Half of UK Firms, Charities Failed to Report Cyber Incidents
Survey: SMBs, Charities Mostly Targeted With Phishing, Online Impersonation in 2023

Cybercriminals launched 7.78 million attacks against U.K. businesses and nearly 1 million against charity organizations, according to the latest U.K. government survey report. But fewer than half of those firms reported the incidents to authorities, something researchers say is a concerning trend.
The Cyber Security Breaches Survey 2024 report by the Department of Science, Innovation and Technology was released Tuesday. The survey asked 2,000 businesses and 1,004 charities about incident reporting, and the report says that "many of these cases simply involve organizations reporting breaches to their external cybersecurity or IT providers and no one else."
Nicholas Ryder, professor of law at Cardiff University, said many organizations are unwilling to report cyber incidents because they fear hefty fines from regulatory agencies as well as the reputational damage that comes with disclosure.
The U.K. Information Commissioner's Office requires businesses and other organizations to report a cyber incident within 72 hours, but the reporting obligations depend on the severity of the attack on the targeted systems and the number of affected customers.
Since attacks on small organizations and charities tend to be less severe, reporting is voluntary, which allows some victim organizations to avoid adequate regulatory scrutiny, said Ryder, who also serves as the special adviser for the U.K. Parliament's Home Affairs Select Committee's investigation into fraud.
For any organization, not having an incident response plan is a "red flag," regardless of the scale of the attack, said Ryan McConechy, CTO of Glasgow-based Barrier Networks. Organizations that rely on an attack mitigation strategy that is "informal" and shows "loose understanding" typically end up "wasting time and suffering more serious attacks," he said.
McConechy said smaller organizations that struggle with cybersecurity should use the National Cyber Security Centre's guidance as a starting point to improve their defenses.
Since guidance tends to be voluntary in nature, firms are not forced to follow it, Ryder said. One way to address that problem is by making reporting mandatory for cyberattacks and cyber fraud, he said.
Small to Midsized Businesses at Risk
According to the survey, most of the attacks targeted small to midsized organizations and lacked sophistication. They mostly involved phishing schemes and online impersonation. While the NCSC earlier warned about a potential increase in ransomware attacks targeting British charities, the report says that only 3% of the surveyed organizations were targeted by ransomware.
Many of the organizations surveyed reported a lack of resources and cybersecurity expertise. The survey asked respondents about their awareness of NCSC guidance such as 10 Steps to Cyber Security, which is designed to help organizations tackle cyber risks. Many did not follow the complete recommendations and placed lower priority on areas such as supply chain risk management, regularly holding staff training, and patching vulnerabilities.