Geo Focus: The United Kingdom , Geo-Specific

Cybersecurity in the UK: Government Sees Improvements Slow

Survey Finds Too Many Under-Engaged Boards, Reactive Attitudes, Low Appetite for AI
Cybersecurity in the UK: Government Sees Improvements Slow
The pace of cybersecurity improvements in the United Kingdom has stalled. (Image: Shutterstock)

The pace of cybersecurity improvements has stagnated for numerous organizations in Britain over the past year, driven in part by budget and staffing challenges.

See Also: Two Years of Active Cyber Defense: A Summary

That's a top-line finding from the third annual Cyber Security Longitudinal Survey conducted by the British government, which reviewed practices across more than 1,000 medium and large businesses and high-income charities in the United Kingdom.

The survey examines a range of attributes, including cybersecurity resilience practices, recordkeeping, internal and external reporting capabilities, supply chain risk assessments and ownership of security. It also looked at uptake of Cyber Essentials, a government-backed program that allows organizations to certify themselves against benchmarks designed to ensure they're prepared to counter basic cybersecurity threats.

The survey shows some improvements since 2021, including more organizations having some type of insurance policy that touches on cybersecurity rising from 53% to 69% of businesses and from 66% to 79% of charities. This includes both "cyber-specific insurance policies and broader policies that covers cyber security risk," the survey says.

Also increasing from 2021 to 2023 was the proportion of businesses with: procedures in place to identify cybersecurity risks, from 82% to 90%; a business continuity plan, from 69% to 79%; a regularly updated, written list of the IT estate and vulnerabilities, from 54% to 61%; and a risk register, from 48% to 55%.

Very large organizations are most likely to have sophisticated policies and practices in place, which likely reflects "their higher budgets and ability to maintain specific cybersecurity staff," the survey says. Even so, "for many organizations, the board is under-engaged and many of the processes that are in place are less proactive."

That's despite the digital estate in many organizations changing significantly during the survey's time frame, as remote work surged, along with adoption of cloud computing as part of digital transformation programs, followed by the rise in use of artificial intelligence tools.

The survey finds only 23% of businesses report being "likely to use AI or machine learning as a means to improve their cyber resilience," a figure that is unchanged since 2021. "This suggests that organizations have not moved toward taking on cutting-edge technology to help improve their cyber resilience," the survey says. "Further, given the potential for these technologies to help organizations to act proactively, it is indicative of organizations' reactive mindset."

The research, the conducted by the U.K. Department for Science, Innovation and Technology, is part of the government's National Cyber Strategy 2022, which aims in part to improve domestic business resilience and the country's overall cybersecurity defensive posture.

The British economy could be partly to blame for the challenges the DSIT report identifies. The first two waves of the survey were conducted in 2021 and 2022, while the third wave was conducted between March and June 2023, with supporting qualitative interviews through last July. From 2021 to 2023, on a quarterly basis, the U.K.'s gross domestic product remained largely stagnant, sometimes showing minimal gains or losses, reflecting the country's tenuous economic state.

Poor cybersecurity savvy at the top of the organization may also be to blame for shortcomings the report identifies.

The latest results show that "only half of U.K. board members have had security training, only a quarter of businesses are assessing suppliers for possible security risks, and a fifth of U.K. boards failed to discuss cybersecurity even once," said Andy Kays, CEO of Cardiff, Wales-based managed security services provider Socura. "Only 17% of businesses are Cyber Essentials certified, which is one of the lowest bars for measuring security best practice. These figures are all far from perfect."

David Stubley, a British incident response expert who advises boards and C-level executives on cybersecurity matters, said more organizations appear to be at least realizing that "cybersecurity is not merely a technical issue, it is a business risk that requires strategic attention," although they often falter in the next steps.

"Having someone responsible is not the same as have someone who can effectively challenge and support the board," he said. "Real improvement can only be made through the appointment of specialist non-executives that innately grasp the intricate and nuanced nature of cybersecurity."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.