32% Of Businesses Identified Cyber Security Breaches or Attacks in The Last 12 Months


CYBER security breaches and attacks have become pervasive in today’s interconnected world, and the indicators all point towards a considerable rise in security incidents (and associated costs) in the years to come. As we transfer information between business and personal devices, malicious actors will continue to take advantage. Companies of all shapes, sizes, and sectors can experience a breach or attack if they become digitalised and deal with sensitive data. The Cyber Security Breaches Survey revealed that approximately 32% of businesses have recalled security incidents in the last 12 months. The percentage is much higher for medium firms (59%) and large companies (69%). While this may be hard to swallow, it could be a game-changer for some organisations. 

Cyber threats are unsophisticated, yet malicious actors manage to exploit vulnerabilities because businesses aren’t aware of them or don’t bother to address the security pitfalls. Malware and phishing are the most prolific threats. A malicious software, program, or file damages or disrupts a system – it can be a virus, worm, or Trojan horse. By phishing, computer users are fooled into revealing personal/financial information via phone calls, emails, or websites. Attention must be paid to the fact that the extrapolated figures in the research are based on estimates of the overall population of businesses.  

Scotland, Like Everyone Else, Is Experiencing an Alarming Surge in Cyber Security Breaches and Attacks 

According to The Herald, local authorities have recorded more than 10 000 security incidents in the past few years, of which mention can be made of unauthorised access of data by staff, procedural failures, and the disclosure of personal data to third parties. Not that long ago, the South Lanarkshire Council published employee data online by accident, the data breach coming after the administrative body responded to a Freedom of Information (FOI) request. Of course, the incident was reported to the Information Commissioner. Local authorities must collect, store, use, share, and dispose of information in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA). 

In 2021/22, roughly 14 280 cybercrimes were recorded by the police in Scotland, smaller than the estimated 14,860 security incidents recorded in 2020/21. Notwithstanding, it represents a vital augmentation. The increase in cybercrimes can be explained by the impact of the COVID-19 pandemic and government instructions to promote social distancing. Equally important is to take note of the procedural change to the recording of the international crime of April 2020, whereby cases undertaken by a perpetrator outside the UK are to be included. In 2021/22, most security incidents were related to sextortion, a broad category of sexual exploitation involving individuals being threatened (or coerced) to send explicit images online. Any case of sextortion can jeopardise a brand’s trust, as the safety and reputation of one of its staff members are on the line. 

Businesses Can Protect Themselves Using Cyber Hygiene Measures 

With increasingly wired and wireless connections (and devices) on networks, it shouldn’t come as a surprise that malicious activities and interruptions have risen. Failure to comply with the GDPR or DPA may result in penalties, but there are other aspects to consider that can contribute to financial loss due to a data breach. For example, an individual can bring a private claim for compensation for the damage suffered. Some cases offer legal precedents for people to sue businesses that haven’t enacted adequate protections to prevent sensitive information from being leaked. For more information, please consult the following page: https://www.databreachcompensationexpert.co.uk/data-breach-compensation/. It’s crucial to comply with data protection principles and take technical and organisational measures to protect the data you hold and process. 

The concept of cyber hygiene works similarly to that of personal hygiene. To be more precise, businesses maintain their health by taking precautionary measures to help ensure it. It’s about adopting a security-centric mindset and habits that help the organisation mitigate online threats and protect end-users’ sensitive data. Some of the most common cyber hygiene measures include but aren’t limited to: 

  • Malware protection 
  • Cloud back-ups
  • Passwords
  • Restricted admin rights
  • Network firewalls

As the Cyber Security Breaches Survey highlights, some areas of cyber hygiene have experienced a considerable decline, namely the use of password policies, the use of network firewalls, restricting admin rights, and policies to apply software security updates within 14 days. Nevertheless, these trends are indicative of the macro business population, not necessarily small and medium-sized businesses. 

The Question Now Is: Do the Statistics Mask Widespread Underreporting? 

The number of cyber security breaches and attacks against UK organisations seems to have dropped, and the new data looks like encouraging news, but it’s hardly cause for celebration. The numbers haven’t changed drastically as far as preparedness, response, and investment in cyber security are concerned, which means that companies still operate thinking “it won’t happen to me”. Underreporting is an issue worth taking into consideration. Due to the reputational risk and financial implications, a significant proportion of incidents are never disclosed, so it’s difficult, if not impossible, to obtain a clear picture of the true rate of cyber security breaches and attacks. 

Companies are reluctant to report security incidents because it can directly impact their businesses by causing a loss of reputation or deterring potential prospects. Moreover, entrepreneurs strongly believe that malicious actors will never be caught, so incident reporting becomes a waste of time. Correcting underreporting in data sets of publicly reported cyber security breaches and attacks is, therefore, vital. At times, underreporting might not be deliberate, as firms are ignorant of malicious activity. Defending against cyber threats is no longer sufficient, meaning that IT security must focus on response rather than protection. It’s not a matter of if an enterprise will fall victim to a cyber breach or attack, but when. 


All in all, cyber security breaches and attacks cost less in the UK than anywhere else in the world, yet security budgets are smaller. Malicious actors exploit publicly disclosed vulnerabilities to gain access to systems and networks, which is why regular updates are of the essence. In light of the new survey, companies are urged to protect themselves.

The latest stories