Since the Department for Science, Innovation and Technology (DSIT) released its annual Cyber Security Breaches Survey last month, there’s been time to digest what its findings mean for the cyber resilience of the UK’s businesses and charities, and for the profession as a whole. Overall, there are positive trends, but still warnings that organisations cannot let themselves become complacent. For instance, roughly 612,000 fewer companies suffered breaches in 2024 compared to 2023 – 43% of the total vs. 50% – which is more than welcome. And in line with the last two years’ surveys, security is a high priority for senior management and directors in 72% of companies – and 96% of large businesses.
But if we were to take a more negative view, that 72% is still a fall from 2022’s peak of 82%. And more than four-in-ten companies suffering breaches is still a large proportion. Perhaps most worryingly, the report also highlights upcoming dangers that could see the number of breaches increase, and will almost certainly push security back up the priority list. The question then becomes, where are these dangers coming from? And how can we raise security’s importance now, instead of after the fact?
Looking at the breaches, phishing is by far the most prevalent form of attack, making up 85% of successful intrusions. This is backed up by other sources. The ICO’s summary of data security incident trends shows that phishing was the most common vector in 2024, with reports almost double those of ransomware incidents.
Perhaps the most alarming prospect the survey highlights is that AI will supercharge phishing attacks. They’ll become more frequent, more accurate, more dangerous and easier to launch. Untargeted, scattergun attacks will increase in volume, with AI able to autonomously launch campaigns 24/7 without the need for many specialist cybercrime skills. Lower-volume, personalised, more targeted attacks will also increase in sophistication, with AI able to monitor targets and craft more convincing messages to lure victims in.
As a profession, what can we do to address the threat of AI-supercharged phishing, and to make sure security remains a priority? Educating our colleagues remains the best course of action, particularly when budgets can be tight (our most recent survey of the profession shows that 80% believe budgets aren’t meeting threat levels). However, more broadly, organisations also need to be sure they are receiving information and guidance: not just on how to educate colleagues, but on the threats that they’re facing, and how to mitigate them. Looking at the Cyber Security Breaches Survey, it seems either organisations, or the survey makers themselves, are missing a trick.
The survey investigates sources such as external cyber security and IT consultants or cyber security providers (used by 25% of businesses), internal sources such as colleagues (5%), government and public sector sources (3%) and general online searching (also 3%). These are all valid sources, and have benefitted many, but there is a glaring omission: peers within the security profession itself.
This can be as simple as informal networking, but professional bodies such as CIISec have a huge role to play in supplying this guidance. Our members’ knowledge and experience help create in-depth whitepapers on topics such as Training & Awareness and driving Security Culture.
As a profession, we need to remember that we have multiple opportunities to learn from experts in the field. Guides, resources and events that are run by peers who are or have been in the exact same situation offer much more cost-effective opportunities than many other avenues, and will enable cyber security professionals to prepare for more advanced threats and raise the importance of cyber security before events force their organisation’s hand.