We asked nearly 1,000 UK employees about their cybersecurity priorities for 2024 and how their company is adapting to the changing threat landscape.
In this article
- The cyberthreat landscape is dominated by human factors
- Many experienced ransomware attacks, but most didn’t pay up
- Most have seen attempted phishing attacks at work in 2023
- 61% of companies spent more on cybersecurity in 2023 than in 2022
- AI supports cybersecurity in three-quarters of surveyed orgs
- Cybersecurity priorities for 2024
Cybersecurity is constantly evolving to mirror the changes we see in society. Attackers are always on the lookout for new vulnerabilities, and companies must find ways to defend against them while maintaining business as usual.
To discover how UK organisations view IT security going into 2024, we surveyed 995 employees who have at least some familiarity with the cybersecurity tools that their company uses. We also explore in detail how AI is used in cybersecurity. 86% of participants in the survey are either involved in security decision-making or have full awareness of their company’s cybersecurity measures, while the rest said they only have partial awareness of the measures in place. In these articles, we refer to groups of ‘more cyber-aware’ and ‘less cyber-aware’ employees accordingly.
You can scroll down to the bottom of this article for a full methodology.
The cyberthreat landscape is dominated by human factors
Robust protection begins with a proper understanding of an organisation’s vulnerabilities and threats. The more cyber-aware respondents in our survey believed that the primary cybersecurity struggle for their company is human-centric, but technological shortcomings also pose problems. The top five current vulnerabilities, according to these respondents, were:
- Careless employees (40%)
- Cyber supply chain vulnerabilities (35%)
- Susceptibility to phishing/social engineering schemes (31%)
- Insufficient network security (30%)
- Unencrypted data (29%)
The same respondents also have their eye on multiple external threats going into the next 12 months, but the ones they are most concerned about tend to target people rather than infrastructure. AI-enhanced attacks, advanced email phishing attacks, and advanced ransomware attacks topped the list.
Despite the acknowledged threat and risk landscape, most people surveyed (54%) said their organisation didn’t experience a data breach in the 12 months prior to the survey. However, another 11% weren’t sure.
Of the 35% who did suffer a data breach (or breaches), 50% said the cause was external (a hacker or other outsider maliciously accessing systems) and 42% said one of their data repositories was accidentally left unsecured. Theft by insiders was a factor in 30% of cases.
Ransomware and phishing were major factors in data breaches. When we exclude these two attack types, the percentage of cyber-aware respondents who said their company has ever been the victim of a cyberattack stands at 17%. As the following sections explore, the percentages that have seen ransomware and attempted phishing attacks this year alone are comfortably twice as high.
Many experienced ransomware attacks, but most didn’t pay up
Ransomware remains an ever-present threat, and responses from the more cyber-aware employees in our survey reflect this. One-quarter said that their organisation had been subject to an attack in the previous 12 months, which involved computers being locked down until a ransom was paid. Another 17% said this had happened more than once.
In most of these cases, however, the victims never ended up paying a ransom. In fact, a ransom was only paid out in just over a quarter of cases. The rest of the time, the victims were able to recover data or simply accepted the fact that it was lost.
Criminals use ransomware to lock or otherwise block access to victims’ computer systems, accounts, or data. Attackers might also threaten to leak or delete critical information. They demand a ransom to unlock the systems, which may be in cryptocurrency so it’s harder to trace. In 40% of the cases reported in our survey, the ransom demand was over £25,000.
The National Cyber Security Centre (NCSC) gives comprehensive advice to businesses for protecting against ransomware. As well as good practices like backing up data, keeping software up to date, and training employees to use IT systems responsibly, good network security is also vital.
Most have seen attempted phishing attacks at work in 2023
Phishing is a major concern for more cyber-aware employees, and respondents as a whole reported that these attacks are very common. 74% said they’re aware of people within their company (including themselves) receiving phishing emails in the past 12 months. And 56% of these said that people within their company have clicked on malicious links in these emails in the past.
Phishing is a technique that cyberattackers use to gain access to victims’ systems. They send messages (often via email, but increasingly using social media and other communication platforms) that aim to trick victims into giving away confidential data or downloading malicious software. Phishing is often the first step in a ransomware attack.
Email security software often includes features to defend against phishing attacks, but hackers’ techniques are evolving all the time. It’s important to have a comprehensive strategy against phishing that includes education, awareness, and simulations.
These attacks also seem to be on the rise. In GetApp’s 2023 Phishing Attacks Survey over half (53%) of respondents thought phishing attempts had increased by more than 20% over the previous three years.
As well as deploying cybersecurity tools, companies can mitigate the risks of phishing attacks by ensuring that their employees can spot the signs of a phishing attempt and respond accordingly. They can run simulation campaigns where employees receive a (safe) email that looks like a phishing attempt as a test to see if anyone will click on the link or open an attachment. 43% said their company has run such a test in the past.
61% of companies spent more on cybersecurity in 2023 than in 2022
The more security-aware respondents to our survey —those who are either involved in security decision-making or who have full knowledge of their company’s tooling and policies— report that their companies employ a range of tactics to defend against threats. Formal risk assessments, data classification, and a zero-trust policy all rank highly.
Most employees as a whole (including less cyber-aware ones) said their company has fundamental protective measures in place when accessing IT systems and buildings. Almost all people surveyed use two-factor authentication at work to access business applications (33% for all applications and 55% for some) and just under half said their company has some form of biometric security in place.
Companies have many complementary cybersecurity solutions in place, and the trend seems to be towards greater investment. 61% of more cyber-aware employees said their company spent more on IT security in 2023 than in 2022, and only 2% reported a decrease. But most companies seem to concede that all the protection in the world won’t make them immune to attacks. Well over half (61%) also buy cyber insurance to cover their backs if an incident does occur. Policies in this area might include coverage for preventative measures, direct losses as a result of a breach, post-incident recovery, and liability cover if an attack affects third parties.
AI supports cybersecurity in three-quarters of surveyed orgs
Artificial intelligence (AI) offers new possibilities to defend companies against cyberthreats. AI-powered tools can monitor network traffic, analyse behaviour patterns, and detect malicious activities in real-time, enabling companies to proactively respond to potential threats. AI is integrated into many commonly available cybersecurity software products, while some are even sold as specific AI tools.
More than three-quarters (77%) of the more cyber-aware respondents in our survey said that their companies use AI-powered cybersecurity tools.
According to those who work for companies that use AI systems for cybersecurity, the biggest factors driving this investment are human-related. AI tools can often spot threats that target humans, but which human users might miss themselves. Phishing, social engineering, and ransomware attacks were important drivers of investment here.
However, these same respondents said that their future AI investment priorities are more likely to be in protecting infrastructure. Network security (48%), cloud security (48%), and email security (43%) will be the biggest areas of focus going forward.
AI investment set to grow in 2024
Companies’ confidence in AI as part of their cybersecurity defences is clear from their investment. The more cyber-aware respondents with experience of AI report that these systems can spot threats in real time, detect anomalies that indicate risky behaviour, and draw insight from multiple data sources.
But AI is not without its challenges. For one thing, many of the technologies are relatively new in the market, and they’re not immune to manipulation by skilled hackers. The major challenges, as reported by those with some knowledge of AI security, were false positives and negatives, as well as the quality and quantity of data.
Cybersecurity priorities for 2024
Participants in our survey remain vigilant against attacks that target people (such as phishing and social engineering) and have multiple solutions in place to mitigate the risks. These include awareness and training, but also extend to technology, where AI has an important role to play.
In part two, we will dig deeper into how individual employees fit into an organisation’s cybersecurity strategy and how companies can engage them in their security operations efforts.
Methodology:
The data for GetApp’s 2023 Data Security Survey was collected between November 10th and 26th 2023 and comprises answers from 995 respondents. We selected our survey sample based on the following criteria:
- UK resident
- Aged between 18-65 years-old
- Full-time employee
- Works for a company which uses cybersecurity software tools for protection and has some awareness of which tools are used