One in three UK firms suffered phishing attack last year, government study finds

Written by Margaret Taylor on 1 April 2022 in News

Message-based threat is by far the most prevalent form of attack, annual study from DCMS concludes

The proportion of UK businesses that were hit by a cyberattack remained steady at 39% in the past year, with phishing attempts representing by far the biggest threat.

The UK Government’s Cyber Security Breaches Survey, which has been charting the cyber resilience of UK businesses and charities since 2016, found that more significant threats, such as malware or ransomware attacks, were significantly less prevalent than phishing. A fifth of those that suffered an attack claimed to have been exposed to the more serious breaches – compared with 83% that suffered a phishing attack.

This means that about one in three of all UK businesses suffered a phishing attempt last year.

Among those that reported any form of attack, 31% of businesses and 26% of charities estimated that they were attacked at least once a week over the course of the year. About one in five organisations in each sector said they experienced a negative outcome as a direct consequence of an attack.

Department for Digital, Culture, Media and Sport analyst Maddy Ell said UK organisations are now placing greater importance on cybersecurity than in any other year the survey has been carried out.

“In the qualitative interviews it was found that this was driven by a good high-level understanding at the senior level of the risks cyberattacks pose,” she said. “This, coupled with the use of board sponsors and cyber security experts enabled organisations to practice good cyber hygiene.”

However, she added that gaps remain, with fewer than one in five organisations having a formal incident management plan in place to deal with a breach.

There is a lack of technical expertise within smaller organisations and at the senior level within larger organisations and there is also a lack of “commercial narrative to effectively negotiate a cyber security budget against other competing organisational priorities”, she said.

“The findings from this year’s survey demonstrate that there is room for improvement in many elements of organisations’ cyber hygiene,” Ell added. “It is clear that cyber resilience is highly influenced by board behaviours. Though the high-level prioritisation of cyber security amongst boards is high, this does not translate into high expertise. Furthermore, cyber and IT staff are unable to justify the business case for cyber security, which impacts ability to make effective cyber security decisions.

“This means investments are often not made into key areas that enhance organisations’ cyber security. This leads to a reactive approach to cyber incidents as opposed to a proactive approach in limiting cyber risk. This is an area we will closely monitor in future years of the survey.”

Earlier this month, Scottish Government justice secretary Keith Brown revealed that the number of crimes reported across the country rose sharply in the year to April 2021, with a total of 403 recorded by Police Scotland, up from 57 the previous year. In 1999-00 there was just one recorded case, with the total remaining below 100 in each year between then and 2020-21.

Of the total in the 2020-21 financial year, 331 incidents fell under sections one and two of the Computer Misuse Act, meaning they were the result of perpetrators gaining unauthorised access to someone else’s computer. The remaining 72 incidents fell under section three of the act, meaning whoever accessed the computers had attempted to make modifications to them.


About the author

Margaret Taylor is a journalist at PublicTechnology sister publication Holyrood, where a version of this story first appeared. She tweets as @MagsTaylorish.
