Cyber Security Breaches Survey

What’s New in Cyber Security?

Published by the Department for Digital, Culture, Media & Sport, the annual Cyber Security Breaches Survey 2020 seeks to help inform organisations about developments, trends and attitudes regarding cyber and information security across the UK.

As essential reading for all those involved with information security, this authoritative report is rarely without surprising, interesting and valuable results and findings; this year being no exception.

In the following, we examine some of the most informative changes and developments in the world of cyber and information security, with help from the Cyber Security Breaches Survey 2020, hopefully allowing you to better understand the threat landscape and how to defend yourself and your organisation.


In the latest Cyber Security Breaches Survey, we found that just under half of all businesses (46%) and over a quarter (26%) of charities have reported cyber security attacks or breaches in the last twelve months.

This is an increase from the findings of the 2019 survey, which reported a respective 32% (businesses) and 22% (charities), but not a significant departure from 2018 or 2017. In fact, the fall in cyber attacks and breaches reported in 2019 is more anomalous, in terms of trends, than the rise we see this year.

Any optimism felt in 2019 towards this fall in cyber attacks was likely premature. Though organisations are, in many ways, potentially better equipped to defend themselves, the sustained profitability of cyber crime continues to fuel this increase in attacks.

Medium and Large Businesses Hardest Hit

As in previous years, it is medium and large businesses that are hardest hit by these incidents, with three quarters (75%) of all large businesses surveyed reporting breaches and attacks. Perhaps seen as more profitable targets for scammers, high-income charities also report attacks or breaches at an above-average rate (57%).

On the specific topic of breaches, what stands out most from the Cyber Security Breaches Survey is the data relating to attack frequency. A shocking 32% of businesses and 22% of charities report experiencing breaches or attacks at least once a week, with many forced to defend themselves every day.

When comparing this frequency with previous surveys, we see a significant change. For example, only 22% of businesses reported this high level of attacks in 2017, meaning the proportion experiencing attacks or breaches at least once a week has risen 10% in just three years. These are concerning statistics for all.

Phishing Attacks Increase

One of the most important topics we have in information security is phishing. Though it may seem relatively basic, phishing is involved in a significant proportion of all successful security attacks, which goes to show that without the foundations of security awareness in place, a secure culture is impossible.

This year's Cyber Security Breaches Survey reports that phishing is still on the rise, with 86% of those businesses suffering attacks reporting fraudulent emails and phishing. Rising from 72% in 2019, the startling number goes to show how prevalent this information security threat still is.

What’s more, the survey also reports that 67% of the afflicted businesses report phishing attacks as the most disruptive breach or attack that they’ve had to respond to. This data emphasises not only the frequency of phishing attacks, but also the ability of fraudulent emails to effectively disrupt businesses.

As the threat of phishing attacks continues to grow, we also see a relatively small number of targeted organisations reporting ransomware as a part of their reported breach or attack: only 8% amongst businesses and 10% for charities.

Though often thought of as a persistent and all-too-common threat, the frequency of ransomware attacks appears relatively minimal in comparison to the frequently underestimated risk of phishing attacks.

Higher Board Engagement

One significant and positive finding of the survey is the increase with which members of senior management are engaging with matters of cyber and information security. 80% of surveyed businesses now say that cyber security is a high priority for their boards, up 11% since 2016.

Likewise, charities are appreciating the need for senior management engagement, seeing a respective increase of 21% since only 2018.

Strong Password Policies

Though the Cyber Security Breaches Survey 2020 primarily deals with attacks and breaches, the survey also looks at the policies of organisations and surrounding data relating to information security.

We learnt this year, for example, that a worrying 19% of UK businesses do not have a password policy to ensure users set strong passwords. Combine this fact with the persistent threat coming from phishing attacks, and it’s little surprise that hackers, scammers and cyber criminals continue to find their nefarious work profitable.

The survey also reports that a majority (53%) of businesses have staff using personally owned devices, including phones, laptops, tablets, etc., to carry out regular work-related activities. This finding once again shows that businesses are failing to do all they can to protect and secure their information.

Moving Forward

Although there are certainly some positive trends and statistics shown within the Cyber Security Breaches Survey 2020, there are also plenty to suggest that not only are cyber threats, such as phishing attacks, still a significant and costly risk to organisations, but also organisations need to be doing more to properly defend against information security threats.

When the most common and effective attack vector is fraudulent emails, it would be wise to recognise that giving staff the tools and skills to mitigate this easily avoidable risk is essential for any business wishing to evade the rising costs of enduring a breach or attack.

Information Security Awareness Training

As with many preventative security measures, the key to defending against information and cyber attacks is education. With robust information security awareness training, an organisation can reliably reduce the risks associated with suffering a breach or attack, minimising the frequency of human errors and helping to build a secure culture from within.
