cyber security and identified this as a weakness in their organisation. Compliance checks on suppliers tended to look at risks regarding data protection and management and not specifically on cyber security.
A minority mentioned that this process was managed by external partners, or that they relied on a list of approved suppliers as a shortcut to determine that suppliers adhered to cyber security standards. After onboarding suppliers, measures were in place to limit supplier access to information that was irrelevant to their involvement. For example, some organisations provided suppliers with a user account that was only valid for a limited period, or monitored emails from suppliers.
“One of the areas we do need to do more work on is compliance of suppliers in all sorts of areas, including cyber security. But we’ve got, like I said, we’ve got Cyber Essentials Plus, and part of that is making sure that kind of data coming in and data going out from sort of remote partners is secure. So, we do rely on a few external systems and obviously we do have contracts with them and policies they state about how they process and store our data.”
Charity, UK
“We don’t have a lengthy report that we expect people to complete to say, you know, cyber protection in place or anything like that.”
Business, Medium, Manufacturing, Southwest England
Testing these processes is an important step to determine their effectiveness. Of those who had incident management processes, less than half (47% of businesses, 37% of charities) of organisations tested their incident response policies. Larger businesses were more likely to do this (59% vs 44% medium-sized businesses).
Around six in ten organisations (66% of businesses, 58% of charities) in Wave Four stated they had an incident response plan. For businesses, this is more than at Wave One (51%), Wave Two (56%) and Wave Three (59%). Large businesses were also more likely to have this compared to medium-sized businesses (78% vs 64%).
4. Understanding behaviour change
It is important to understand current influences on organisations’ cyber security policies and processes to facilitate further engagement with cyber security practices. It is also imperative to understand why organisations decide to improve their cyber security posture. Therefore this chapter focuses on new questions added to Wave Four that explore the factors driving organisational behaviour change on cyber security.
In the quantitative survey, participants were asked about the extent to which their approach to cyber security was influenced by certain groups such as external IT consultants, investors and customers. Organisations were also asked which factors were influential in helping to improve the organisation’s cyber security posture. Furthermore, the follow-up qualitative interviews helped to identify key influencing factors that need to be addressed to ensure optimal engagement with cyber security practices and processes.
The qualitative phase was informed by a behavioural science approach, which provides a structured way of understanding the mechanisms underpinning behaviour and subsequently what needs to be changed to facilitate desired behaviours and more optimal decision making.
With the aim of facilitating optimal engagement with cyber security practices, processes and policies, we used the COM-B framework[footnote 7] to identify the influences on behaviour change (see methodology and technical report for more details).
4.1 Organisational structure and culture that influence approach towards cyber security
4.1.1 Multiple stakeholder involvement
Cyber security management and improvement is a complex task requiring the involvement of multiple stakeholders, both internal and external to organisations. Within an organisation, a diverse range of teams contribute to cyber security. These teams frequently include, but are not limited to, IT, Compliance, Finance, and Human Resources, although this can vary depending on the size and structure of the organisation. Large organisations typically have staff in place for each of these areas.
In contrast, medium-sized businesses, often due to resource constraints, tend to consolidate cyber security responsibilities. This is often with a single staff member or small team covering multiple areas or an outsourced team. Nonetheless, these staff members are not the only stakeholders who influence cyber security in organisations.
Compared to earlier waves, different stakeholders are noted to have a growing impact on a business’s cyber security. Wave Four indicates more businesses were influenced by IT or cyber security consultants than in the previous three waves (64% reported being influenced a great deal or a fair amount vs 53% in Wave Three, 53% in Wave Two, 47% in Wave One). Businesses that discussed cyber security with the board regularly (monthly or more often) were more likely to be influenced by external IT or security consultants (73%) than those that only discussed cyber security every time there was an attack (59%). Regulators and auditors have increased their levels of influence on businesses in Wave Four compared to Wave Three (33% Wave Four vs 21% Wave Three were influenced by regulators, and 29% Wave Four vs 21% Wave Three were influenced by auditors).
For businesses, customers also tended to shape businesses’ approaches towards cyber security more than previously (35% in Wave Four vs 21% Wave One, 27% Wave Two, 21% Wave Three). Wave Four also indicates more businesses were influenced by investors or shareholders than at Wave One and Two, but in line with Wave Three (18% in Wave Four vs 12% Wave One, 13% Wave Two, 16% Wave Three). The influence of insurers has also increased for businesses since the previous wave, up to 42% in Wave Four from 34% in Wave Three. However, charities noted a similar level of influence from insurers (42% in Wave Four compared to 45% in Wave Three).
Figure 4.1: Influence of feedback on cyber security amongst businesses
Over the last 12 months, how much have your actions on cyber security been influenced by feedback from any of the following groups? (A great deal/fair amount)
Wave | % External IT or cyber security consultants | % Your insurers | % Your customers | % Regulators for your sector | % Whoever audits your account |
---|---|---|---|---|---|
Wave 1 | 47 | 26 | 21 | 21 | 19 |
Wave 2 | 53[s1] | 35[s1] | 27 | 23 | 22 |
Wave 3 | 53 | 34 | 21 | 21 | 21 |
Wave 4 | 64[s1] | 42[s1] | 35[s1] | 33[s1][s2] | 29[s1][s2] |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All businesses at Wave One (n=1205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
In the qualitative strand of this research, participants described their individual roles within teams dealing with cyber security as multifaceted and often defined them broadly. Responsibilities mentioned by participants spanned a wide spectrum, from the daily operational tasks of IT support and software infrastructure management to strategic functions such as employee training on cyber security best practices, ensuring data protection compliance, budgeting for cyber security resources, and managing relationships with external partners.
This breadth of responsibilities within internal teams highlights the complex interplay of various skill sets and expertise required for effective cyber security management.
Many organisations, particularly medium-sized businesses that may lack the internal resources or expertise, outsourced specific cyber security functions to specialised external partners. These outsourced functions included managing critical areas such as security operations, regular security audits, and achieving necessary security accreditations. Relying on external partners for these functions allowed organisations to leverage specialised knowledge and skills, but it also introduced another layer of complexity to the overall management of cyber security.
“We do have an external Security Operations Centre team, what we refer to as an external SoC, and they are essentially responsible for looking at the system logs that we sent to them, and they will kind of highlight any alerts that are received on systems that we may want to dive into.”
Charity, England
The combination of broadly defined roles within internal teams and the prevalence of outsourcing to external partners could potentially lead to a diffusion of responsibility. This is where individuals within the organisation and external partners may be unclear about who is ultimately accountable for specific cyber security tasks or outcomes. This can hinder effective cyber security management and increase the organisation’s vulnerability to cyber threats.
4.1.2 Knowledge sharing and development with staff
Organisations commonly employed training and awareness programs to educate staff about cyber security best practices and reinforced their importance. These programs often used standard training methods such as online modules and presentations.
However, some organisations explored more innovative approaches to enhance engagement, including personalised training recommendations based on quiz results and gamified training experiences.
“I felt there needed to be more of a board and trustee team representation. So, you need to be reported on more regularly than it was. We haven’t done a desktop exercise, so we haven’t done a cyber security game for the executive team. So just booked one in. So, we’ve got a game. It’s called desktop exercise. So, basically, my cyber security firm is going to come in one playbook around business continuity, disaster recovery in a cyber attack. And they use tv stories, interviews. It’s quite a realistic scenario. A bit like a murder mystery party if knowing, but it’s not murder mystery. So, they’re going to do that takes about 3 hours.”
Charity, England
The timing of training varied, with some organisations providing training at key career milestones, such as during onboarding for new hires, while others opt for regular, recurring training sessions, such as annual or bi-annual refreshers. Email communication was frequently used to share updates and reminders related to cyber security. However, the effectiveness of this method was perceived as inconsistent, with concerns that emails may often go unread.
Businesses were more likely to train their board members on cyber security several times a year than charities (21% vs 7%). Businesses were also more likely to train board members once a year (32% vs 22% charities), with large businesses more likely to train their board several times a year than medium businesses (31% vs 19%). Notably, a significant proportion of all organisations stated their board members do not receive any cyber security training: 23% for businesses and 40% for charities.
Figure 4.2: Frequency the board receives cyber security training amongst businesses
On average, how often does the board receive cyber security training?
Wave | % Several times a year | % Around once a year | % Less often than once a year | % Only received once/one-off training | % Board do not receive any cyber security training | % Don’t know |
---|---|---|---|---|---|---|
Wave 2 [Note 1] | 12[s1] | 19[s1] | 4 | 7 | 40 | 18 |
Wave 3 | 16 | 24 | 4 | 5 | 37 | 14 |
Wave 4 | 21[s1][s2] | 32[s1][s2] | 6 | 9[s1] | 23[s1] | 9 |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
[Note 1] Not asked in Wave One
Base: All businesses at Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
Figure 4.2 above shows the frequency the board receives cyber security training amongst businesses. Figure 4.3 below shows the frequency the board receives cyber security training amongst charities.
Figure 4.3: Frequency the board receives cyber security training amongst charities
On average, how often does the board receive cyber security training?
Wave | % Several times a year | % Around once a year | % Less often than once a year | % Only received once/one-off training | % Board do not receive any cyber security training | % Don’t know |
---|---|---|---|---|---|---|
Wave 2 [Note 1] | 5 | 13 | 7 | 6 | 42 | 26 |
Wave 3 | 4 | 18 | 8 | 7 | 45 | 18 |
Wave 4 | 7 | 22 | 11[s2] | 9 | 40[s2] | 11[s1] |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
[Note 1] Not asked in Wave One
Base: All charities at Wave Two (n=373), Wave Three (n=310) and at Wave Four (n=548).
Participants in the qualitative strand consistently identified human error as a significant vulnerability in preventing cyber security incidents despite widespread efforts to improve cyber security skills among staff. Phishing attacks, in particular, were highlighted as a recurring challenge, with several participants recounting instances where staff interaction with malicious emails led to cyber security breaches. This highlights the importance of regular and up-to-date training to address evolving cyber security threats and reinforce best practices. This also reinforces the need for optimal infrastructures to limit the likelihood of human error.
Furthermore, even when staff possessed the necessary knowledge and skills to mitigate cyber security risks, qualitative findings suggest that motivation and practical application can be significant barriers. While staff may comply with training requirements, underlying attitudes and behaviours can undermine the effectiveness of these programmes. Participants described a prevailing sense of status quo bias amongst staff, that is a preference for maintaining existing work habits and a general apathy towards cyber security practices.
Consequently, the introduction of new security measures, such as two-factor authentication, was often met with resistance and perceived as disruptive to established workflows. For example, some participants expressed reluctance to enable two-factor authentication on their personal devices or to utilise a secondary device for this purpose. This resistance to change and perceived inconvenience can create challenges in fostering a strong cyber security culture.
“The challenges have been you have to implement your processes while you’re still working.”
Charity, England
4.1.3 Implementing infrastructures
From a qualitative standpoint, organisations reported having a range of existing infrastructures in place to manage cyber security. Infrastructures mentioned include Azure, Fortinet, Microsoft, SIEM, SOAR and Sophos. A range of influences impacted the selection of infrastructures implemented by organisations. They included recommendations from external partners to adhere to relevant accreditations or insurer requirements, such as Cyber Essentials.
Most organisations in the qualitative interviews mentioned that they had opportunities throughout the year to provide updates and discuss any concerns with the senior leadership team and/or board members. Participants mentioned that most senior leadership were receptive to the importance of cyber security, though they may not have had a full understanding or knowledge of cyber security.
In most cases, they managed to get buy-in from senior leadership to implement certain infrastructures. However, the specific infrastructures selected would not always be the most optimal. Medium-sized businesses’ and charities’ opportunities were often limited by the size of the team, time constraints, and budgets.
“I’m a regular member of the Senior Management Team myself, and we have at least quarterly meetings…There’s always a sort of slot for, obviously, for every sort of area of the business, if you like. So, there will be a finance update, health and safety have their sort of slots, and so does cyber security.”
Business, Medium, Professional, Scientific or Technical, Wales
“We have to find the funding outside to us, it’s a commercial balance, so there’s probably things that we could do, but we can’t do because of the investment.”
Business, Medium, Education (excluding public sector), Wales
4.2 Cues that trigger change in perception or behaviour
4.2.1 Cyber security incidents
Businesses in general noted that multiple factors helped to improve their organisation’s cyber security posture. Businesses were more likely than charities to report that the following had helped to improve their organisation’s cyber security posture:
- Findings from a security review / assessment / test (49% vs 42% charities)
- Advice from internal cyber security experts (42% vs 38% charities)
- Recent information received from customers / clients (25% vs 15% charities)
In fact, 20% of charities stated that ‘There has been no notable improvement’ in cyber security within the last 12 months, significantly higher than the 11% of businesses saying this.
Figure 4.4: Driving behaviour change in cyber security practices
In the last 12 months, which, if any, of the following factors have been influential in helping to improve the organisation’s cyber security posture?
Influence | Businesses | Charities |
---|---|---|
Findings from security review/assessment/test | 49%[s2] | 42% |
Advice from internal cyber security experts | 42% | 38% |
Advice from external cyber security experts | 61% | 58% |
Reports on cyber security incidents affecting others in our sector | 41% | 42% |
Reports on cyber security incidents in general | 52% | 53% |
Recent updates on regulatory requirements | 39% | 42% |
[s2] Significant difference between businesses and charities at 95% significance level
Bases: 674 UK businesses; 548 charities
Compared to medium-sized businesses, large businesses were significantly more likely to report these as influential factors in helping to improve the organisation’s cyber security posture:
- Direct experience of cyber security incidents (45% compared to 33%)
- Reports on cyber security incidents affecting others in the same sector (55% compared to 38%)
- Reports on cyber security incidents in general (64% compared to 50%)
Overall, advice from external cyber security experts (61% of businesses, 58% of charities) was the most commonly cited influence on an organisation’s cyber security.
If a business or charity had all five Cyber Essentials technical controls in place, they were more likely to report these as influential factors. Further, if a business had Cyber Essentials Plus rather than Cyber Essentials, they were more likely to state a positive influence from:
- Findings from a security review / assessment / test (75% vs 61%)
- Advice from internal cyber security experts (54% vs 40%)
The qualitative findings showed that whilst there was no single source that caused organisations to become more engaged with their cyber security, there was often a significant and highly formative incident that triggered evaluation of existing cyber security practices. These could be direct experiences affecting the organisation, with phishing being the most common example. However, they could also be indirect events mentioned by other organisations both within and outside of their industry. This demonstrated that awareness of the risk of cyber security incidents can be amplified through social and industry channels and networks.
For some, these incidents served as a turning point in their perceptions of cyber security risks, prompting them to reflect on certain aspects:
- Experiencing or hearing about cyber security incidents can make cyber security threats more salient, increasing the perceived susceptibility and frequency of such events
“So they had a conversation on stage, wherever someone was asking the questions about, obviously, their business, and they were explaining what happened to their business around cyber security and what caused it, and then what had to do to then basically guard against it and then moving forward, how they built that back up and put things in place ready for when it was live again. And then there was another bit, there’s actually another business that I think they ended up closing. So, there was like 750 jobs lost. I was like, wow, that’s scary.”
Charity, England
- Incidents raised awareness of the specific types of cyber security threats currently prevalent and provided valuable insights into potential vulnerabilities and attack vectors. Participants mentioned that cyber security incidents were ever evolving and that they therefore needed to be constantly aware of potential new threats. This improved understanding of the threat landscape can inform more effective cyber security strategies
- It demonstrated the consequences of cyber security attacks. Consequences can arise in different forms, whether financial, social or reputational. Understanding the magnitude of consequences, including complete business shutdown, helps drive improvements in cyber security practices
“At the bottom line is, without it in place, we would not be here today. Everything we deal with is personal data.”
Business, Medium, Education (excluding public sector), Wales
- Significant incidents can foster a “maximiser” mindset, where organisations prioritised selecting the best possible cyber security solutions after thorough evaluation and comparison of available options. This approach aims to minimise risk to the greatest extent possible
“So instead of us just relying on old school email rules that just block an email because it doesn’t reach a certain requirement, we’ve got an AI built tool […] picking those nuances out that we’re finding with an increase in phishing and AI based email. So, it’s blocking out more of that stuff, so reducing that risk.”
Business, Medium, Construction, England
The occurrence of incidents typically led to a range of actions being implemented. These actions included communication and awareness campaigns for staff on how to manage or report cyber security threats (for example, through email notifications or formalised training); implementation of software or infrastructure to prevent cyber security incidents from occurring, such as antivirus software; and development of recovery plans or revision of policy plans to address future incidents.
Despite these implemented actions, most organisations that experienced a direct cyber security attack reported limited long-term impact. This suggests that while immediate responses are common, sustaining momentum and embedding lasting changes in cyber security practices can be challenging.
Meanwhile, a minority of organisations that reported limited engagement and changes to cyber security either had not experienced a significant incident, had successfully mitigated attempted attacks, or perceived incidents affecting other organisations as irrelevant to their own situation. For example, certain organisations did not perceive themselves as managing personal data, to which many of the cyber security incidents they were aware of were linked.
These organisations tended to exhibit a “satisficer” mindset, opting for solutions that just meet their needs rather than pursuing the most optimal and comprehensive approach. For example, they might choose software that prevents most, but not all, potential attacks. This approach could leave them more vulnerable to evolving threats.
4.2.2 Regular assessments and reviews
Cyber security incidents, while impactful, may not be the sole triggers for evaluating and improving cyber security practices. Their unpredictable and irregular occurrence makes them an unreliable prompt for ongoing improvement. Instead, regular assessments, often driven by the requirements of accreditations like Cyber Essentials, Cyber Essentials Plus, and ISO 27001, suppliers, or insurers, provided more consistent cues for reflective evaluation of an organisation’s cyber security measures.
These assessments, typically occurring annually, encouraged organisations to proactively seek guidance from external partners. This was to ensure their infrastructure and practices were up-to-date and compliant with the necessary standards for re-accreditation or successful insurance audits.
Furthermore, the specific sector in which an organisation operated also influenced the cues that triggered cyber security evaluations. Certain sectors faced additional accreditations or requirements imposed by partners or clients, which directly impacted the cyber security measures they implemented. These sector-specific demands can create a more frequent and proactive approach to cyber security management, driven by the need to meet external expectations and maintain industry standing.
“We wanted a new solution that could help us identify and make sure we were adhering to Cyber Essentials’ 14-day update period for major security patches.”
Business, Medium, Construction, England
5. Cyber security budget and board involvement
Measuring cyber budgets and attitudes towards them is crucial, as the CSLS has identified that budget constraints can be a barrier to improving organisational cyber security. Additionally, assessing the level of board involvement in cyber security decisions is essential, as increased board engagement has demonstrated a positive impact on organisational cyber security posture. This chapter explores both trends by looking at cyber security budgets, attitudes towards cyber budgets and board involvement for both businesses and charities.
Cyber security budgets are on the rise, with large businesses more likely than medium businesses to have increased their cyber security budgets. While 44% of large businesses have increased their budgets, only 34% of medium-sized businesses have done the same. Alongside this increase, 83% of large businesses believed their current budgets were sufficient to meet their cyber security needs. Both businesses and charities with insufficient budgets were more likely to have boards that never discuss cyber security or to lack cyber insurance. Additionally, medium-sized businesses and organisations without accreditations found it harder to justify cyber security investments compared to their counterparts.
The involvement of board members in cyber security is also on the rise: 61% of businesses and 51% of charities in Wave Four stated they had a board member responsible for cyber security (compared to 55% of businesses and 45% of charities in Wave Three). This is a significant increase for businesses from previous waves, and a steady increase for charities. Additionally, businesses stated that board members were more likely to be trained in cyber security compared to Wave Three, with 21% of businesses stating their board members received training several times a year (compared to 16% of businesses in Wave Three). Large businesses reported more frequent board member training, with 31% of large businesses training their board members several times a year compared to 19% of medium-sized businesses. However, board involvement was not consistent, with some organisations having formal board involvement and others having informal discussions. Participants generally felt that training staff was more important than training board members, as staff are more likely to be targeted by phishing or impersonation attacks.
5.1 Budget
Organisations were asked to describe their cyber budgets, the characteristics of their budgets and their attitudes towards their budgets. Medium-sized businesses were more likely than larger businesses to state their cyber security budget had stayed the same in the last 12 months (38% vs 27%). More large businesses reported either sizeably or somewhat increasing their cyber security budget compared to medium businesses (44% vs 34%). This was particularly marked among businesses reporting a sizeable increase in their budget (16% of large businesses compared to 9% of medium). Charities were slightly more likely to state cyber security budgets increased to stay in line with inflation (18% vs 14% for all businesses). If businesses had all five technical controls required to attain Cyber Essentials, they were much more likely to have increased their cyber security budget than those with fewer than five controls (43% vs 19%). A very low proportion of organisations decreased their cyber security budgets, as shown in Figure 5.1 (2% for businesses and 2% for charities).
Figure 5.1: Change in organisations’ cyber security budget
How has the budget for cyber security changed in the last 12 months? Has it…?
Response | Businesses | Charities |
---|---|---|
Sizeably increased | 10% | 8% |
Somewhat increased | 26% | 23% |
Increased in line with inflation | 14% | 18%[s2] |
Stayed the same | 36% | 38% |
Somewhat decreased | 2% | 2% |
Sizeably decreased | 0% | 1% |
Don’t know | 12% | 11% |
[s2] Significant difference between businesses and charities at 95% significance level
Bases: 674 UK businesses; 548 charities
Most organisations (85% of businesses, 81% of charities) viewed their budgets to be sufficient to address their cyber security goals, needs and main priorities. Organisations whose board never discuss or receive updates on cyber security were more likely to state they had insufficient cyber security budgets (17% of businesses, 28% of charities) than organisations with boards who discuss cyber security monthly or more often (3% of businesses, 6% of charities). Of those organisations that do not have cyber insurance, 16% of businesses and 24% of charities stated they have insufficient budgets. This is more than double the proportion among organisations that do have specific (8% of businesses, 6% of charities) or partial (6% of businesses, 11% of charities) insurance.
Figure 5.2: Sufficiency of organisations’ cyber security budget
Which of the following best characterises your cyber security budget? Is it…?
Response | Businesses | Charities |
---|---|---|
Sufficient to address cyber security needs/goals | 37%[s2] | 29% |
Sufficient to address main priorities | 48% | 52% |
Insufficient and potentially leaving the organisation exposed in some areas | 5% | 9%[s2] |
Insufficient and definitely leaving areas of the organisation exposed | 3% | 2% |
Don’t know | 7% | 8% |
[s2] Significant difference between businesses and charities at 95% significance level
Bases: 674 UK businesses; 548 charities
Medium-sized businesses were more likely to state their cyber security investment is harder to justify than other areas of the business (22% vs 9% of larger businesses). Businesses without accreditations (ISO 27001, Cyber Essentials, Cyber Essentials Plus) were more likely to state it is difficult to justify cyber security investments compared to other areas of the business (28% vs 14% with ISO 27001, 16% with Cyber Essentials and 5% with Cyber Essentials Plus).
Figure 5.3: Attitude towards cyber budget
Which of the following statements best describes your organisation’s attitude towards cyber security investment? Is it…?
Response | Businesses | Charities |
---|---|---|
Easier to justify than other areas of the business | 27% | 23% |
Given equivalent/fair treatment in comparison to other areas of the business | 49% | 50% |
Harder to justify than other areas of the business | 20% | 22% |
Don’t know | 5% | 5% |
No significant changes from previous years or between businesses and charities at 95% significance levels were observed
Bases: 674 UK businesses; 548 charities
From the qualitative research, budget constraints were a common theme. One medium-sized real estate business stated that there was no IT budget at all. When budgets were identified as a weakness, this was often tied to resourcing constraints or that it was costly to do well.
“The weaknesses, probably there’s not enough of us looking at it. We, you know, we’re a charity, we don’t have a lot of staff, we don’t have a lot of money, so we have to do everything on a shoestring. So that’s a weakness. So, there’s always an opportunity for things to slip by or be missed.”
Charity, England
“Very expensive to do it properly.”
Business, Medium, Information and Communication, England
Linking budgets to how cyber secure they felt, some participants emphasised the need for more training rather than more budget. This is because, no matter how much budget they may have, their staff need to be well equipped to protect against things like phishing attacks or impersonation.
“The training one, I think, is probably the biggest one that we would like over the next 12-13 months to improve upon…it doesn’t always matter how much you invest in hardware, kind of firewalls and security products. If end users are confident when they maybe receive a dodgy email, for example, it’s very easy for them to kind of click something that they think is genuine when actually it’s not…”
Charity, England
5.2 Board involvement
Organisations documented their organisational structures with board members, how often cyber security is discussed with board members, how engaged board members are with cyber and how often they are trained in cyber related matters. Businesses in Wave Four were more likely to have one or more board members responsible for cyber security risks than in all three previous waves (61% compared to 50% Wave One, 54% Wave Two, 55% Wave Three). Most businesses that had Cyber Essentials Plus had a cyber board member, higher than those businesses with Cyber Essentials (80% vs 62%).
Figure 5.4: Businesses’ board governance of cyber security
Does your organisation have any of the following?
Wave | % One or more board members whose role includes oversight of cyber security risks | % A designated staff member responsible for cyber security, who reports directly to the board | % None of these |
---|---|---|---|
Wave 1 | 50 | 55 | 30 |
Wave 2 | 54 | 61 [s1] | 25 |
Wave 3 | 55 | 66 | 24 |
Wave 4 | 61 [s1] [s2] | 63 [s1] | 21 |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
Base: All businesses at Wave One (n=1205), Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
Figure 5.4 above shows businesses’ board governance of cyber security. Figure 5.5 below shows charities’ board governance of cyber security.
Figure 5.5: Charities’ board governance of cyber security
Does your organisation have any of the following?
Wave | % One or more board members whose role includes oversight of cyber security risks | % A designated staff member responsible for cyber security, who reports directly to the board | % None of these |
---|---|---|---|
Wave 1 | 40 | 61 | 32 |
Wave 2 | 41 | 60 | 31 |
Wave 3 | 45 | 61 | 29 |
Wave 4 | 51 | 64 | 24 |
No significant changes from previous years or between businesses and charities at 95% significance levels were observed
Base: All charities at Wave One (n=536), Wave Two (n=373), Wave Three (n=310) and at Wave Four (n=548).
In the last few waves, the proportion of organisations with a designated staff member has remained stable (63% of businesses, 64% of charities in Wave Four). For businesses this is higher than in Wave One (55%) but in line with Waves Two and Three (61% and 66%). Organisations that had a designated staff member were more likely to discuss updates with the board monthly or more often (79% of businesses, 87% of charities) than at other frequencies.
Medium-sized businesses were more likely than large businesses to have board-level cyber discussions only 1-2 times a year (24% vs 14%), while large businesses were more likely than medium-sized businesses to discuss cyber security quarterly or more often (62% vs 48%). Wave Four showed that board members were more likely to integrate cyber risk considerations into wider business areas than in the previous three waves (71% in Wave Four vs 60% in Wave Three, 56% in Wave Two and 53% in Wave One).
Figure 5.6: Frequency of board discussion or updates on cyber security
Over the last 12 months, roughly how often, if at all, has your board discussed or received updates on your organisation’s cyber security? Is it …
Frequency | Businesses | Charities |
---|---|---|
Never | 8% | 13%[s2] |
Once a year | 14% | 18% |
Once every 6 months | 9% | 13%[s2] |
Quarterly | 27% | 33%[s2] |
Monthly | 19%[s2] | 5% |
Each time there is a breach or attack | 13% | 12% |
Don’t know | 7% | 6% |
[s2] Significant difference between businesses and charities at 95% significance level
Bases: 674 UK businesses; 548 charities
As mentioned in Chapter Four, more businesses reported board members receiving cyber training several times a year in Wave Four (21%) than in Waves Two and Three (12% and 16%); the question was not asked in Wave One. Businesses were around three times as likely as charities to train board members several times a year (21% vs 7%). Large businesses were more likely than medium businesses to report board members receiving training several times a year (31% vs 19%), while medium businesses were more likely to have no board training at all (25% vs 11% for large businesses).
Figure 5.7: Frequency the board receives cyber security training amongst businesses
On average, how often does the board receive cyber security training?
Wave | % Several times a year | % Around once a year | % Less often than once a year | % Received training once / one-off training | % Board do not receive any cyber security training | % Don’t know |
---|---|---|---|---|---|---|
Wave 2 [Note 1] | 12[s1] | 19[s1] | 4 | 7 | 40 | 18 |
Wave 3 | 16 | 24 | 4 | 5 | 37 | 14 |
Wave 4 | 21[s1][s2] | 32[s1][s2] | 6 | 9[s1] | 23 | 9 |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
[Note 1] Not asked in Wave One
Base: All businesses at Wave Two (n=688), Wave Three (n=542) and at Wave Four (n=674).
Figure 5.7 above shows the frequency with which the board receives cyber security training amongst businesses. Figure 5.8 below shows the same for charities.
Figure 5.8: Frequency the board receives cyber security training amongst charities
On average, how often does the board receive cyber security training?
Wave | % Several times a year | % Around once a year | % Less often than once a year | % Received training once / one-off training | % Board do not receive any cyber security training | % Don’t know |
---|---|---|---|---|---|---|
Wave 2 [Note 1] | 5 | 13 | 7 | 6 | 42 | 26 |
Wave 3 | 4 | 18 | 8 | 7 | 45 | 18 |
Wave 4 | 7 | 22 | 11[s2] | 9 | 40[s2] | 11[s1] |
[s1] Significant change from previous year at 95% significance level
[s2] Significant difference between businesses and charities at 95% significance level
[Note 1] Not asked in Wave One
Base: All charities at Wave Two (n=373), Wave Three (n=310) and at Wave Four (n=548).
From the qualitative findings, board involvement and engagement were mixed. Where the board was involved, this usually concerned sign-off and budget-related matters. Some organisations noted that board involvement was either formal or informal, ranging from a regular standing order to an informal discussion when issues arose. Some participants cited GDPR as a reason for boards discussing cyber security. Some participants found that board members were actively involved in cyber security, attending conferences or talks with cyber security experts.
“And we actually used [the] board away day, where we had a sort of independent cyber security expert come and talk to them in June, and [that] had great buy in and sort of good comments.”
Business, Medium, Professional, Scientific or Technical, England
Overall, the general sentiment favoured training staff rather than board members. This was because staff, particularly new or junior staff, were perceived as a weakness and a threat to cyber security. Participants spoke more freely about overarching board involvement in decisions and budgets than about training for board members themselves. This is of interest because board members can themselves be targeted by phishing or impersonation attacks.
Conclusions
This study provides a comprehensive view of organisations’ cyber security across four waves. The key insights from this 2024 report are as follows:
Impersonation scams and hacking attempts on online bank accounts are on the rise, but incident impact is on the decline. While phishing has consistently remained the most experienced cyber security incident across waves, organisations reported a higher incidence of email impersonation scams than in Wave Three (businesses up from 43% in Wave Three to 56% in Wave Four; charities up from 38% in Wave Three to 46% in Wave Four), and businesses also reported more hacking of online bank accounts (up from 3% in Wave Three to 6% in Wave Four). Despite this, the proportion of organisations stating they experienced an impact from a cyber incident has reduced (businesses down from 54% in Wave Three to 36% in Wave Four; charities down from 55% in Wave Three to 42% in Wave Four). This suggests that organisations are better prepared to deal with these incidents and to prevent negative consequences. Charities were more likely than businesses to state that cyber incidents had impacted the organisation. Overall, cyber security remains a vital issue for UK organisations, as most experienced some kind of cyber security incident in the past twelve months (79% for both businesses and charities).
Despite areas of cyber improvement such as cloud-based solutions, organisations remain vulnerable. There has been a continuous shift towards cloud-based security solutions over the four waves of the study. The increasing adoption of cloud-based data storage solutions highlights the growing preference for flexible and scalable storage options (79% of businesses had cloud-based storage in Wave Four compared to 72% in Wave Three). Despite this, fewer organisations are taking proactive steps to identify and assess cyber security risks overall, potentially leaving them vulnerable to breaches and attacks. For example, organisations (16% of businesses and 15% of charities) stated they took no action to improve their cyber security posture in the past twelve months. Organisations described human error as a major vulnerability, despite general efforts to enhance cyber security awareness and training.
The low priority given to monitoring suppliers’ cyber security practices poses a significant risk to organisational cyber resilience. Organisations described a lack of awareness of supplier cyber security guidance, and a lack of prioritisation compared with internal cyber security practices. For example, only 23% of businesses and 23% of charities have carried out a formal assessment of their suppliers. This suggests that organisations either do not feel particularly responsible for suppliers’ cyber security practices or do not understand the risk suppliers can present, even though suppliers can directly or indirectly affect the organisation’s own cyber security.
Charities and medium-sized businesses experience a diffusion of cyber security responsibility. Outsourcing specific cyber security functions to external partners is common, especially for organisations with limited internal resources. Outsourcing was qualitatively viewed as necessary and helpful, however problems arose when clear responsibilities were not set in place. This highlights the need for accountability to ensure diffusion does not lead to a lack of robust cyber security policies and processes.
We are seeing a modest increase in cyber security budgets and in board involvement in cyber security discussions. More businesses have board members responsible for cyber security risks than in previous waves (61% compared to 50% in Wave One, 54% in Wave Two, and 55% in Wave Three). Large businesses in particular stated they were more likely to increase their cyber security budgets compared to medium businesses or charities (44% large vs 34% medium, 31% charities). This has important implications for cyber security, as board involvement has consistently shown a positive impact on organisations’ cyber security posture.
Final thoughts
This study further explores the evolution of organisations’ cyber security over time. This report highlights both positive and concerning trends in the UK’s cyber security landscape. While organisations are adopting security frameworks and increasing board involvement, the prevalence of cyber incidents and the diffusion of cyber security responsibility remain significant challenges. Addressing these issues through proactive risk assessment, enhanced employee training, and effective leadership will be crucial for building a more resilient cyber security posture in the UK.
Further research waves hold the potential to provide ongoing insights into organisations’ cyber resilience. This is particularly relevant for the longitudinal analysis, which is currently limited by sample size. More complex and detailed analyses require larger samples to support deeper data exploration. A fifth wave would help support a more detailed view of the evolving landscape of organisational cyber resilience.
Glossary
Baseline survey | Also see Wave One survey. The first research year of the survey that took place (2021). |
Cyber security | Cyber security includes any processes, practices or technologies that organisations have in place to secure their networks, computers, programs or the data they hold from damage, attack or unauthorised access. |
Longitudinal Survey | A longitudinal survey is a research design that involves repeated observations of the same variables (e.g., people or businesses) over short or long periods of time. |
Cyber attack | A cyber attack is a malicious and deliberate attempt by an individual or organisation to breach the information system of another individual or organisation. |
Outcome | A negative outcome of an attack involved a material loss from an organisation, such as a loss of money or data. |
Impact | A negative impact on organisations did not have to involve a material loss. This could be issues relating to staff disruption or implementing new measures in the organisation. |
Medium business | Businesses with 50 to 249 employees. |
Large business | Businesses with 250 employees or over. |
Phishing | Fraudulent attempts to extract important information, such as passwords, from staff, typically through a link or attachment sent via email. |
Wave One Survey | Also see Baseline survey. The first research year of the survey that took place (2021). |
Wave Two Survey | The second research year of the survey that took place (2022). |
Wave Three Survey | The third research year of the survey that took place (2023). |
Wave Four Survey | The fourth research year of the survey. This is the current survey year (2024). |
Annex A: Further information
The Department for Science, Innovation and Technology would like to thank Ipsos and Steven Furnell of the University of Nottingham for their work in developing and carrying out the survey and in compiling this report.
This research report is accompanied by a technical report.
The responsible DSIT analyst for this release is Saman Rizvi, and support analyst is Eloise Fritsch. For enquiries on this release, please contact us at cybersurveys@dsit.gov.uk.
For general enquiries contact:
Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG
For media enquiries only (24 hours) please contact the DSIT press office on 020 7211 2210.
This work was carried out in accordance with the requirements of the international quality standard for Market Research, ISO 20252, and with the Ipsos UK Terms and Conditions which can be found at www.ipsos.com/terms.
Annex B: Guide to statistical reliability
The final data from the survey is based on weighted samples, rather than the entire population of UK businesses or charities. Percentage results are therefore subject to margins of error, which vary with the size of the sample and the percentage figure concerned. For example, for a question where 50% of the 674 businesses sampled in the survey give a particular answer, the chances are 95 in 100 that this result would not differ by more than 4.0 percentage points from the true figure, that is, the figure that would have been obtained had the entire UK business population responded to the survey. The margins of error that are assumed to apply in this report are given in the following table.
Margins of error (in percentage points) applicable to percentages at or near these levels
Total | Unweighted base | Effective base | 10% or 90% | 30% or 70% | 50% |
---|---|---|---|---|---|
All business[footnote 8] | 674 | 588 | ±2.4 | ±3.7 | ±4.0 |
Medium business | 456 | 431 | ±2.8 | ±4.3 | ±4.7 |
Large business | 208 | 192 | ±4.3 | ±6.5 | ±7.1 |
Charity | 548 | 548 | ±2.5 | ±3.8 | ±4.2 |
Accreditation | |||||
ISO 27001 | 172 | 154 | ±4.8 | ±7.3 | ±7.9 |
The Cyber Essentials | 256 | 234 | ±3.9 | ±5.9 | ±6.4 |
The Cyber Essentials Plus | 177 | 159 | ±4.7 | ±7.1 | ±7.8 |
Cyber discussions with board | |||||
Never | 116 | 111 | ±5.6 | ±8.6 | ±9.3 |
1-4 times a year | 675 | 637 | ±2.3 | ±3.6 | ±3.9 |
Monthly or more often | 202 | 174 | ±4.5 | ±6.8 | ±7.5 |
Every time there is an attack | 144 | 134 | ±5.1 | ±7.8 | ±8.5 |
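As an added worked example (not part of the report or its technical annex), the following Python reproduces the margins in the table above from the effective bases using the standard 95% interval for a proportion, 1.96 × sqrt(p(1 − p)/n_eff), which matches the table to within 0.1 percentage point (the effective bases shown are rounded). It also applies the same normal approximation as a pooled two-proportion z-test to the wave-on-wave changes in Figures 5.4 and 5.5; that test assumes the unweighted wave bases as an approximation, since the report does not state how its own significance testing treats weighting.

```python
import math

Z_95 = 1.96  # two-sided critical value of the normal distribution at 95%


def margin_of_error(effective_base: int, p: float) -> float:
    """Half-width, in percentage points, of the 95% interval for a
    reported proportion p on a weighted sample with this effective base."""
    return 100.0 * Z_95 * math.sqrt(p * (1.0 - p) / effective_base)


def margin_row(effective_base: int, levels=(0.10, 0.30, 0.50)) -> tuple:
    """One row of the Annex B table: margins at 10%/90%, 30%/70% and 50%."""
    return tuple(round(margin_of_error(effective_base, p), 1) for p in levels)


def design_effect(unweighted_base: int, effective_base: int) -> float:
    """Precision lost to weighting: effective base = unweighted / design effect."""
    return unweighted_base / effective_base


# Effective bases copied from the Annex B table above.
EFFECTIVE_BASES = {
    "All business": 588,
    "Medium business": 431,
    "Large business": 192,
    "Charity": 548,
    "Board discussions: never": 111,
}


def two_proportion_z(p1: float, n1: int, p2: float, n2: int) -> float:
    """Pooled two-proportion z statistic for a change from p1 (base n1)
    to p2 (base n2), the usual test behind a 'significant change' flag."""
    pooled = (p1 * n1 + p2 * n2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    return (p2 - p1) / se


def significant_change(p1: float, n1: int, p2: float, n2: int) -> bool:
    """True when the change clears the 95% threshold used in this report."""
    return abs(two_proportion_z(p1, n1, p2, n2)) > Z_95


if __name__ == "__main__":
    for label, n_eff in EFFECTIVE_BASES.items():
        print(f"{label:26s} n_eff={n_eff:4d}  margins={margin_row(n_eff)}")
    print("All business design effect:", round(design_effect(674, 588), 2))
    # Figure 5.4: businesses with a cyber board member, Wave 3 -> Wave 4,
    # flagged [s1] in the report; unweighted bases 542 and 674 assumed here.
    print("Businesses 55% -> 61%:", significant_change(0.55, 542, 0.61, 674))
    # Figure 5.5: charities, Wave 3 -> Wave 4, not flagged in the report.
    print("Charities 45% -> 51%:", significant_change(0.45, 310, 0.51, 548))
```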
1. Some references to very large businesses (500+ employees) are included where data is of particular interest. Unless stated otherwise, references to large businesses incorporate all businesses with 250+ employees.
2. The survey was set up predominantly as a telephone survey, but using a multimode (telephone and online) approach aims to maximise response rates, and to reduce non-response bias by allowing respondents the choice of whether to complete the survey by telephone or online. Participants with a valid email address were given the option to complete the survey over the phone or online.
3. The quantitative fieldwork dates were 15 July to 25 October 2024.
4. Subgroup differences highlighted are either those that emerge consistently across multiple questions or those that evidence a particular hypothesis (i.e. not every single statistically significant finding has been commented on).
5. Some references to very large businesses (500+ employees) are included where data is of particular interest. Unless stated otherwise, references to large businesses incorporate all businesses with 250+ employees.
6. If organisations had been confirmed as eligible and included when first interviewed in Waves One, Two or Three, but now have fewer than 50 employees (businesses) or an income below £1 million (charities), they are still considered eligible to participate in this wave. This also applied to 9 organisations in Wave Four.
7. https://implementationscience.biomedcentral.com/articles/10.1186/1748-5908-6-42
8. Please note: All businesses include businesses that either have an unknown business size or fewer than 50 employees. These are excluded from the medium and large business unweighted bases.