More than four in every ten businesses in the UK experienced a cyber breach in 2017, according to a survey carried out for the Department of Culture, Media and Sport.
Researchers at Portsmouth University found 43 per cent of firms had been affected, as had 19 per cent of charities.
The study also found that awareness of and preparedness against cyber attacks was higher in commercial entities than in the charity sector, which may reflect the expectation – justified by the data – that companies are more likely to be targeted.
It found that 27 per cent of businesses have a cyber security policy in place, compared with 21 per cent for charities, although in the case of businesses this is a drop from the 33 per cent seen in the last survey in 2016.
This is despite the fact that 74 per cent of business respondents say cyber security is a high priority for senior management, while just over half (53 per cent) of charities said the same.
Overall, however, this still meant that many organisations – whether commercial or not – have not made cyber security a priority, despite 98 per cent of firms and 93 per cent of charities having at least an element of digital function in their operations, ranging from the use of email to extensive e-commerce facilities.
Although there is a significant overall difference between the number of firms attacked and charities targeted, the distinction almost vanishes when it comes to larger organisations; 72 per cent of the largest firms and 73 per cent of the biggest charities – those with annual incomes of £5 million or more – were targeted last year.
In addition, organisations that hold personal data, used cloud computing or allowed staff to use their own devices for work were more likely to be targeted. Some 56 per cent of businesses and 44 per cent of charities fall into these categories and of these, 47 per cent of businesses and 30 per cent of charities, were attacked.
This is a clear sign that the cyber criminals are not simply seeking to maliciously compromise the operations of businesses, but are engaged in deliberately targeting what they know to be vulnerable and abundant sources of personal data that can then be used in fraudulent activity.