安全的哀歌：2023-24年英国网络安全状况

stateofcyber2023/24

Security’sLament:

Thestateof

cybersecurityintheUK

mart

mart2

。iomartCyberSecurityReportOctober2023

“Organisationsthat

establisharobustcyber

securityframework

aligningwiththeirstrategyarewellpositionedto

shapethefuture”

mart1

WelcomefromLucy

Theseconditerationofaresearchreportisoftenthemostinteresting–havingsetabenchmarkthefirsttimearound,it’salwaysveryusefultobeabletoseehowthingshavechangedanddeveloped.

We’veworkedagainthisyearwithOxfordEconomics,anindependentresearchexpert,togathertheopinionsof500seniorcybersecurityleadersandfindoutabouttheirexperiencesoverthelast12

months.

Manyofthekeyissuesweunearthedlastyearremain.Cyberleadersreportanear-constantbatteryofattacksfromonlinethreatactors,compoundedbyincreasingcostsandtighteningbudgets.Theyfacetheunenviablebalancingactofkeepingtheirorganisationssafe,oftenwithfewerresources.

Thenoisylandscapeoftechnologysolutions,includingthebreakawaystarof2022/23–generativeAI–canmakeitdifficulttoknowhowtooptimisecyberdefences.

What’sconcerningisthatourresearchfoundanincreaseinthenumberofattacksoverthelast12

months.Thenewsheadlinesarestilltoofrequentlyoccupiedbyanotherhouseholdnamewhichhassufferedasuccessfulbreach.Andforeveryoneofthesehigh-profileattacks,therearemanymorewedon’thearabout.

Ourintentionwiththisresearchistohelpcyberdecision-makersbetterunderstandthebigger

pictureofthethreatenvironmentandhowothersareapproachingthisperniciouschallenge.

Byworkingtogetherandlearningfromeachother,wecanreduceourriskoffallingvictimto

determinedcriminals–andmoreconfidentlytakeadvantageofthegrowingbenefitsofaconnectedworld.

Wehopethisreporthelpsmakethosetoughdecisionsalittleeasier.

Bestwishes,

LucyDimes,

CEO

iomartGroupplc

Contents

Introduction

3

Part1-Balancingthreatsandbudgets

4

Part2-Techhasbecomeincreasinglyintegraltoastrongcyberstrategy

6

Part3-Talentiscrucialincombattingthreats

8

Part4-Howdoesmyindustrystackup?

10

Conclusion

12

2iomartCyberSecurityReportOctober2023

3

Introduction

Organisationsthatestablisharobustcybersecurity

frameworkaligningwiththeirbusinessandITstrategies

arewellpositionedtoshapethefuture.Thisalignmentnotonlyimprovestheirresilienceagainsttoday’sinevitable,andoftencostly,cyberthreats,butalsofostersanenvironment

favourabletoinnovationandrevenuegeneration.Cybersecuritystrategyhasbecomeintegraltoboththeday-to-dayfunctioningofbusinessoperationsandthe

determinationofpotentialgrowth.

Yetorganisationsareoperatinginanunpredictablelandscape,withtheireffortsmuddledbyinflation,

geopoliticaltension,acost-of-livingcrisis,andeven

advancesintechnology,suchasgenerativeAI.Badactors

aretakingadvantageofthesecircumstances—thepastyearsawasharpriseintheaveragenumberofattacksoverthe

yearbefore.Tomakemattersworse,despiteupticksinthe

frequencyandintensityofcyberattacks,manyorganisationscybersecuritystrategiesarestillintheirinfancy,remaining

attheperipheryoftheirbusinessprocesses.Forcompaniestoremaincompetitiveoroutperformtheirrivals,those

strategieswillhavetomaturerapidly.Andtheymust

overcomeacybersecuritytalentpoolthatisrunningdry,aswellasbudgetaryconstraints,ascybersecuritycompetesforallocationagainstanabundanceofotherchallenges.

Thecybersecurityindustryisalsoundergoingsignificantchanges—asmanynewplayersenterthemarketand

mergersandacquisitionsconsolidatesuppliers.Despite

theindustry’scomplexity,though,organisationsare

eagertoengagewithittogetontopoftheircyberwoes,

acknowledgingthepotentialprofit,reputation,cost,and

efficiencybenefits.Tothatend,manyorganisationshaveatleasttakeninitialsteps:

•Investedincybersecurityservicesandproductsto

understandpointsofvulnerabilityandmanagethreats;

•Introducedcyberhygieneandmulti-factorauthenticationtocreateacultureofsecurity;and

•Focusedonemployees,procuringtraining,andupskilling.

Totakethepulseofcybersecurity,OxfordEconomicsandiomartsurveyed500executivesresponsiblefor

theirorganisation’scyberstrategy.Thesampleincludes

executivesfromarangeofindustries—mostwithmorethan1,000employees—allbasedintheUK.

Thesurveyrevealedthesekeytakeaways:

•Budgetaryconstraintshamstringcyberstrategiesinthe

faceofincreasedincidents.Amajorityhaveaninadequatebudgettofullyprotecttheirorganisationsatatimewhenmanycitetheincreasedcostofremediationasamajor

challenge.Risinginsurancepremiumscanaddtoalreadystrainedbudgets.

•Thereisapromisingfutureforcloudandautomation

withincyberstrategies.Businessesareincreasingly

investinginsuchtechnologiestobolstercybersecurity.Withmanyconcernedbyshortagesintheirinternalcyberskillsandawareness,thesetechnologiesareseenas

particularlypertinentgiventheirimportancetoemailscreeningandautomatedresolutions.

•Whiledeployingtheappropriatetechnologyiscrucial,

effectivelyleveragingitrequirestherightpeople.The

securityskillsgapyawnslargeandremainsthebiggestchallengeformostcyberstrategies.Withinternalskills

andresourceslacking,organisationsfaceamajorhurdle.Tocombattheseobstaclesandgetthemostfromtheirtechinvestments,executivesplantoinvestinemployeetrainingwhilealsohiringin-housespecialistsandthird-partyconsultants.

Methodology/demographicsandkeydefinitions

•Sample:Cybersecuritystrategydecision-makers(n=500)

•Executivetitles:CTO,CIO,CISO,CFO,COO,ChiefDigitalOfficer,CEO,ChiefRiskOfficer,ChiefDataOfficer

•Sectorscovered:Software,Professionalservices,Legal,Finance,Not-for-Profit,Government,Insurance,Healthcare,Manufacturing,Retail,Transportation,Consumerproducts

•Companysizesrepresented:Mostrespondentshavemorethan1,000employees.20%have£250mto£499min

revenue,20%have£500mto£999minrevenue,20%have£1bnto£4.99bninrevenue,20%have£5bnto£9.99bn

inrevenue,20%havemorethan£10bninrevenue.

•Locationscovered:RespondentsareallfromtheUK

•Datesfielded:July2023

Part1:Balancingthreatsandbudgets

Malware

55%

Phishing

56%

remainthethreatsofgreatestconcerntoexecutivesforthesecondyearinarow

Threatsareconstantlyevolving.

Morethanathirdofdecision-makerssaykeepingupwiththepaceof

evolvingthreatsisatopchallenge.Overthelastyear,organisations

experiencedanaverageof30cyberincidents,whichrepresentsan

annualincreaseofsixincidentsoverthe24reportedlastyear.Andthesearetheonesorganisationsknow

about.

Notsurprisingly,phishing(56%)and

malware(55%)remainthethreatsofgreatestconcerntoexecutivesforthesecondyearinarow,

andlessthanhalfareconfidentintheirorganisation’sabilityin

handlingthem(49%phishing,48%

malware).Fewerstill(onequarter)

aresureoftheirabilitytodealwith

ransomware—athreatthatcontinues

todominateheadlinesglobally.Not

tomentiondisruptionsfromthepast

threeyearscontinuetocomplicate

theirabilitytoprotectthemselves—

executivesarestrugglingwith

managingincreasedvolumesof

data,thepaceoftechnology,and

supplychaindisruptionswithintheir

securitystrategy.

Keepingpacewiththreatsismore

importantthanever.Torespond,

orevenbecomemoreproactive,

organisationsarelookingtoimprove

Approximatelyhowmanycybersecurityincidentshasyourorganisationexperiencedoverthelastyear?

4iomartCyberSecurityReportOctober2023

Whatimpactsdidyourorganisationexperienceasaresultofcybersecurityincidents?

Disruptedoperations Increasedcoststoremediate Negativereputationalimpact LossofcompetitivenessSignificantbusinessdowntimeNegativefinancialimpact

Theftofdata

Finesfromindustryregulators(e.g.,ICO,FCA)

61.8%

53.8%

48.0%

36.6%

32.0%

30.2%

18.2%

9.4%

theircyberpostures,allocatingan

averageof£40,190tovulnerabilityassessments,penetrationtesting,

orredteamengagements.However,theyarealsofullyawarethese

measuresalonearenotsufficient,andtheyneedmoremoneyto

underpintheirplans.Morethana

quarter(27%)oforganisationsthinktheircurrentcybersecuritybudgetisinadequatetofullyprotectthemfromemergingthreats.

Butbudgetshamstringefforts.Tightbudgetscontinuetobeatopbarrierinmeetingcybersecuritygoals,andrisingcyberinsurancepremiums

onlystressbudgetsfurther.The

increaseincyberpremiumsisrankedasthetopchangeoverthepast

twoyears,with70%ofrespondentsnotingariseandjust4%seeinga

decrease.Theuptickinpricingonly

addstothecostofremediation,with

themajority(54%)ofrespondents

suggestingitisthesecondgreatest

impactofcybersecurityincidents,

wellabovemoretraditionalfactors

suchastheftofdata(18%)and

negativefinancialimpact(30%).

Andthetighteningofbudgets

createsblindspots.With41%

oforganisationsbeingforcedto

sacrificecybersecuritytokeep

thelightsonduringthepandemic,

itisnowondercybersecurity

initiativesarenotevenlyapplied

acrossbusinesses.Only37%of

respondentsagreethatsecurityis

embeddedintoalltheirbusiness

processesandfunctions,while14%

admitthatsecurityisaddressedon

anad-hocoras-neededbasis.

70%

sayrisingcyberpremiumsisthetoprankedchangeoverthepasttwoyears

mart5

Part2:Techhasbecomeincreasinglyintegraltoastrongcyberstrategy

67%

sayprivatecloudhasstrengthenedtheirsecurity

Leveragingexistingtechnology.

Executivesmaybefeelingthe

crunch,butcreatingastrongcyberstrategyonatightbudgetisnot

impossiblebecausesomeofthegroundworkhasbeenlaid.Manyorganisationsalreadyhavethe

technologytohelpthemkeepup.

Cloudhasbecomefoundationalto

cyberstrategies—almostthree-

quarters(74%)oforganisationsrelyonprivatecloud,with67%saying

ithasstrengthenedsecurity.And

nearlytwo-thirds(65%)leanhard

onautomation.Morethanhalf(53%)willuseautomatedresponsesover

thenexttwoyears,while51%plan

toemploybothSIEMmonitoringandautomatedresolutionofsecurity

incidents.

Emergingtechcomesintoplay.

Despiteafocusonwell-established

technologies,manyexecutivesalso

placeconsiderablefaithinemerging

technologies.Welloverone-third

(38%)believetheincreaseduseof

AIandMLinthreatdetectionand

responsewillbeasignificanttrend

incybersecurityoverthenexttwo

years.Inparticular,theyciteemail

screening(78%)andcontextual

analytics(69%)asdominantuse

casesforAIandautomation.

However,budgetaryconcerns

(31%),complianceandregulatory

requirements(23%),andalackof

skilledworkers(23%)areobstacles

tosuccessfullyimplementing

nascenttechnologiessuchasAIand

automation.

38%

believetheincreaseduseofAIandMLin

threatdetectionandresponsewillbeasignificanttrendincybersecurity

6iomartCyberSecurityReportOctober2023

Hasyourorganisationimplemented,ordoesitplantoimplementanyofthefollowing

technologiestoincreasecybersecurity?

Cloud-privateAutomation

AI

DataanalyticsCloud-public

DLP(datalossprevention)ZTNA(zerotrustnetworkaccess)

IDS(intrusiondetectionsystem)MDR(manageddetectionandresponse)

SIEM(securityinformationandeventmanagement)EDR(endpointdetectionandresponse)SOC(securityoperationscentre)

IPS(intrusionpreventionsystem)XDR(extendeddetectionandresponse)

74.0%

65.4%

63.0%

59.4%

50.0%

37.4%

26.6%

24.6%

22.4%

22.0%

21.6%

21.0%

19.4%

17.0%

ForwhichofthefollowingcybersecuritytasksdoyoucurrentlyuseAIorautomation?

Emailscreening

Contextualanalytics

Automatedresolutionofsecurityincidents/Reducing

alertfatigueTobridgesecurityskillsgaps AutomatedresponsesPlaybookimplementation

SIEMmonitoring

Noneoftheabove

77.6%

69.1%

42.1%

39.7%

38.6%

38.2%

32.9%

0.2%

Managingthetechshift.Figuring

outwheretostartinvesting

hasprovendifficult.Oursurveyfoundthatexecutiveshave

troublesortingthroughthe

”noise”createdbythetsunamiofofferingsandsecurityplayersinthemarkettofindthebest

fitfortheirorganisationsneedsandbudgets—nearlytwoinfive(38%)strugglewiththis.Whilemostaregenerallyenthusiasticabouttechadoption—almostallrespondentshaveinvestedin

newproducts—onlyhalfsay

theirinvestmentshavebeen

effective.Purchasingtechand

cybersecurityproductswithouta

clearstrategyandpeoplewhocan

leverageiteffectivelydiminishes

itspotential.Tomaximisethevalue

oftheirinvestments,executives

needguidanceonnavigatingthe

shifttoanincreasingrelianceon

technology.

7

Part3:Talentiscrucialincombattingthreats

53%

saycybersecuritycultureandregular

employeetrainingtopreventhuman-

relatedbreacheswillbecrucial

Peoplearekeytocybersuccess.

Asimportantastechistocyber

security,executivesarelookingto

theiremployeestobethefirstlineoftheircyberdefence.Morethanhalf(53%)saycybersecuritycultureand

regularemployeetrainingtoprevent

human-relatedbreacheswillbe

crucial,indicatingthecontinuation

ofasignificanttrend.Inthepasttwo

years,63%oforganisationshave

investedinemployeetraining.

Whatstepshasyourorganisationtakentoprotectitselffromcyberattacks?

Investedincybersecurityservices

Investedincybersecurityproducts

Employeeawarenesstraining

Introducedbasiccyberhygiene(e.g.,passwordmanagement)

Implementedmulti-factorauthentication

DevelopedandenforcedapprovedlistofIoTdevicesandconnections

Hiredthird-partyconsultants

Implementedaregularpatchmanagementprogram

Increasedvetting/auditsofvendors/suppliers

Conductedregularsystemauditstodetectvulnerabilities

Bolsteredcybersecurityinfrastructure

Hiredin-housespecialists

12.20%

77.4%

13.40%

72.8%

40.80%

47.0%

28.6%

45.2%

29.4%

40.0%

28.2%

39.2%

50.4%

37.8%

33.6%

34.8%

37.8%

33.8%

23.6%

30.6%

43.6%

25.8%

32.2%

23.2%

PlantoadoptAdopted

8

iomartCyberSecurityReportOctober2023

Whatarethetopchallengestomeetingyourorganisation’scybersecuritygoals?

Lackofinternalskillsandresources(e.g.,nodedicatedfunctionor24/7capability)

ToomanycybersecurityproductsandservicesonthemarketKeepingupwiththepaceofevolvingthreats

Budget/costlimitations

DifficultyintegratingcybersecurityintoinfrastructureDifficultyfindingtherightcybersecurityprovider

Lackofusecases/perceivedROIforcybersecurity

Increasingpaceofmergersandacquisitions

Lackofinteroperabilitybetweencybersecuritysolutionsandlegacytechnology

44.6%

41.0%

35.8%

35.0%

31.4%

30.6%

22.0%

20.2%

13.2%

Butgettingpeopleinplacetakes

effort.Puttingtherightpeoplein

placeiscomplicatedbyskillsgapsandacontinuingshortageofskilledworkers.Decision-makerssaya

Gettingtherightpeople.Toclose

somegaps—outsideofupskilling

andreskillingemployees—almost

athirdoforganisations(32%)

willhirein-housecybersecurityspecialistsinthenexttwoyears,andafullhalf(50%)willdothe

sameforthird-partyconsultants.Executivesalsoareeyeingnon-traditionaltalentsourcesto

overcomeskillsshortages—75%

plantohirefromless-traditional

poolsofjobcandidates,suchas

gamersandex-military.Andmore

thanhalf(55%)plantoexpand

cyberfluencytothetopofthe

corporateladderbystockingboardswithpeoplewhohavespecific

cybersecurityexperience.Evenmore(72%)willcreateinternshipsandapprenticeships.Thesestepsareimportanttocreatingamorecybersecurityliterateworkforcethatcansuccessfullyimplement

cyberstrategyandleveragethe

technologyinvestmentsassociatedwithit.

lackofinternalskillsandresources

constitutesthebiggestchallengein

meetingtheircybersecuritygoals.

Withburnoutamongcybersecurity

staffontherise—30%believetheir

teamsaresufferingfromit—getting

therighttalent(andtheright

technologytosupportthem)ismore

important—butharder—thanever.

Flexibleandhybridwork,awell-

establishedworklifestylefor

manyofficeemployees,hasalso

introducednewchallengesand

vulnerabilities.Almosthalfof

respondents(46%)saythebump

inremoteandflexiblework—and

amoregeographicallydistributed

workforce(36%)—havecomplicated

theirorganisation’sabilitytoprotect

againstcyberthreats.Itisno

wonderthenthatfewfeelconfident

intacklingtheirgreatestcyber

55%

securitythreatsandthatreducing

cyberriskscreatedbyemployees

hasthereforebecomeapriorityfor

cybersecuritydecision-makers.

plantoexpandcyberfluencytothetopofthe

corporateladderbystockingboardswithpeople

whohavespecificcybersecurityexperience

mart9

Meetthecybersecuritystrategyleaders

Weisolatedagroupofsurveyrespondentswhoareusingtechnologyandtalenttogetthemostfromtheircybersecurityinvestments.Thiselitegroup(n=126,approximately25%ofthesample)isdefinedbythefollowing:

•Respondentsinthefirstquartilewhohavealreadyimplementedinitiativeslikeemployeeawarenesstraining,

introducingbasiccyberhygiene,hiringthird-partyconsultants,usingmanagedserviceproviders,usingtechnologieslikeAIandautomation,andaligningtheirstrategywithbusinessandIT.

•Theyhaveimplementedastrongertalentstrategy,likeimprovingemployeeskills,usingmanagedserviceprovidersandprofessionalservices,andbringingonboardmemberswithspecificcybersecurityexperience.Theyarefarlesslikelytosaytheirinternalcybersecurityteamsaresufferingfromburnout.

•Theyexperiencebetterresultsfromtheirefforts.Theyaremorelikelythanotherstosayinitiativeslikeemployeeawarenesstraining,introducingbasiccyberhygiene,investingintherightproductsandservices,andbolsteringcybersecurityinfrastructurehavebeeneffective.

•Theymanagedatabetterthanotherrespondents—almostallareconfidentinkeepingupwithdataregulations,preventingdatasecuritybreaches,andsharingdatainternallywithpartners.

•Theyhavemadepurposefulinvestmentsintechnology—mosthaveinvestedincloudandupdatedinfrastructure,aswellasAIandautomation,potentiallytoclosesomeskillsgaps.

•Theyarelesslikelytosaytheirbudgetisinadequatetofullyprotecttheirorganisation.

•They’realreadyreapingthebenefitsoftheirefforts—they’vealreadyseenimprovedprofitabilityandcostsavings,internalefficiency,andrevenue,andincreasedinnovationpotential.

Thetakeaway:balancingtechandtalentlikeourLeaderscouldgiveorganisationsalegupwhensettingcyberstrategy.

Part4:Howdoesmyindustrystackup?

FinanceandInsurancearestill

workingoutthekinks.Thereare

starkdifferencesbetweenindustrieswhencomparingthenumberof

cyberincidentstheyexperience

annually.OnthehighendofthespectrumsitsInsurance,Finance,Not-for-profit,Healthcare,and

Government,allseeingatleast31incidentsayear.Insurance,withthesecondhighestnumberof

incidentslastyear,reportedthe

highestnumberofincidentsthis

year,despitespendingthesecond

highestamountoncybertestingandassessments(£46,100onaverage

vs.£40,190total).Financefellfromfirstplacelastyearinthenumberofincidentstheyexperiencebut

isstillcomparabletoInsurance.

Organisationsinthisspaceface

similarchallenges,suchasbudgetlimitations,andagreetherearetoomanycybersecurityproductsandservicesonmarket.Consequently,

likethoseinmanyotherindustries,

theFinancesectoremphasises

theincreasingimportanceof

cybersecuritycultureandregular

employeetrainingtopreventhuman-

relatedbreaches.

ThePublicSectorisstruggling

tokeepup.UKPublicSector

organisationsinHealthcareand

Governmentareinasimilarboat.

Botharemorelikelytosaycyber

securitythreatshaveincreased

infrequencyoverthelasttwo

years(56%ofHealthcare,55%of

Governmentvs.48%ofthesurvey

total).Inrecentmonths,theUK

PublicSectorhasbeenbattlinga

waveofransomwareattacks,with

criticalinfrastructureliketheNHS

Trusts,Ofcom,andpensionservices,

allbeingtargeted.Ransomware

reasonablyisbyfartheirtop

concern,muchhigherthananyother

industry.

10iomartCyberSecurityReportOctober2023

ThePublicSectorisalsofeelingtheeffectsofcyberskillsshortagesathigherratesthanthePrivateSector,apotentialexplanationofwhyit

isstrugglingtomitigatethreats.

Executivesinthisspacearemore

likelytosayitisharderandmore

expensivetofindandretaincyber

staff(38%ofHealthcare,48%of

Government,vs.34%surveytotal).Goingforward,however,thePublicSectorplanstoinvestinemployee

awarenesstrainingoverhiringthird-parties,in-housespecialists,or

purchasinginsurance.

Manufacturingforgesahead.On

theotherendofthespectrumis

Manufacturing,which,forthesecondyear,hasreportedoneofthelowestratesofcybersecurityincidents,at

anaverageof25peryear.Despite

digitalisationdeeplytransformingtheindustry—andopeningituptocyberthreats—executivesinthisarenaareslightlylesslikelytosayincidents

haveincreasedinfrequencyoverthelasttwoyears(44%vs.48%total).

Thereasonsbehindtheindustry’sseemingsuccessrangefromthe

high-levelstrategicdecisionsto

lower-leveltacticalandoperational

ones.Strategically,Manufacturing

executives,comparedtothosein

otherindustries,aresignificantly

morelikelytohaveembedded

securityintocriticalinfrastructure

andalignedcybersecurityandIT

strategies.Tactically,theyhavegone

togreaterlengthstomitigatecyber

riskbyinvestingincybersecurity

products,outsourcingintelligence,

introducingbasiccyberhygiene,and

purchasingcomprehensivecyber

insurance.Finally,operationally,they

aremorelikelytoconductemployee

awarenesstrainingandimplement

multi-factorauthentication.

Thesefactorsmayallbeunderpinned

bythebenefitsaccruedfromhiring

fromlesstraditionaltalentpools

(29%vs21%average).Despite

currentsuccess,Manufacturing

fullyacknowledgesthetargetsthey

haveontheirbacksandarenot

complacent.Theindustryisalso

moreli