Nearly half of UK businesses pwned last year as phishing keeps doing the job like it's 2005

Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support'

Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.

The UK government's latest Cyber Security Breaches Survey, released on Thursday, puts the hit rate at 43 percent of businesses and 28 percent of charities reporting a cyber incident in the past year, equating to approximately 612,000 UK businesses and 57,000 UK charities, numbers that have barely budged since the last time it asked.

Most of these breaches do not start with anything especially cutting-edge. Phishing leads "by far," usually via impersonation emails that send staff to fake login pages or get them to click links, open attachments, or hand over sensitive information.

Everything else barely gets a look-in. Around 85 percent of businesses that reported a breach or attack said it involved phishing, leaving malware, ransomware, and unauthorized access trailing some distance behind.

Among businesses that report break-ins, about a quarter say they occur at least once a week, with a smaller share reporting daily occurrences. Charities are seeing attacks land more often, with the share reporting weekly incidents rising from 18 percent to 26 percent over the past 12 months. 

Against that backdrop, there are signs that organizations are trying to get a grip of the problem. Around six in ten medium and large businesses report having a formal cybersecurity policy in place, and incident response planning and cyber insurance have both ticked up year on year. Larger organizations are consistently more likely to have these measures in place than smaller ones.

Policies on ransomware are still a bit of a mixed bag. Around half of businesses (49 percent) and a third of charities (34 percent) say they have a rule not to pay up, about the same as last year. Plenty are still in the dark, with roughly a quarter of businesses and a fifth of charities saying they do not know what their policy is.

Most are covering the basics – at least two-thirds of organizations say they have things like updated malware protection, cloud backups, password rules, firewalls, and restricted admin access in place – but after that, it starts to tail off. Fewer report using measures such as two-factor authentication, formal data backup rules, policies on personal data storage, VPNs, or user monitoring.

What's more, among small businesses, some of the basics have slipped compared with last year. The proportion carrying out cyber security risk assessments has dropped to around four in ten, reversing earlier gains and suggesting those improvements have not stuck.

Supply chains remain another weak spot. Only around one in seven businesses say they review the risks posed by their immediate suppliers, and fewer go any further. The survey puts it at 15 percent checking direct suppliers and just 6 percent looking at the wider chain. Charities are lower again, at 9 percent and 4 percent, respectively.

Then there is the data itself. Around 14 percent of businesses and 22 percent of charities say they hold personal data that is not protected by measures like encryption or anonymization, which means if someone does get in, there is a decent chance they will find something useful.

Overall, breach rates remain high, and phishing continues to do most of the work. The basics exist, they're just not applied everywhere they should be. ®