In response to 2023’s Government Cyber Breaches Survey, Tom Kidwell, a former British Army and UK Government intelligence specialist, and co-founder of Ecliptic Dynamics, shares his views on the findings, and what they mean for organisations across every sector, as well as what more can be done to improve cyber maturity in the United Kingdom.
“Looking at the figures released today, I’m unsurprised to see a downward shift from last year’s findings. Phishing retains its title as the top attack vector, and in terms of preparedness, response, and investment in cybersecurity on an organisational level, the numbers haven’t changed very much at all, except for smaller businesses, who are identifying attacks and implementing good cyber hygiene practices less. This is likely due to the current economic climate in the UK, and because many businesses still operate with the ‘it probably won’t happen to me’ mindset, and although in the past you might have got lucky, now it’s not a case of ‘if’ but ‘when’ you get targeted.”
Cybersecurity industry
“In terms of the number of businesses that have been attacked, the number has fallen to 32%. However, as the survey itself highlights, underreporting is a huge issue identified by the cybersecurity industry, meaning this number could be far higher in reality. Underreporting is so rife because for any organisation, especially those which handle sensitive information, admitting that you’ve been breached can have catastrophic effects. Trust in your brand can be wiped away instantly and have long-reaching impacts for stakeholders, which is why so many affected organisations don’t report attacks when they happen.”
“And it’s not always deliberately underreported. Lots of businesses simply don’t know they’ve been breached. If people see some strange activity on their email account, they might think ‘oh, someone’s hacked into my email’, and just change their password. But, in reality their entire network may be compromised, leaving all of their data vulnerable. Small issues are often the tip of the iceberg.”
“We predict phishing will continue to rise with the evolution and adoption of tools such as AI by threat actors.”
Government’s Cyber Breaches Survey
“The reason phishing is such a popular attack vector is that it is low cost and low skill, meaning malicious threat actors can operate on a spray-and-pray approach, hitting as many businesses as they can and waiting to see if any users take the bait. But I believe many vectors are overlooked in studies such as the Government’s Cyber Breaches Survey because they simply aren’t seen by the user. Infrastructure attacks such as malicious login attempts are extremely common, and in my experience often more common than user-based attacks like phishing.”
“The reason for the skewing of the data towards user attacks may be because IT professionals see attempted infrastructure attacks and hostile scanning every day and view it as a normal part of their work, whereas a user who is targeted by a malicious email that’s been made to look like it’s from their boss, for example, is much more likely to report and remember that attack.”
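The point above is that failed logins and scanning are so routine that they blend into background noise and never get counted as incidents. One way to make that noise measurable is to run a simple sliding-window detector over authentication logs. The following is an added example written for this page; it is not code from the article, the survey, or Ecliptic Dynamics. It assumes SSH-style `sshd` log lines, and the log excerpt it parses is constructed for the example, using documentation-reserved IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd-style auth log lines (not taken from any real system).
SAMPLE_LOG = """\
Apr 19 08:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Apr 19 08:01:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Apr 19 08:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Apr 19 08:01:06 web01 sshd[2204]: Failed password for invalid user test from 203.0.113.5 port 51031 ssh2
Apr 19 08:01:08 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51040 ssh2
Apr 19 08:02:10 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Apr 19 08:03:15 web01 sshd[2212]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Apr 19 08:03:20 web01 sshd[2212]: Accepted password for alice from 198.51.100.9 port 40210 ssh2
"""

# Matches the standard sshd "Failed password" line; the "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failed_logins(log_text, year=2023):
    """Yield (timestamp, username, source_ip) for every failed-login line.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2023 here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any `window_seconds` window.

    Returns {ip: (failures_in_busiest_window, distinct_usernames_tried)}.
    A single user mistyping a password once (as 198.51.100.9 does above) is not flagged;
    one source cycling through several accounts in a few seconds is.
    """
    events = defaultdict(list)
    for ts, user, ip in parse_failed_logins(log_text):
        events[ip].append((ts, user))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in evs[start:end + 1]}
                if best is None or count > best[0]:
                    best = (count, len(users))
        if best is not None:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, {users} distinct usernames tried")
```

Run on the sample, the detector reports the one source that tried four different accounts in six seconds and stays quiet about the legitimate user who got their password right on the second attempt. Counting these events per day, rather than treating them as expected noise, is what turns "we see scanning all the time" into a figure that can sit alongside the phishing numbers a survey like this one collects.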
Constant juggling act
“Ultimately, even if these figures change slightly, the underlying trends will remain much the same in the coming years. The mindset of many organisations is still not aligned with the threats posed by malicious groups, with companies not adequately protecting themselves, and with the cost of cybersecurity continuing to rise, it’s a constant juggling act between risk and affordability for businesses.”
“Think about a local bakery, for example: even if they do suffer a breach, are they likely to invest tens of thousands of pounds into state-of-the-art cybersecurity solutions? What’s important is reacting proportionately to the risk. For most businesses the bottom line is what drives them forward, and although good cybersecurity posture is crucial, many won’t see the value until something does go wrong.”