01 June 2023 – Basingstoke, UK
Small and medium-sized businesses (SMEs) in the UK have seen cyber security readiness and resilience decline in the last year, according to new research from Censornet. Over half (51%) of SMEs believe their cybersecurity posture requires development to be future-proofed, up from 40.5% the previous year.
Email attacks top the list of cyber incidents
The new findings are taken from Censornet’s 2023 SME Cyber Report – an annual survey gathering insights from 200 UK-based IT and security leaders. The research shows email attacks emerged as the top cyber security incident, with one in three organisations suffering a serious attack due to an employee opening a compromised email, up from 16% a year earlier.
Despite this, SMEs’ ability to prevent email attacks has declined. Just over one in three (37%) can block ‘dangerous’ attachments from reaching the email inbox of users, a 14% decrease since last year. Only 29% of organisations can successfully quarantine suspicious or malicious emails, down from 34.5% a year earlier. In the public sector, these figures fall even lower to 33% and 23% respectively.
“Small and medium-sized businesses play a vital role in the UK economy, accounting for three-fifths of employment and nearly half of turnover in the private sector,” said Ed Macnair, CEO of Censornet. “Given these businesses are responsible for storing and processing large volumes of the UK’s data, it’s imperative they are confident they can protect data adequately with an integrated security platform that ensures all bases are covered.”
Number of SMEs paying ransoms increases
While email attacks are increasing, other types of cyber breaches and attacks are showing signs of falling. Only 17% of organisations suffered a ransomware attack, compared to 21% a year earlier. The average cost of a ransomware attack has also fallen by 37% from £144,000 to £91,000. However, the number of SMEs paying the ransom has jumped dramatically from 21% to 85%.
Less than a fifth (19%) of businesses suffered a significant outage lasting more than a day, down from 33% last year, while the number of SMEs experiencing data loss from a cyber-attack fell from 30% to 26%.
The cost of cyber-attacks also goes beyond the immediate cost of paying a ransom, leaving organisations facing reputational damage, poor morale and regulatory fines. Over a quarter (27%) of SMEs had a meaningful percentage of the workforce leave the company or change roles, 25% believe their customer service and support staff were negatively impacted, and 22% suffered damage to shareholder and customer confidence.
Signs of pressure
Nearly a quarter (22%) of cybersecurity professionals believe they are suffering from sleep deprivation due to cybersecurity concerns, significantly up from 9% in 2022. The average sleep for cybersecurity professionals has dropped from 5.7 to 5.4 hours per night in the last year – below the NHS-recommended average of 7 hours per night. This puts cybersecurity professionals at risk of reduced alertness, poorer judgement, and slower reaction times.
The consolidation trend
Organisations are gradually shifting away from legacy technologies and recognise that there is a need for consolidation in the security stack. In the last year, one in six businesses (15%) have moved away from a reliance on legacy technologies designed for on-premise environments and re-architected for the cloud. Meanwhile, 63% of organisations reduced the number of security vendors, with 61% opting for a consolidated approach.
There is also a growing demand to simplify cyber security and for technologies to be made more accessible. More than four in 10 businesses (43%) want access to the cybersecurity innovation that is on offer to larger enterprises and 40% would like enterprise-grade security implementation to be made less complex. More than half (55%) also want security vendors to open traditionally closed point-products to enable automated responses to cyber threats, an increase of 20% year-on-year.
“As the UK’s growing businesses expand and extend their network boundaries, their attack surfaces expand dramatically. But buying more point products won’t keep them safe. So it’s reassuring that UK plc is moving away from individual point products and towards integrated security platforms,” added Macnair. “For businesses that typically have smaller budgets and fewer resources, there is a growing need to simplify security via a platform approach that offers automation, intelligence and integration.”