Print Article

Experts react to worrying findings in Government’s Cybersecurity Breaches Survey


Government figures show UK businesses are doing little to prevent, detect or respond to data breaches.

Cybersecurity experts have reacted with dismay to figures published by the Government that show UK businesses are doing little to prevent, detect or respond to data breaches.

The UK Government has published data from its Cybersecurity Breaches Survey for 2024, which is aligned with the National Cyber Strategy. It suggests that few businesses report a breach, and more than a third (39 percent) said that no action was taken in response to their most disruptive breach in the last 12 months.

Andy Kays, CEO of threat detection and response business, Socura, whose clients include NHS trusts, said:-

  • “It is incredibly disappointing to see such disregard for cybersecurity among the UK’s small business community. Despite years of warnings from experts, countless data breach headlines, and increased regulatory action, this issue still isn’t on their radar,”
  • “Only a fraction of UK businesses have any kind of formalised incident response plan, which I find astounding.
  • Businesses will always have a plan in case of a fire, but will not apply the same due care for a data breach – which is statistically much more likely. It flies in the face of common sense.”
  • A lot of firms’ responses “seem stuck in the past.”
  • “Most businesses’ experience with cyber incidents seems limited to phishing attempts, and their default response is to conduct security awareness training if they do anything at all. In the event of a breach, businesses are not keeping records, not informing the police or regulators, not assessing the scale and impact of the incident.
  • They are failing to do the bare minimum. It’s also important to note that businesses are doing very little to prevent or detect breaches in the first place,”

An accident waiting to happen

Elsewhere, Richard Staynings, chief security strategist for Cylera said

  • Organisations’ failure to protect their supply chains “is an accident waiting to happen.”
  • Just over one in ten businesses say they review the risks posed by their immediate suppliers (11 percent, vs. nine percent of charities). More medium businesses (28 percent) and large businesses (48 percent) review immediate supplier risks.
  • “Organisations in the public and private sector need to do a much better job of managing third parties and in assessing third party risk.
  • They must understand what exactly is connected to their networks and what risk each of these systems presents. This is especially a concern given the significant growth in IoT devices, which often lack cyber security and are rarely patched,”
  • “Most industries tend to do a terrible job of managing the security of their supply chain. Any third party vendors, whether those supplying goods in your café or your external accountant, they all need to be held to the same security standards and policies as your own organisation.
  • “The trouble is few businesses enforce this within their contracts with third parties, making it a prerequisite to ensure that they have policies and procedures that meet our own standards, that they have quality assurance in place, staff training and access controls set up, and that they provide ISO/IEC 27001 certification – the world’s best-known standard for information security management systems (ISMS).
  • “We can’t have third party vendors winning contracts for critical industry sectors such as healthcare and hospitals based simply on the lowest bid.”

Leadership buy-in on cybersecurity

The report shows that board engagement and corporate governance approaches towards cybersecurity tend to be more sophisticated in larger organisations.

Three-quarters of businesses (75 percent) report that cybersecurity is a high priority for their senior management. This proportion is higher among larger businesses (93 percent of medium businesses and 98 percent of large businesses, vs. 75 percent overall).

Shankar Haridas, UK head of business development at ManageEngine, the enterprise IT division of Zoho Corp., said

  • It is imperative leadership teams – particularly in medium and large businesses who are at higher risk – understand the threat landscape today
  • “Navigating a rapidly changing realm of cyberthreats requires organisations to have a defence in depth approach to cybersecurity,”
  • “Vigilant measures include constantly monitoring networks for unusual activity, implementing access control mechanisms, vulnerability scanning and patching of endpoints, and training users on good security hygiene. It is essential for organisations to bring the People, Process, Policy and Partners together and keep cyber security an integral part of their goal.
  • Well prepared organisations will go even further and plan for the worst – introducing services that allow them to recover their data and systems in the event of a successfully cyberattack.”


The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email