Contents
Summary 3
Chapter 1: Introduction 6
1.1. Code of practice for statistics 6
1.2. Background 6
1.3. Methodology 6
1.4. Changes since the 2020 survey 7
1.5. Interpretation of findings 7
1.6. Acknowledgements 8
Chapter 2: Profiling UK businesses and charities 9
2.1. The digital footprint of different organisations 9
2.2. Use of industrial control systems 10
2.3. Use of personal devices 11
2.4. Older versions of Windows 11
Chapter 3: Awareness and attitudes 13
3.1. Perceived importance of cyber security 13
3.2. Involvement of senior management 15
3.3. Sources of information 18
3.4. Cyber security priorities and drivers of change 22
Chapter 4: Approaches to cyber security 24
4.1. Identifying, managing and minimising cyber risks 24
4.2. Insurance against cyber security breaches 29
4.3. Technical cyber security controls 31
4.4. Staff training and awareness raising 33
4.5. Responsibility for cyber security 34
4.6. Outsourcing of cyber security functions 34
4.7. Cyber security policies and other documentation 35
4.8. Cyber accreditations and government initiatives 37
4.9. Dealing with COVID-19 41
Chapter 5: Incidence and impact of breaches or attacks 44
5.1. Identified breaches or attacks 44
5.2. The breaches and attacks considered most disruptive 47
5.3. Frequency of breaches or attacks 48
5.4. How are businesses affected? 49
5.5. Financial cost of breaches or attacks 53
Chapter 6: Dealing with breaches or attacks 58
6.1. Incident response 58
6.2. Reporting breaches or attacks 59
6.3. Actions taken to prevent future breaches or attacks 60
Chapter 7: Conclusions 62
Annex A: Further information 64
Annex B: Guide to statistical reliability 65
Table 4.1. Percentage of organisations undertaking action in each of the 10 Steps areas 39
Table 5.1. Average cost of all breaches or attacks identified in the last 12 months 54
Table 5.2. Average short-term direct cost of most disruptive breach or attack from the last 12 months 55
Table 5.3. Average long-term direct cost of most disruptive breach or attack from the last 12 months 55
Table 5.4. Average staff time cost of the most disruptive breach or attack from the last 12 months 56
Table 5.5. Average indirect cost of the most disruptive breach or attack from the last 12 months 56
Figure 2.1. Percentage that currently have or use the following digital services or processes 9
Figure 2.2. Percentage that have any staff using personally owned devices to carry out regular work-related activities 11
Figure 2.3. Percentage of organisations that have older versions of Windows installed 12
Figure 3.1. Extent to which cyber security is seen as a high or low priority for directors, trustees and other senior managers 13
Figure 3.2. Percentage of organisations over time where cyber security is seen as a high priority for directors, trustees and other senior managers 15
Figure 3.3. How often directors, trustees or other senior managers are given an update on any actions taken around cyber security 16
Figure 3.4. Percentage of organisations with board members or trustees that have responsibility for cyber security 17
Figure 3.5. Percentage of organisations over time that never update senior managers on any actions taken around cyber security 17
Figure 3.6. Percentage of organisations over time with board members or trustees with responsibility for cyber security 18
Figure 3.7. Proportion of organisations that have sought external information or guidance in the last 12 months on the cyber security threats faced by their organisation 19
Figure 3.8. Percentage of organisations aware of the following government guidance, initiatives or communication campaigns 20
Figure 4.1. Percentage of organisations that have carried out the following activities to identify cyber security risks in the last 12 months 25
Figure 4.2. Percentage of organisations that have carried out work to formally review the potential cyber security risks presented by the following groups of suppliers 27
Figure 4.3. Barriers to businesses undertaking formal review of supplier or supply chain risks 28
Figure 4.4. Percentage of organisations that have the following types of insurance against cyber security risks 30
Figure 4.5. Percentage of organisations that have the following rules or controls in place 32
Figure 4.6. Percentage of organisations that have had training or awareness raising sessions on cyber security in the last 12 months 34
Figure 4.7. Percentage of organisations that have an external cyber security provider 35
Figure 4.8. Percentage of organisations that have the following kinds of documentation 36
Figure 4.9. When organisations last created, updated or reviewed their cyber security policies or documentation 36
Figure 4.10. Percentage of organisations that have each of the following features in their cyber security policies 37
Figure 4.11. Percentage of organisations adhering to various cyber security standards or accreditations 39
Figure 4.12. Percentage of organisations that have undertaken action in half or all the 10 Steps guidance areas 40
Figure 5.1. Percentage of organisations that have identified breaches or attacks in the last 12 months 44
Figure 5.2. Percentage that have identified the following types of breaches or attacks in the last 12 months, among the organisations that have identified any breaches or attacks 45
Figure 5.3. Percentage of organisations over time identifying any breaches or attacks 46
Figure 5.4. Percentage that report the following types of breaches or attacks as the most disruptive, excluding the organisations that have only identified phishing attacks in the last 12 months 48
Figure 5.5. How often organisations have reported breaches or attacks in the last 12 months 48
Figure 5.6. Percentage that had any of the following outcomes, among the organisations that have identified breaches or attacks in the last 12 months 50
Figure 5.7. Percentage that were impacted in any of the following ways, among the organisations that have identified breaches or attacks in the last 12 months 51
Figure 5.8. How long it took organisations to restore operations back to normal after their most disruptive breach or attack was identified 52
Figure 5.9. Percentage of businesses over time that have been affected by breaches or attacks in the following ways, among those that have identified any breaches or attacks in the last 12 months 53
Figure 6.1. Percentage of organisations that take the following actions, or have these measures in place, for when they experience a cyber security incident 58
Figure 6.2. Percentage of organisations that report their most disruptive breach or attack of the last 12 months, excluding those that only report to their outsourced cyber security provider 60
Figure 6.3. Percentage of organisations that have done any of the following since their most disruptive breach or attack of the last 12 months 60
Figure 6.4. Percentage of organisations that have done any of the following since their most disruptive breach or attack of the last 12 months, in cases where breaches had material outcomes 61