Reflections on the 2021 Cyber Security Breaches Survey

The UK Government recently published the latest edition of its Cyber Security Breaches Survey, which found that despite increased awareness about cybercrime and data security, a huge proportion of businesses and charities are still falling victim.

The annual survey, which was first published in 2016, examines the actions organisations are taking on cybersecurity and the costs and impacts of cyber breaches and attacks.

This year’s survey warned that the cyber risk to organisations against the current backdrop of a global pandemic is heightened. This has made it more challenging for organisations to secure their digital environments, with organisational resources being diverted to facilitate home working for staff.

As always, the survey provided a useful picture of the current cybersecurity issues facing businesses, charities and public sector organisations in the UK. It also asked more questions than it answered.

Here are our thoughts on the 2021 Cyber Security Breaches Survey…

What did the 2021 Cyber Security Breaches Survey say?

Overall, the most surprising aspect of the 2021 Cyber Security Breaches Survey was that cybersecurity breaches continue to pose a severe threat to all types of organisations and charities. Despite increased awareness, advances in technology and intervention from government and law enforcement agencies, the threat of cyberattack remains ever-present.

Nearly half (47%) of the organisations surveyed said they had staff using personal devices for work, with only 18% having a cybersecurity policy to govern their use. And less than a quarter (23%) of businesses had cybersecurity policies that cover home working.

The report found that in the past 12 months, two in five businesses (39%) and a quarter of charities (26%) reported suffering a cyber breach or attack.

Its data also showed that fewer businesses took recommended cybersecurity measures to protect their networks and data in the same timeframe.

The report stated that fewer businesses (35%) used monitoring tools to identify abnormal activity indicating a breach compared to the 2020 figure of 40%.

This would suggest that organisations are less aware of the latest threats and attacks, which include phishing emails, online impersonation, viruses and other malware.

It also found that, on average, a breach that resulted in the loss of data or assets cost SME businesses and charities £8,460, rising to £13,400 for medium and large businesses.

However, despite the challenges brought about by the coronavirus pandemic, the report found that cybersecurity remains high on the agenda for organisations, with 77% saying it is a priority, up from 65% in the inaugural report in 2016.

Our thoughts on the 2021 Cyber Security Survey

As we said in our recent blog about the importance of digital skills in the workplace, cybercrime is increasing year on year and affects smaller organisations just as much as larger ones.

To combat these risks, it’s vital that all your staff receive Cyber Awareness Training, while your ICT team needs to understand and manage your organisation’s cybersecurity.

In the current climate, with more people working remotely, it’s vital that organisations put the right measures in place to protect their systems, networks and data from cyberattack.

It was quite shocking to see that 37% of micro firms have experienced breaches or cyberattacks in the past 12 months, which shows that even small businesses or sole traders can be targets.

While data wasn’t provided for charities, we’d imagine that larger charities with £1m+ turnovers would be similarly high-value targets in the same way larger commercial organisations are.

This illustrates how important it is for businesses of all sizes, especially local traders and high street shops, to ensure that they have at least a basic level of protection in place.

It is, however, encouraging that the report found that accreditations such as Cyber Essentials and Cyber Essentials Plus are becoming vital criteria for contractual purposes, with an increasing number of public sector organisations insisting their contractors hold these accreditations.

The whole point of the Cyber Essentials scheme is to provide a basic cybersecurity standard for business.

It provides organisations with the tools they need to protect their data, networks and digital assets from cyberattack. It also provides validation that the companies which hold it are taking all necessary steps to protect themselves and keep their data safe.

The report also clearly shows the challenges raised by the pandemic, which has made it harder for organisations to identify security breaches or attacks and left them less aware of the latest emerging threats. This has been exacerbated by the increase in home or remote working, which has made it harder for organisations to monitor their networks and devices and know if staff are following their policies and processes.

It has also made upgrading or updating hardware, software and systems more difficult. And with more staff working from home, running updates has become more difficult due to the presence of VPNs and potentially more devices to consider per user.

The immediate focus on enabling homeworking and service continuity at the start of the pandemic created a backlog of cybersecurity tasks and projects in some organisations. This left some ICT teams facing competing priorities and having to choose between service continuity and maintenance work, meaning that many routine cybersecurity tasks, such as patching software, were delayed or ignored altogether.

Project work around cybersecurity may also have been delayed by the need to enable users to work remotely. At the same time, the requirement to rapidly enable large numbers of users to work remotely may have introduced risks that organisations may either not be aware of or may have pragmatically accepted as an emergency measure.

However, with many organisations now looking to adopt more blended or flexible working practices as lockdown starts to wind down, their users may be less receptive to cybersecurity approaches requiring user activity to be locked down.

As always, there is a balance to strike between ease of use and security. If there is a trend of users being less willing to be inconvenienced by security, then ICT security functions will need to step up with solutions that work out of the box and detect anomalous behaviour more readily.

This will help them pick up problems quickly, rather than having to secure by locking down devices, which can disrupt staff’s day-to-day activities and your usual service delivery.

How AMDH Services can help your organisation improve its cybersecurity

If you’re concerned that your organisation’s cybersecurity may have taken a backseat over the past 12 months or have any concerns about lockdown easing and more staff returning to the workplace, AMDH can help.

We can help you identify any potential threats and vulnerabilities that have emerged over the past 12 months, understand the impact they can have, then find the best way to address them.

You may not possess the knowledge or expertise in-house to do this effectively.

We can provide you with an objective view of your organisation and the risks it faces, along with the technical leadership required to develop and implement an enhanced security strategy to address any concerns you might have.

We have a wealth of experience in developing and implementing data protection strategies and solutions. We can help your organisation identify and mitigate your risks and recommend the technologies and security options that will deliver the best return on investment.

We can also provide you with the right technical expertise to enhance the overall value of your investment in cybersecurity technology. To find out how we can help, get in touch today.


If you enjoyed this blog and want to learn more about how we can help your organisation improve its cybersecurity, give us a call on 01332 322588. And if you would like to stay up to date with the latest news, views and insight on everything going on in the ICT and technology sector, subscribe to our FREE email newsletter.
