UK businesses shockingly unaware of how to handle security threats

UK businesses' response to security breaches has "astounded" experts following the release of the government's official cybercrime stats for 2024. The report from the Department for Science, Innovation and Technology (DSIT), released today, painted security as more of an afterthought for UK businesses, especially when …

  1. Eclectic Man Silver badge

    Progress

    So, no change there then, that most businesses do not have an incident response plan. After all that would require thinking about your business risks, and making a mature, cost-based decision on how to prepare and what to do, instead of - doing whatever the business was set up to do to make money.

    Reminds me of a joke from the Goon Show:

    Major Bloodknock: What's happening back in England?

    Minnie Bannister: Nothing's happening back in England.

    pause

    Major Bloodknock: Well, there's progress for you.

    1. Yet Another Anonymous coward Silver badge

      Re: Progress

      > financial hit of £1,206

      So the dopey misogynistic temp on reception clicks on a dodgy link and we have to get her a new PC from Currys until your nephew can come in and reinstall Windows

      or

      We must immediately shut down all operations at Bert's window cleaners, contact National-Super-Secret-Police-Super-Secret-Super-Cyber-Super-Unit, NAFO, MI4 (the one they don't talk about) and the MMB and implement plan Götterdämmerung from our secret backup data centre on a secret island somewhere

    2. NeilPost

      Re: Progress

      After all the strong FUD talk of new GDPR legislation and penalties, reputational damage etc., as ever with UK regulators they pussied out.

      One of the defining cases was the British Airways data breach and customers' info share.

      https://www.mayerbrown.com/en/insights/publications/2020/10/british-airways-ultimately-fined-20m-for-personal-data-breach-by-the-uk-ico-under-the-gdpr

      Fined £183m. In the end reduced to £20m.

      British Airways pleaded COVID and got let off with chump change to them. The deal should have been defer the fine until business stabilised and returned to profitability … and then 20% of global profits over 20 years (inc interest) until paid off reflecting the short-term Covid cash flow challenges.

      Inadequate enforcement, now just a relatively insignificant cost of doing business and no C-Level jail time.

      I didn't get my tax bill from HMRC permanently reduced to 11% of the original value 'because of Covid' and its existential threat to my financial viability.

      Fuckers.

      Nice spending money that could have been punitive damages on the all-(34,000)-staff uniform Oliver Boateng change last year. Double fuckers.

  2. elsergiovolador Silver badge

    Shocker

    SMEs can barely keep their heads above water; having yet another thing to add to the pile of things would likely have sunk them.

    So most just predictably decide to wing it and hope it will all somehow work itself out.

    In the meantime policymakers just ticked another box.

    Happy clappy Britain.

  3. Gene Cash Silver badge

    "Wot? Cybersecurity? Incident response?"

    "We weren't taught anything about this in business school!"

    1. Version 1.0 Silver badge

      Re: "Wot? Cybersecurity? Incident response?"

      Every business has always been run by people determined to make the business work well ... that's been the business environment for hundreds of years with very few security threats until recent years. "Easy" data access everywhere has changed the safety world everywhere; currently data security is pretty much like "vaccinations" ... totally effective this week, but the risks then evolve to cause problems again.

      The environment has had a huge change so we need to make a tremendous change in the way everything is done ... it's a bit like the pandemic, we're all wearing masks but we get infected occasionally.

      1. elsergiovolador Silver badge

        Re: "Wot? Cybersecurity? Incident response?"

        > that's been the business environment for hundreds of years with very little security threats until recent years.

        Really? What about having to pay protection money to the local gangs, or competitors getting a corrupt government to close you down or let your business experience a mysterious fire?

        Today is even worse, as common crimes against business are pretty much legal. Anyone can go to your company, take whatever they want and leave. If you are an SME, all you can do is get a crime ref number (and if the officer has a bad day you will probably have to explain to him why you think any crime happened at all and that you have not imagined it) and frame it.

        Then you have cyber crime on top of all that.

        1. Anonymous Coward

          Re: "Wot? Cybersecurity? Incident response?"

          I think "cyber security threats" rather than "security threats" - as for security threats, think in terms of thousands of years: "the Vikings are coming"?

          As for cyber, stuff has been happening since the 1990s. It's just that the stuff is getting worse, plus we have become more and more dependent on digital solutions and simply haven't realised.

          In the 90s you would have fallen back on your Rolodex if your machine had been compromised. What happens to your contact list today if your phone/computer gets compromised?

          1. NeilPost

            Re: "Wot? Cybersecurity? Incident response?"

            From memory, Anti-Virus for Exchange Server 5.5 used to filter out the spam and knobble the virus/malware.

            I'm not seeing that much these days, with the exception of overly aggressive sending to the Junk folder. Indeed, if I cc myself, Apple will send it to Junk.

  4. Pascal Monett Silver badge

    "It flies in the face of common sense"

    Yup.

    Time to redefine "common" sense, 'cause it ain't so common no more.

    1. Doctor Syntax Silver badge

      Re: "It flies in the face of common sense"

      Never was.

  5. 42656e4d203239 Silver badge

    why bother doing anything...

    When the worst that happens is a slap on the wrist and a public telling off... especially when a mealy-mouthed "Sorry we got caught with our pants down, security is really our top priority, honest guv!" press release seems to be a get out of jail free card.

  6. Doctor Syntax Silver badge

    "Businesses will always have a plan in case of a fire"

    It probably extends to having fire doors, a designated rendezvous point, extinguishers, evacuating the building, dialling 999 and having a roll-call. Beyond that it's hard to plan, partly because the extent of damage would be unknown.

    If a business can't plan for something unknown but physical that the managers can understand, how can it plan for an unknown that most of the business managers don't understand?

    I've certainly had the experience of a workplace fire. Any advance planning would have been above my pay grade but I doubt there was any at all. AFAICS the response was improvised based on the actual damage and the circumstances. My wing of the building was burned to a crisp but we needed to be in the security perimeter. The occupants of the surviving wing who didn't need the security were decanted to other premises - how they coped I've no idea. Space allocation had to be based on what was available and what could be found by getting in portacabins.

    Individual groups took their own decisions as to what to do - one group gathered their surviving equipment in their allocated space and, as far as I could make out, just sat there for some days waiting to be told what to do next. Personally, I spent part of the Sunday* on the phone to our Leitz contact getting some microscope deliveries prioritised and on the Monday a couple of us drove up to the local laboratory supplier and went round the warehouse with lab. trolleys rather like a supermarket and buying in supplies on the principle that "We'll need some of those and some of that and that one, there". Someone else got in touch with other labs to rebuild the methods notes etc that we'd lost. Each group rearranged their allocated space as best they could with the help of builders brought in to tidy up the gap left by the missing wing. I managed to turn a section of corridor which now went nowhere into a microscope room so successful that we replicated it in the rebuilt wing.

    Has anyone else had to deal with the aftermath of a fire and how did it differ in essentials?

    * The fire happened on a Friday night and, as I was taking an OU field trip on the Saturday, didn't immediately find out about it.

    1. Yet Another Anonymous coward Silver badge

      >The fire happened on a Friday night and, as I was taking an OU field trip on the Saturday, didn't immediately find out about it.

      A likely story. Better arrest him just in case, yes sarge

      1. Doctor Syntax Silver badge

        I don't think a cause was established, surprising in view of some of the circumstances, but possibly it would have embarrassed either the RUC or Army if it had been. It came at the end of a spate of fake incendiaries being planted in Belfast. They'd have been brought in for examination. Not my speciality, but my suspicion is that there was one that wasn't fake & that that had been missed.

  7. yetanotheraoc Silver badge

    How to improve the survey results

    "Awareness of the information campaigns run by the NCSC has also been in continued decline for the past two to three years, according to today's survey."

    ## Survey 2025

    Please check the correct box:

    [ ]True [ ]False - I have heard of Cyber Aware, the general online safety advice book from the NCSC ( https://www.ncsc.gov.uk/cyberaware/home ).

    [ ]True [ ]False - I have heard of the 10 Steps to Cyber Security guide from the NCSC ( https://www.ncsc.gov.uk/collection/10-steps ).

    [ ]True [ ]False - I have heard of the Cyber Essentials assessment from the NCSC ( https://www.ncsc.gov.uk/cyberessentials/overview ).

  8. ecofeco Silver badge

    To the surprise of...

    ... no one.

  9. Pete 2 Silver badge

    Answers own question

    > The median cost of these breaches, both in the short and long term, stands at £0

    Which tells us why the small businesses that make up the majority of cases, took no action.

    However this figure is suspect, since the median of a set of values is the middle value. That would imply that while some victims took a financial hit: a cost, others must therefore have made a profit, in order for the median to be zero.

    Another explanation is that there was a typo, or that the analysis, or report, is wrong. Which makes people question what else could be incorrect.

  10. Ball boy Silver badge

    Hardly surprising

    My business subcontracts to an estate manager - the kind that look after residential apartments and the like. They hold not only physical keys to the premises they manage but have full access to the bank account operated by the company that gets created to deal with shared costs: maintenance and repairs, etc. I've seen staff log into some of these bank accounts and any credentials not cached locally in the browser were looked-up...in an email from the MD! So far as I can work out, no one has ever mentioned these as potential risks and there's never been any formal IT training. Ever.

    Their tech. support is run by an IT shop three doors down. I really do mean 'shop': I'm not using the term as a slang reference to an IT services house; they sell hardware and custom-build PCs for the general public. Nice enough chap, though, has a background in IT services and tries his best. He says he has no control over what the MD in the estate management biz. decides to buy and link into the network (mobile phones, his home computer setup and so on) and I'm told the 'backup' is a RAID pairing of the SSDs in their office server: he wouldn't pay for anything beyond that. So basically, no backups: just some insurance against a single drive failing (don't even ask what happens if one SSD suffers bit rot: I have doubts the motherboard would believe the right drive and no confidence it'd get investigated unless warnings were writ large and often!).

    I can't imagine this kind of setup is by any way unique. IT systems, the data contained within and the security surrounding all this is very much an afterthought for, I suggest, most businesses below about 20 people because the costs of doing it anything like 'right' would be horrific.

  11. pimppetgaeghsr

    It's been quite visible to me for quite some time. All the security professionals seem to just walk into very highly paid jobs due to a lack of qualified people in that niche field; it's impressive, and a lot have converted to that career path in recent years. Still, it only seems to improve companies' abilities to figure out they have had security incidents retrospectively. I think a lot of legacy companies (so most of the UK economy) would rather just not hire security folks and pretend all is well.

  12. Al fazed

    Why SMEs and not-for-profits DO NOT bother

    In my role as director of a very small not-for-profit working in the community, I have experienced PHISHING attempts - like any other eMail user.

    As a university educated IT pro, (BSc Information Technology) I have done the right thing.

    I found the time and sought out the correct organisation to report the SCAM to and dutifully sent off the report, as advised on:

    https://www.gov.uk/report-suspicious-emails-websites-phishing "Forward suspicious emails to report@phishing.gov.uk"

    I received shortly after a very nice eMail notifying me that they did not read my message because it had something nasty attached to it...

    Way to go?

    What a waste of my time and effort. It did not inspire confidence in the Government's ability to receive suspect eMails - forwarded as directed...

    The result indicates to me quite clearly that in future I shouldn't bother wasting my time or effort, if no one at the receiving end is capable of reading/receiving the FORWARDED message.

    Up yours UK Gov.

    ALF

  13. Anonymous Coward

    Cognitive dissonance is strong here

    Not quite sure how this story squares with pages and pages of job ads for IT security professionals all sporting an alphabet of certificates.

  14. Roundtuit

    No reference to the original research source?

    No point pondering or pontificating then.
