RSM UK | THE REAL ECONOMY
CYBER SECURITY
Q1 | 2024
Heightened awareness translating into action
Awareness of cyber security risk is at an all-time high: a series of high-profile attacks has built a broad appreciation of the cost of getting cyber security wrong. The organisations we surveyed reported both feeling prepared to respond to an attack and holding cyber insurance in case an attack succeeds. Indeed, the Bank of England's Systemic Risk survey found that 70% of its respondents considered cyber attack the most challenging risk for a firm to manage, above geopolitical risk and inflation.
of our survey respondents feel prepared to respond to a cyber-attack.
carry a cyber insurance policy, up from 62% when we asked in 2022.
Do you believe that your business has sufficient cyber security capacity and skills to manage your cyber security risks?
Yes, we have the right skills in place
No, we tried to recruit the specialist cyber security resources we need but have had challenges doing so
No, but we have not tried to recruit the specialist cyber security resources that we need
Not sure
Changing attack types
The mix of attack types is shifting. When we asked respondents which attacks they had fallen victim to, ransomware, previously the dominant concern, was less prominent, with phishing/impersonation and direct data exfiltration taking the top two spots.
Which of the following cyber-attacks did your business fall victim to?
Phishing/impersonation (manipulative emails, or emails purporting to be from a trusted party)
Account takeover (use of leaked or legitimate credentials to access systems)
Data leak (intentional or unintentional data leak by an authorised user)
Direct data exfiltration (data stolen directly from your systems)
Ransomware and extortion
Data exfiltration due to a supplier being compromised
Third parties targeted
Third-party and supply chain attacks continue to give cyber criminals attack paths to exploit, and they often sit in the blind spots of a business's cyber security programme. Third parties are an attractive target because a single compromise can yield aggregate value and natural economies of scale: one intrusion at a supplier can open access to many customers' environments, or allow data to be exfiltrated at scale and then used to hold each affected business to ransom. This form of targeting is proving extremely fruitful for cyber criminals.
of our respondents suffered an attack on a key third-party service provider that impacted their business financially, reputationally or operationally.
of the businesses that had experienced an attack in the past year reported that a supplier or third-party was targeted by a threat actor.
Which of the following, if any, does your business need to comply with?
GDPR or similar data protection regulations
FCA/PRA or similar financial services regulations
PCI DSS for payment systems
DORA or similar operational resilience regulations
Legislative landscape evolving constantly
The legislative landscape, both in the UK and internationally, is complex and rapidly evolving, and regulatory expectations vary significantly between industries. Sectors such as financial services and critical national infrastructure are heavily regulated, while others are subject to broader, industry-agnostic regulation such as GDPR alongside specific industry standards such as PCI DSS in consumer markets. Organisations with a global footprint in particular must be aware of the variance in regulation between the jurisdictions in which they operate, including compliance with regulations across their supply chain. Given the extent and evolving nature of the cyber threat landscape, including the rapid development of technologies such as artificial intelligence, governments and authorities are naturally playing catch-up as they set out minimum standards for cyber protection through directives, legislation and regulation.
of the businesses we asked do not currently have plans in place to prepare to comply with NIS2.
Which of the following statements, if any, applies to your business? Please select all that apply.
We have a full list of suppliers that is actively managed
We have a mechanism to monitor the cyber footprint (presence over the internet) of our business
We currently have a third-party risk management framework in place
We carry out annual questionnaires in order to evaluate our key suppliers’ cyber security considerations
Looking forward… AI changing the game
We asked our panel about their key areas of concern and their priorities for the coming year. Ensuring that cyber security foundations are implemented came out as the most popular focus area, with AI-enabled cyber attacks in second place.
The impact of artificial intelligence on the cyber crime landscape is still relatively low-profile, but the more businesses see sophisticated AI-engineered attacks, the higher up the priority list AI will inevitably rise.
AI will dramatically increase the sophistication, volume and scale of cyber attacks while lowering the barrier to entry for cyber criminals executing common attacks. Threat actors are unlikely to abandon attack vectors that already work; rather, they will use AI to take those attacks to new levels through deepfake voice and video, impersonation attacks, and an increased ability to evade detection.
In the not-too-distant future we also expect threat actors to focus more on attacks against AI systems themselves. This will lead to a new variety of ransomware and extortion attacks that exploit flaws inherent in the technology, through methods such as prompt injection (untrusted content in a model's input being treated as instructions) and data poisoning (tampering with the data a model is trained or tuned on).
Looking forward to 2024 and beyond, which of the following are key concerns/priorities for your business? Please select all that apply.
Ensuring the foundations of cyber security are implemented and robust
AI enabled cyber-attacks
Ransomware and extortion attacks
Supply chain attacks (suppliers of services and software)
METHODOLOGY
The research was carried out by The Harris Poll for RSM. 408 senior executives from UK middle market businesses, defined as companies with a turnover between £10m and £750m or financial institutions with assets under management of £200m to £7.5bn, were surveyed for the research.
Data for this survey was collected between 8 January and 30 January and between 1 March and 7 March 2024. Information was collected online or via telephone from 408 executives meeting the set criteria. All individuals qualified as executive-level decision-makers, working across all regions and a broad range of industries. Responses have been weighted to ensure a true representation of the UK economy.
Chart percentages may not equal 100 per cent due to rounding.