Contents
Summary 3
Chapter 1: Introduction 6
1.1. Code of practice for statistics 6
1.2. Background 6
1.3. Methodology 6
1.4. Changes since the 2019 survey 7
1.5. Interpretation of findings 7
1.6. Acknowledgements 8
Chapter 2: Profiling UK businesses and charities 9
2.1. The digital footprint of different organisations 9
2.2. Use of industrial control systems 10
2.3. Use of personal devices 10
Chapter 3: Awareness and attitudes 12
3.1. Perceived importance of cyber security 12
3.2. Involvement of senior management 13
3.3. Drivers of attitudinal and behaviour change 15
3.4. Sources of information 16
Chapter 4: Approaches to cyber security 21
4.1. Identifying, managing and minimising cyber risks 21
4.2. Insurance against cyber security breaches 26
4.3. Technical cyber security controls 28
4.4. Staffing and outsourcing 30
4.5. Cyber security policies and other documentation 32
4.6. Implementing government initiatives 34
Chapter 5: Incidence and impact of breaches or attacks 37
5.1. Experience of breaches or attacks 37
5.2. The breaches and attacks considered most disruptive 39
5.3. Frequency of breaches or attacks 40
5.4. How are businesses affected? 41
5.5. Financial cost of breaches or attacks 45
Chapter 6: Dealing with breaches or attacks 49
6.1. Identifying and responding to breaches or attacks 49
6.2. Reporting breaches or attacks 50
6.3. Actions taken to prevent future breaches or attacks 52
Chapter 7: Conclusions 54
Annex A: Further information 55
Annex B: Guide to statistical reliability 56
Table 4.1. Percentage of organisations undertaking action in each of the 10 Steps areas 35
Table 5.1. Average cost of all breaches or attacks identified in the last 12 months 45
Table 5.2. Average direct cost of the most disruptive breach or attack from the last 12 months 46
Table 5.3. Average recovery cost of the most disruptive breach or attack from the last 12 months 46
Table 5.4. Average estimated long-term cost of the most disruptive breach or attack from the last 12 months 47
Figure 2.1. Percentage that currently have or use the following digital services or processes 9
Figure 2.2. Percentage that have any staff using personally owned devices to carry out regular work-related activities 10
Figure 3.1. Extent to which cyber security is seen as a high or low priority for directors, trustees and other senior managers 12
Figure 3.2. Percentage of organisations over time where cyber security is seen as a high priority for directors, trustees and other senior managers 13
Figure 3.3. How often directors, trustees or other senior managers are given an update on any actions taken around cyber security 14
Figure 3.4. Percentage of organisations over time that never update senior managers on any actions taken around cyber security 15
Figure 3.5. Proportion of organisations that have sought external information or guidance in the last 12 months on the cyber security threats faced by their organisation 16
Figure 3.6. Percentage of organisations aware of the following government initiatives, guidance or communication campaigns 19
Figure 4.1. Percentage of organisations that have carried out the following activities to identify cyber security risks in the last 12 months 22
Figure 4.2. Percentage of organisations that have carried out work to formally review the potential cyber security risks presented by the following groups of suppliers 24
Figure 4.3. Percentage of organisations that have the following types of insurance against cyber security risks 26
Figure 4.4. Percentage of organisations that have the following coverage through cyber insurance policies, among those that have any form of cyber insurance 27
Figure 4.5. Percentage of organisations that have the following rules or controls in place 29
Figure 4.6. Percentage of organisations with staff whose job role includes information security or governance 30
Figure 4.7. Percentage of organisations with board members or trustees that have responsibility for cyber security 30
Figure 4.8. Percentage of organisations over time with board members or trustees with responsibility for cyber security 31
Figure 4.9. Percentage of organisations that have an external cyber security provider 31
Figure 4.10. Percentage of organisations that have the following kinds of documentation 32
Figure 4.11. When organisations last created, updated or reviewed their cyber security policies or documentation, among those that have policies 33
Figure 4.12. Percentage of organisations that have each of the following features in their cyber security policies, among those that have policies 33
Figure 4.13. Percentage of organisations that have undertaken action in half or all the 10 Steps guidance areas 36
Figure 5.1. Percentage of organisations that have identified breaches or attacks in the last 12 months 37
Figure 5.2. Percentage that have identified the following types of breaches or attacks in the last 12 months, among the organisations that have identified any breaches or attacks 38
Figure 5.3. Percentage that identify the following types of breaches or attacks as their most disruptive one, among the organisations that have identified breaches or attacks in the last 12 months 40
Figure 5.4. How often organisations have experienced breaches or attacks in the last 12 months 40
Figure 5.5. Percentage that had any of the following outcomes, among the organisations that have identified breaches or attacks in the last 12 months 42
Figure 5.6. Percentage that were impacted in any of the following ways, among the organisations that have identified breaches or attacks in the last 12 months 43
Figure 5.7. How long it took organisations to restore operations back to normal after their most disruptive breach or attack was identified 44
Figure 5.8. Percentage of businesses over time that have been affected by breaches or attacks in the following ways, among those that have identified any breaches or attacks in the last 12 months 44
Figure 5.9. Changes over time in average (mean) costs for the most disruptive breaches with material outcomes 48
Figure 6.1. Percentage of organisations that identified their most disruptive breach or attack in the last 12 months in the following ways 49
Figure 6.2. Percentage of organisations that take the following actions, or have these measures in place, for when they experience a cyber security incident 50
Figure 6.3. Percentage of organisations that report their most disruptive breach or attack of the last 12 months, excluding those that only report to their outsourced cyber security provider 51
Figure 6.4. Percentage of organisations that have done any of the following since their most disruptive breach or attack of the last 12 months 53
Figure 6.5. Percentage of organisations that have done any of the following since their most disruptive breach or attack of the last 12 months, in cases where breaches had material outcomes 53