Examining cyber security risks in a volatile environment


Businesses face a complex cyber security landscape. A multi-layered approach minimises financial, operational and reputational impacts, and strategies must adapt to evolving threats and business needs. The cyber security risk landscape in the United Kingdom (UK) has come to the fore recently following a number of cyber attacks on high street retailers. It may feel that the UK is being singled out by cyber criminals, but it is not alone: cyber crime is a global challenge.

By Dr. Joanne Cracknell, Director - PI FINEX Legal Services, and Stephen Hill, Business Support Specialist, WTW

In April 2024 the findings of a three-year intensive research study by the University of Oxford and UNSW Canberra to compile the first ‘World Cybercrime Index’ were published, identifying global cybercrime geographical hotspots. The index ranked the UK eighth, behind Russia, Ukraine, China and the United States.

The Department for Science, Innovation and Technology (DSIT) published its latest annual report in April 2025 (the DSIT Report), following a survey examining the threat of cyber security breaches to businesses, charities and educational institutions. The survey, conducted between August 2024 and December 2024, involved 2,180 UK businesses, 1,081 UK registered charities and 574 education institutions. This article explores the key findings from the DSIT Report, concentrating on businesses.

 Findings from the DSIT Report
43% of businesses surveyed experienced a cyber security incident within the last 12 months, a slight decrease from 50% in 2024. It was suggested that the decrease was driven by a reduction in phishing attacks on micro and small businesses. It is worth noting that the prevalence of cyber security incidents among medium and large businesses remained high, at 67% and 74% respectively, compared with the overall figure of 43%.

 Common causes of cyber security incidents
 
 Phishing
Phishing attacks continue to dominate, with 85% of businesses experiencing them. Phishing is a preferred modus operandi of criminals, who are taking advantage of technological advancements. Attacks are becoming more sophisticated in their design in order to bypass the heightened security measures being implemented by businesses.
 
 Ransomware
Ransomware continues to be a major cyber crime threat to the UK[5] despite efforts from law enforcement to disrupt activities. The recent National Crime Agency (NCA) Serious and Organised Crime Threat Assessment stated that 502 ransomware incidents were reported to the NCA during 2024 as a result of serious and organised crime activity impacting organisations and businesses in the UK. We have seen the impact of ransomware attacks on their victims in the recent high profile retailer attacks, which have caused significant financial loss, risk of personal data being sold on the dark web, exploitation and reputational damage.
  
The DSIT Report identified that 7% of businesses surveyed fell victim to a ransomware attack. Whilst this figure seems low in comparison to phishing attacks, the number of ransomware attacks reported had increased significantly from 2024. This includes attacks where a financial ransom was demanded; however, it was understood that some businesses had measures in place to identify and block the attack before a ransom demand was made.
  
Regarding the payment of ransom demands, the guidance from regulators and law enforcement provides that businesses should consider the correct legal and regulatory practice before making any payment. Paying the ransom does not fulfil any regulatory obligations and will not reduce any regulatory penalties imposed. Furthermore, paying a ransom does not guarantee access to the impacted devices or data, and businesses may be vulnerable to further attacks as criminal groups will know that they are willing to pay the demand. Payments may also not be lawful, particularly if they are made to an entity or area sanctioned by the UK, and there is the accompanying concern that ransom payments fund further criminal activity.
  
 The rise of serious and organised crime
The DSIT Report has identified that cyber criminals are behind the most common causes of cyber security incidents. Serious and organised crime continues to rise. During 2024, advancements in technology were considered to be the driver for this increase, with criminals taking advantage of new technology and greater online connectivity to advance their illicit activities.
  
There is also evidence of cyber criminals benefitting from artificial intelligence (AI). Interestingly, the businesses surveyed suggested that they were more conscious of cyber attacks due to the increased sophistication in the nature of attacks, such as AI impersonation. Attacks are becoming faster and more sophisticated, particularly in respect of CEO fraud, with cyber criminals moving away from traditional whaling emails and diversifying their methodologies using AI tools such as deepfake videos and voice cloning to exploit their victims.

 Managing the risk
72% of businesses reported that cyber security was a high priority for their senior management, particularly in the professional services, financial and insurance sectors. Cyber security risk management should be integrated within the overall organisational risk profile and appetite. Boards and senior management are expected to take ownership of managing cyber security risk and to set the tone in promoting a positive cyber security culture, whereby people are encouraged to raise concerns or make suggestions without fear of retribution.

The report suggests that engagement from boards and senior management can help secure buy-in and adherence from others. The findings from the DSIT Report show that board level responsibility for cyber security has been steadily declining amongst businesses since 2021. This is concerning, as the average annual cost to businesses of dealing with the most disruptive cyber security incidents ranges from £500 to £3,110. The costs incurred include recovering stolen monies, upgrading IT software and systems, legal fees, insurance excess, fines and compensation.

DSIT, in conjunction with the National Cyber Security Centre, has recently published the Cyber Governance Code of Practice[10], which has been produced for medium to large businesses to help boards and directors understand their responsibilities in governing cyber risk. It deals with risk management, strategy, people, incident planning, response and recovery, and assurance and oversight.
Data from the Information Commissioner’s Office suggests that human error continues to be the most common cause of a cyber security incident, whether from sending an email to an incorrect recipient or falling victim to a phishing campaign.

People are an integral cog in the risk management wheel, and businesses need to ensure that all policies, controls and procedures are practical and effective. Education and awareness, consisting of a continuous programme of training and communications using case studies from lessons learned, was the most common preventative measure, adopted by 32% of businesses surveyed. Training was provided annually by a fifth of businesses and included mechanisms to test knowledge, particularly pertaining to data protection and regulatory obligations.

 Cyber insurance
Almost half of businesses reported having some form of insurance cover in place against cyber security risks as part of a wider insurance policy, with only 7% having specific cyber security insurance. Larger businesses were more likely to have a specific policy in place. Alarmingly, one fifth of businesses did not know if they had any form of cyber security insurance in place.
This year’s survey asked organisations without cyber insurance why they did not have cover in place. The largest barriers cited were:

37% lack of awareness of cyber insurance
34% not a budgetary priority
28% lack of interest from leadership
13% cost, with cover considered too expensive.

Interestingly, when interviewed during the study, businesses who held cyber insurance rarely claimed on their policy despite being eligible to do so, because they felt it was not worthwhile financially due to the payment of policy excesses and increased premiums. Larger businesses considered it more beneficial to invest in cyber controls and recovery rather than insurance. However, those businesses who did have insurance saw the benefits: it encouraged more robust cyber security protocols, increased accountability and provided access to expert advice.

 Conclusion
What is clear is that businesses are operating in a complex, volatile and evolving cyber security landscape. Due to the complexity, frequency and severity of this risk there is no single security solution, and businesses need to adopt a multi-layered approach to protect themselves.

By adopting a robust cyber strategy, businesses can minimise the financial, operational and reputational impact of a cyber security incident. The strategy should reflect the size, nature and needs of the business and be able to respond to changes in the business, technological advancements and regulatory and legislative obligations, to ensure the business remains resilient in a volatile cyber security landscape.