A recent survey conducted by the U.K. government revealed that cybercriminals launched over 7.78 million attacks against businesses and nearly 1 million against charity organizations. However, fewer than half of these organizations reported the incidents to authorities, a concerning trend. Many organizations are hesitant to report cyber incidents because they fear hefty fines and reputational damage. Whether an organization is obliged to report depends on the severity of the attack and the number of affected customers.
Nicholas Ryder, a professor of law at Cardiff University, noted that smaller organizations and charities tend to avoid reporting cyber incidents because reporting is voluntary for less severe attacks. Not having an incident response plan in place is considered a red flag regardless of the scale of the attack. Organizations that rely on an informal, loose understanding of attack mitigation strategies often end up suffering more serious attacks. Ryder suggested making reporting mandatory for cyberattacks and cyber fraud to address this issue.
The survey indicated that small to midsized organizations were the primary targets of cyberattacks, with most attacks involving phishing schemes and online impersonation. Only 3% of the surveyed organizations were targeted by ransomware, despite earlier warnings from the National Cyber Security Centre about potential ransomware attacks on British charities. Many organizations reported a lack of resources and cybersecurity expertise, which led them to give lower priority to areas such as supply chain risk management, staff training, and patching vulnerabilities.
Ryan McConechy, the CTO of Barrier Networks, emphasized the importance of using the National Cyber Security Centre's guidance to improve cybersecurity defenses, especially for smaller organizations struggling with cybersecurity. Because the guidance is voluntary, organizations are not required to follow it, which can leave gaps in cybersecurity practices. McConechy warned that organizations with informal attack mitigation strategies are more likely to waste time and suffer more serious attacks. Implementing mandatory reporting for cyber incidents could help address these weaknesses and improve overall cybersecurity posture.
In conclusion, the survey highlights the prevalence of cyberattacks targeting small to midsized organizations and charities, with many organizations lacking adequate resources and cybersecurity expertise. The voluntary nature of incident reporting for less severe attacks often leads to underreporting and insufficient regulatory scrutiny. Implementing mandatory reporting for cyber incidents and following cybersecurity best practices, such as the NCSC guidance, could help organizations strengthen their defenses and better protect against cyber threats.