2024 UK Cyber Security Guide

Cyber Attacks in the UK

In 2024, half of businesses (50%) in the UK and around a third of charities (32%) reported having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).

Phishing was by far the most common type of breach or attack in 2024, with 84% of businesses and 83% of charities reporting experiencing this type of attack. This is followed, to a much lesser extent, by others impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).

Ransomware & DoS Attacks

In contrast to the U.S. and other regions, ransomware and denial of service attacks are the least reported cyber crimes (2% or less) among UK businesses and charities. Excluding phishing, 3% of businesses and 2% of charities experienced non-phishing cyber crimes in the past year.

Members of the Counter Ransomware Initiative, including the UK, strongly discourage paying ransoms, and institutions under UK national authority should not pay ransomware extortion demands. The NCSC and Information Commissioner’s Office also do not endorse ransom payments, though it is not illegal.

7.8 Million Cyber Crimes

It is estimated that UK businesses have experienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes in the last 12 months. For UK charities, the estimate is approximately 924,000 cyber crimes of all types in the last 12 months. It should be noted that these estimates of scale may have a relative margin of error.

Of the businesses that experienced cyber attacks, 13% reported that at least one had resulted in a direct negative impact such as loss of money or data. 32% of large businesses reported a direct negative impact. 24% of business reported indirect costs, such as lost staff time.

A 2024 survey estimated that the mean total cost of the single most disruptive attack was £4,590 for small and micro businesses and £40,400 for medium and large business. These are a total of direct and indirect costs.

Cyber Preparation & Risk Assessment

61% of medium and 72% of large companies reported undertaking a cybersecurity risk assessment last year. Similarly, 63% of medium and 72% of large businesses deployed security monitoring tools in the past year.

Overall, only one-third of businesses undertook a cybersecurity risk assessment in 2023, while a mere 33% deployed security monitoring tools.

Organisations carrying out activities to identify risks in the last 12 months

These actions are more common in larger organisations:

• Over 8 in 10 or 83% of medium businesses, 9 in 10 or 92% of large businesses, and 8 in 10 or 86% of high-income charities have performed at least one listed activity.
• 63% of medium businesses and 71% of large businesses use security monitoring tools.
• 72% of large businesses conduct cyber security-related risk assessments.

Investing in threat intelligence is the least common with 4 in 10 or 42% of large businesses doing so, while other activities are carried out by 60-70% of large businesses.

Audits & Findings

The way that UK businesses undertake audits continues to be strongly linked to size. Let’s take a look at how small businesses compare to large and whether these audits are conducted internally or with the support of external providers.

Among the 17% of businesses that undertake cyber security vulnerability audits, a third undertake internal audits (31%), a slightly larger proportion only conduct external audits (41%) and a fifth (21%) carry out both.

Supply Chain Risk

In 2024, the UK supply chain faces heightened cybersecurity risks from sophisticated attacks on software dependencies and third-party services. The Cyber Security Breaches Survey 2024 reveals that half of businesses and a third of charities have experienced breaches, with phishing being the most common. The UK Cyber Security Trends Report calls for Zero Trust Architecture, AI/ML defenses, and quantum-resistant cryptography. Supply chain attacks are expected to rise due to growing complexity and stealthier threats. The National Cyber Security Centre has issued new guidance to strengthen supply chain defenses, highlighting the need for continuous cybersecurity improvements.

Organisations Conducting Review of Potential Supplier Risks

Just over 1 in 10 UK businesses review the dangers posted by their immediate suppliers (11% vs. 9% of charities), while more medium companies (28%) and large businesses (48%) review immediate supplier risks.

Top 4 Supply Chain Security Threats 2024

Third-Party Vendor Risks:

3rd party vendors often introduce data security risks to organisations. This is often due to poor security practices stemming from a weak security strategy and vendors not taking cybersecurity seriously.

Digital Risks:

Digital risks are an unavoidable by-product of digital transformation – the more digital solutions within the ecosystem, the more potential network gateways cybercriminals have. The exposures could be due to software vulnerabilities, such as zero-day exploits or overlooked configuration errors.

Supplier Fraud:

Supplier fraud, or vendor fraud, is when a cybercriminal claims to be a known retailer requesting a change to payment processes. These events are difficult to identify as fraudsters commonly adopt advanced social engineering techniques, including AI-generated voicemails, phishing attacks, and Deepfake video recordings.

Data Protection:

Data integrity throughout the supply chain is a significant area of security concern. Security measures should ensure all data states are secure, including at rest and in motion. Data encryption practices are especially important between third-party integrations because hackers know that a target’s third-party vendor likely has access to their sensitive data.

Incident Response

Incident Management: In 2023, reports of cyber attacks into the NCSC increased but the volumes that reached the threshold of national significance remained broadly stable. There were, however, more incidents at the top end of the scale, reflecting more high-level and damaging incidents against the UK.

There was a 64% increase from 1,226 reported incidents to 2,005 reports with 371 or almost one-quarter deemed serious. Of these, 16% were significant with some of the most severe due to the sustained disruption the incident caused to critical infrastructure via supply chains.

While a large majority of organisations say that they will take several actions following a cyber incident, in reality a minority have agreed processes already in place to support this. These 2024 findings are consistent with previous years.

The most common processes, mentioned by around a third of businesses and charities, are having specific roles and responsibilities assigned to individuals, having guidance on external reporting, and guidance on internal reporting.

External reporting of breaches remains uncommon. Among those identifying breaches or attacks, 34% of businesses and 37% of charities reported their most disruptive breaches outside their organisation. Many of these cases simply involve organisations reporting breaches to their external cyber security or IT providers and no one else.

Only 22% of UK Businesses Have IR Plans

Formal incident response plans are not widespread (22% of businesses and 19% of charities have them). This rises to 55% of medium-sized businesses, 73% of large businesses and 50% of high-income charities.

Board Engagement & Corporate Governance

Board engagement and corporate governance approaches toward cybersecurity tend to be more sophisticated in larger organisations with levels of activity remaining stable compared with 2023, according to NCSC.

Three quarters of businesses (75%) and more than 6 in 10 charities (63%) report that cyber security is a high priority for the senior management. This proportion is higher among larger businesses (93% of medium businesses and 98% of large businesses, vs. 75% overall). The same is true for high-income charities (93% of those with income of £500,000 or more, vs. 63% overall).

Despite economic conditions, many organisations have continued to invest either the same amount or more in cyber security over the last 12 months. Three in ten businesses and charities (both 30%) have board members or trustees explicitly responsible for cyber security as part of their job role – rising to 51% of medium businesses and 63% of large businesses. There has been no change in the overall figures since 2023.

22% of medium businesses and 33% of large businesses have heard of the NCSC’s Board Toolkit rising from 11% and 22% respectively in 2020 (when it was introduced).

NCSC Board Toolkit

What is the NCSC Board Toolkit?

The NCSC’s Board Toolkit helps boards embed cyber resilience and risk management across an organisation’s people, systems, processes, and technologies.

Benefits of Using the Board Toolkit

• Prioritise investment that balances risk exposure
• Integrates compliance into the business more efficiently
• Better understand “enterprise estate” that are critical to operations and identify resources to mitigate threats
• Healthy security, learn from incidents, drive improvement and innovation
• Invest in cyber security training and education to prepare for adverse events and empower decision making

Board, Directors, Trustees Cybersecurity Priority

Relatively few organisations at present are adhering to recognised standards or accreditations. However, a sizable proportion of organisations, including larger organisations, continue to be unaware of government guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard.

Cyber Security Priority in UK Businesses

Four in 10 businesses (41%) and charities (39%) report seeking information or guidance on cyber security from outside their organisation in the past year, most commonly from external cyber security consultants, IT consultants or IT service providers. The figure for businesses is lower than in 2023 (49%), while there has been no change among charities.

The Cyber Essentials scheme is a UK government-backed framework supported by the NCSC (National Cyber Security Centre). It sets out five basic security controls that can protect organisations against 80% of common cyber attacks.

12% of businesses and 11% of charities are aware of the Cyber Essentials scheme, consistent with 2023 but representing a decline over last 2-3 years.

Awareness is higher among medium businesses (43%) and large businesses (59%). Although only 3% of businesses and charities report adhering to Cyber Essentials.

A higher proportion (22% of businesses and 14% of charities) report having technical controls in all five of the areas covered by Cyber Essentials.

Government’s Approach and Cybersecurity Regulations

As of May 2024, government departments such as Cabinet Office, Department for Science, Innovation and Technology (DSIT), and the Home Office are all involved in cyber security and responsible for driving innovation and cybersecurity strategies and policies within the UK government. Non-departmental public bodies are also involved in cybersecurity, such as the National Cyber Security Centre (NCSC), which advises public and private sector organisations.

The strategy aims to shift the burden of cybersecurity from individual citizens to the organisations best placed to manage cyber risks. The government is therefore seeking to improve uptake of the NCSC’s cybersecurity guidance, incentivise investment in cybersecurity measures, increase the number of skilled cyber professionals, and strengthen statutory cybersecurity responsibilities.

The UK’s regulatory framework for cybersecurity comes from multiple pieces of primary and secondary legislation. Different legislation covers the cybersecurity of IT systems, internet-connected products and personal data. The legal obligations in cybersecurity legislation apply to sectors and organisations where cyber-security breaches would have a significant impact on society, the economy or individual rights. These include operators of essential services, such as telecommunications and transport, or digital service providers, such as online search engines (designated under the Network and Information Systems (NIS) Regulations 2018).

NIS Regulations 2018:The Security of Network & Information Systems Regulations (NIS Regulations) provide legal measures to boost the level of security (both cyber & physical resilience) of network and information systems for the provision of essential services and digital services.

Cybersecurity regulations set general expectations rather than specific measures that responsible organisations must take. This provides organisations with a degree of flexibility, which the government regards as important given the rapidly changing nature of cyber threats. Government departments and regulators also publish guidance tailored to specific sectors.

As of April 2024, the Product Security and Telecommunications Infrastructure Act 2022 will place cybersecurity requirements on manufacturers and distributors of internet-connected consumer products

Current Proposals for Regulatory Reform (as of May 2024)

Reforms under debate among policy makers and industry stakeholders include:

• Ethical Hacking: A defense in law for legitimate cyber security researchers who adopt methods used by malicious actors (known as ‘ethical hacking’).
• Reporting & Banning Ransoms: Obligations on the victims of cyber attacks, such as banning ransoms and to obliging victims to report cyber incidents.

The UK Government has also proposed reforms including:

• Increasing the scope of the NIS Regulations by including more organisations and requiring a broader range of incidents to be reported. The government says that these reforms will be implemented once a “suitable legislative vehicle” is found.
• Introducing a ‘cyber duty to protect’, which would place greater responsibilities on organisations who manage online personal accounts. The government has not yet responded to this consultation.
• Increasing corporate responsibility by requiring large organisations to include a ‘resilience statement’ in their annual reports describing how they manage threats, including from cyber attacks. The government withdrew this legislation on the basis that it would be ‘burdensome’.

Negotiations are ongoing at the United Nations regarding a new international cybercrime treaty, proposed by Russia. It would seek to harmonise cyber legislation and improve international collaboration on cyber issues. However, the treaty has drawn criticism from human rights campaigners for its proposed criminalisation of ‘content-based’ activities in cyberspace such as disseminating ‘seditious’ material.

UK Cyber Security Government Departments

Cabinet Office

The Cabinet Office has overall responsibility for cybersecurity policy. It publishes the National Cyber Strategy.

Department for Science, Innovation and Technology (DSIT)

DSIT is responsible for the implementation of the Network and Information Systems (NIS) Regulations 2018 and other aspects of domestic cybersecurity policy.

Home Office

The Home Office is responsible for policy on cyber crime.

Ministry of Defence (MoD)

The MoD leads on work to ‘detect, disrupt, and deter’ adversaries operating in cyberspace, including terrorists, large cyber criminal groups, and state actors. It oversees the National Cyber Force.

Foreign, Commonwealth & Development Office (FCDO)

The FCDO has policy responsibilities for the UK’s international cybersecurity activities. It also oversees the National Cyber Security Centre and (alongside the MoD) the National Cyber Force.

National Cyber Security Centre (NCSC)

The NCSC is a pubic agency and is part of Government Communication Headquarters and is designated under the NIS Regulations as the UK’s:

• Single point of contact, responsible for liaising with national and international partners;
• Technical authority, responsible for providing expert technical advice to Competent Authorities and other organisations; and
• Computer Security Incident Response Team (CSIRT), responsible for monitoring and reporting on cyber incidents, conducting threat assessments, and providing early warning about cyber threats.

The general responsibilities of the NCSC are set out in the National Cyber Strategy 2022.

Competent Authorities

Competent authorities are responsible for the implementation of cybersecurity requirements in specific sectors. They designate organisations in scope of the NIS Regulations, work with the NCSC to produce sector-specific cybersecurity guidance, and monitor and enforce compliance. For each sector the competent authority is the relevant UK or devolved government department and/or regulator (for example Ofcom in the telecoms sector).

Information Commissioner’s Office (ICO)

The ICO is responsible for data protection rules and regulates Digital Service Providers under the NIS regulations.

National Cyber Force

The National Cyber Force is a partnership between the MoD and GCHQ. It is responsible for conducting covert operations to “counter, disrupt, degrade, and contest” cyber threats from terrorists, criminals, and state actors. The force has published information about how it approaches cyber operations in a “legal, ethical, and responsible” manner.

National Crime Agency

The National Crime Agency is the law enforcement agency responsible for combatting serious and organized crime. The agency’s National Cyber Crime Unit focuses on tackling cybercrime nationally and internationally.

UK Cyber Security Council

The UK Cyber Security Council is an independent body funded by DSIT that acts as the Charters Institute for the cybersecurity profession.

Critical National Infrastructure (CNI)

Most critical national infrastructure companies have cybersecurity responsibilities under the NIS Regulations. The two categories of organization are:

• Operators of essential services are qualifying operators in critical sectors (energy, water, transport, health, and telecommunications)
• Relevant digital service providers are qualifying providers of online search engines, online market places, and cloud services.

Guidance and Cyber Security Strategy Plans

NIS2 Directive

The NIS 2 Directive (Directive (EU) 2022/2555) aims to establish a high common level of cybersecurity across the EU. Member States must ensure essential and important entities implement appropriate measures to manage network and information system risks, minimising incident impacts, using an all-hazards approach.

National Cyber Security Strategy 2022

Taking over where the pioneering National Cyber Security Strategy of 2016 leaves off, the new National Cyber Strategy is a plan to ensure that the UK remains confident, capable and resilient in this fast-moving digital world; and continues to adapt, innovate and invest in order to protect and promote UK interests in cyberspace.

Cyber Security UK CNI

UK CNI toward has set resilience targets to be achieved by 2025, and what is needed to achieve those targets to make computer hardware architecture more secure by design to protect CNI. It will determine Government’s approach to standards and regulations for cyber resilience and preparedness, supply chain access, and trusted partners.

Counter Ransomware Initiative (CRI)

The work of the CRI supports the implementation of the endorsed UN framework for responsible state behaviour in cyberspace, specifically the voluntary norm that States should cooperate “to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats.”

Network and Information Systems (NIS) Directive

The EU’s NIS Directive (Directive on security of network and information systems) is the first piece of EU-wide cyber security legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure.

Telecoms Security Act 2021

The Telecoms Security Act requires UK telecom providers to have measures in place to identify and defend their networks from cyber threats, as well as prepare for any future risks.

UK Cyber Security Reforms in Progress

Resilience to supply chain attacks

Supply chain attacks have risen to prominence in the UK and proposals include imposing cybersecurity responsibilities on third party providers of certain B2B IT services or MSPs.

Critical sectors and subsectors

With increasing digitalisation additional critical sectors need to be added to NIS regulations who are becoming increasingly vulnerable to security threats, including education, manufacturing, and waste water.

Critical sectoral dependencies

Critical Network and Information Systems (NIS) sectors (energy, transport, health, drinking water, digital infrastructure, and financial services institutes (FSIs) are dependent on 3rd party services, without which they could not operate. These sectors need to fall under the definition of MSPs.

NIS2 Directive

New 2024 directing will bring sectors such as medical devices manufacturing, waste management, communications providers, food, and public administration into the NIS IT services and systems supply chain of essential services.

Digital Service Providers

Currently subject to reactive supervision, proposed legislation includes a risk-based approach, with the most critical providers subject to proactive supervision, meaning they would require to proactively demonstrate their compliance with NIS regulations.

Incident Reporting Duties

Currently organisations covered by NIS Regulations are required to report all cyber incidents that affect the continuity of services. Incidents that do not affect service continuity do not need to be reported, including unsuccessful attacks or attack where personal, rather than business-critical, files were affected. New reporting is being proposed covering any incident which has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threat to cause, substantial disruption to the service.

Cyber Duty to Protect

UK government would remove the cybersecurity burden from individual civilians by placing more responsibility on manufacturers, retailers, service providers and the public sector to raise cyber security standards.

In Conclusion

The 2024 cybersecurity landscape in the UK continues to evolve rapidly, driven by the increasing sophistication of cyber threats and the expanding digital footprint across critical sectors. Recent trends indicate a sharp rise in targeted attacks against key industries such as healthcare, finance, and critical infrastructure, underscoring the urgent need for robust cybersecurity measures. The UK government has responded by reinforcing its cybersecurity framework through updates to the Network and Information Systems (NIS) Regulations and the introduction of new guidelines for emerging threats. These measures are aimed at enhancing the resilience of organisations and ensuring the protection of essential services that underpin the nation’s economy and security.

Key to the UK’s cybersecurity strategy is the emphasis on proactive threat management and compliance with stringent standards. Organisations within critical sectors are now required to implement more comprehensive risk assessments, conduct regular security audits, and adopt advanced technologies such as artificial intelligence and machine learning for threat detection. Additionally, the UK’s Cyber Essentials scheme has been updated to include more rigorous controls, particularly around cloud security and third-party risk management, reflecting the growing complexities of the digital ecosystem.

The emphasis on continuous monitoring and incident response capabilities is particularly crucial, as it enables organisations to detect and mitigate threats before they cause significant harm.

As the UK looks to the future, it is clear that cybersecurity will remain a top priority for both public and private sectors. The government’s commitment to fostering a secure digital environment is evident in the ongoing investment in cybersecurity research, the development of public-private partnerships, and the expansion of training and education initiatives to build a skilled workforce. However, to stay ahead of evolving threats, organisations must not only comply with regulatory requirements but also cultivate a culture of cybersecurity awareness and resilience. By doing so, the UK can maintain its position as a leader in cybersecurity, safeguarding its critical infrastructure and ensuring the continued trust and confidence of its citizens and global partners.

Sources

• • Cyber security breaches survey 2024 – GOV.UK. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024.
  • Cyber security sectoral analysis 2024 – GOV.UK. https://www.gov.uk/government/publications/cyber-security-sectoral-analysis-2024/cyber-security-sectoral-analysis-2024.
  • Cyber security sectoral analysis 2024 – GOV.UK. https://www.gov.uk/government/publications/cyber-security-sectoral-analysis-2024.
  • The UK’s Cybersecurity: Where Is it and Where Is it Going?. https://www.tripwire.com/state-of-security/uks-cybersecurity-where-it-and-where-it-going.
  • Cyber Security Breaches Survey 2024 – GOV.UK. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024.
  • Cyber Security Breaches Survey 2021 – GOV.UK. https://assets.publishing.service.gov.uk/media/6065c36ad3bf7f401340b300/20-046099-01_CSBS_2021_medium_and_large_trends_infographic_310321.pdf.
  • Businesses urged to boost cyber standards as new data reveals … – GOV.UK. The UK’s Cybersecurity: Where Is it and Where Is it Going?. https://www.tripwire.com/state-of-security/uks-cybersecurity-where-it-and-where-it-going.
  • Cyber security breaches survey 2024 – GOV.UK. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024.
  • NCSC Annual Review 2023: https://www.ncsc.gov.uk/pdfs/reports/Annual_Review_2023.pdf

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know Your Risk. Contact BreachLock today!