53% of UK organizations experienced ransomware attacks
According to the Sophos State of Ransomware report 2022 survey of 5,600 IT professionals, a global average of 66% of organizations experienced ransomware attacks in 2022, up from 37% a year earlier. The main reason for the rise is the growth in ransomware-as-a-service, which has encouraged more criminals to try their hand at ransomware. In this context, the UK figure of 53% looks good, and indeed it was one of the lowest across the 31 countries surveyed. The equivalent figure for Australia was 80%, for Poland 77%, and for Israel 65%. The cost of recovering from a successful attack fell significantly in 2021 but was still $1.08 million per incident.
81% of UK organizations suffered some form of cyberattack in 2021
The CyberEdge Group’s 2022 Cyberthreat Defense Report found that eight in ten UK organizations suffered a cyberattack of some form in 2021, again a relatively good performance by international standards. Around the same number, 83%, believed that a cyberattack was “more likely than not” to occur in the coming 12 months. The share of UK organizations experiencing a web or mobile attack was 88%.
Lack of skills no nearer being solved
The issue that stood out in CyberEdge’s report as the most significant worry in the UK and elsewhere was the difficulty in finding staff with the right cybersecurity skills, which was rated 3.74/5, followed by a lack of security awareness among employees, with a rating of 3.72/5. Poor integration between security products was a close third with a rating of 3.66/5. Interestingly, lack of budget came in last place in the ten concerns covered, but even this was rated 3.55/5 as a concern.
42% of organizations have cyber-insurance cover
While the Sophos report found that only four in ten have comprehensive cyber-insurance, 35% of respondents had cyber-insurance but with some policy exclusions. The global rate at which insurance paid out was a steady 98%. This broke down to clean-up costs being paid in 77% of cases, ransoms paid out in 40% of cases, and 27% for additional fees.
Cyberattacks don’t always lead to change
According to the UK Office of National Statistics (ONS) annual Cyber Security Breaches Survey for 2022, UK organizations that suffered a breach in the previous 12 months were still slow to change their cybersecurity policies. Only 15% adopted new security software or changed a firewall rule, while only 8% reported adopting multi-factor authentication to secure password access. Overall, 17% took no action at all.
Managed services boom but cybersecurity taken on trust
The ONS survey found that four in ten businesses now use a managed service provider (MSP), rising to seven in ten for enterprises. However, in most cases this was to use hosted email or cloud services rather than cybersecurity. This underlines the tendency for MSP services to be taken on trust. “Instead, they assumed that the providers would have excellent cyber security, far better than their own because they were often multinational technology companies,” said the ONS.
UK cyberattacks are decreasing, or are they?
On a positive note, the ONS survey notes a gradual decline in the number of reported cyberattacks since the survey began in 2017, from 46% that year to 39% in 2022. However, they note that because some organizations have invested in a way that increases the detection rate, it’s likely that the laggards are not detecting all attacks. The decrease might simply reflect that some organizations are spending and detecting more attacks, while others continue to under-invest.
Risky legacy Windows is still common
The ONS found that 16% of UK businesses continue to run old versions of Windows, defined as those that are end of life or not supported. The number of severe and unpatched vulnerabilities leaves those organizations at a much higher risk of compromise than if they’d upgraded. Why don’t they upgrade? Usually, they are running hard-to-replace applications that depend on the older version of Windows. Some sectors lag more than others, with utilities and larger organizations notable holdouts at 26% and 23%.