In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the questions every business should be asking. This month we review the Department for Science, Innovation & Technology (DSIT) Cyber Security Breaches Survey 2023. We look at the ICO’s new guidance on biometric data and review how the ICO will publish guidance on how it calculates fines.
We take a look at why this is important and the implications for both businesses and individuals.
Find out more below.
DSIT Publishes Cyber Security Breaches Survey 2023
What happened
- The Cyber Security Breaches Survey is a research study which aligns with the National Cyber Strategy.
- It’s used to inform government policy on cyber security, to make UK cyberspace a secure place to do business
- Cyber security breaches and attacks remain a serious threat, but the survey has shown that smaller organisations are identifying fewer of them than previously
- 32% of businesses and 24% of charities overall recorded breaches or attacks in the last 12 months – a decrease from 39% of businesses and 30% of charities in 2022
- The drop relates to smaller organisations, as the results for medium and large organisations and high-income charities remain similar
- The figures were higher for medium businesses (59%), large businesses (69%) and high-income charities with £500k or more in annual income (56%)
- DSIT estimates that the single most disruptive breach from the last 12 months cost each business an average of £1,100. For medium and large businesses this is estimated at £4,960 and for charities approximately £530
- The most common cyber threats are classed as ‘unsophisticated’, so DSIT is advising organisations to protect themselves using ‘cyber hygiene’ measures
- The most common hygiene measures include updated malware protection, cloud back-ups, strong passwords, restricted access and network firewalls. Certain areas of cyber hygiene have declined steadily across organisations:
(i) use of password policies (79% in 2021, vs. 70% in 2023)
(ii) use of network firewalls (78% in 2021 vs. 66% in 2023)
(iii) restricting admin rights (75% in 2021, vs. 67% in 2023)
(iv) policies re: software security updates within 14 days (43% in 2021, vs. 31% in 2023).
Why it matters
- It is clear that the survey has been completed under different economic conditions than in previous years. Smaller organisations have been more affected by rising costs due to high inflation, higher energy prices and economic uncertainty, and cyber security has dropped down their priority lists
- Smaller organisations have identified fewer cyber breaches than in 2022, which might mean that senior managers in these organisations view cyber security as a lower priority than in previous years and are carrying out less monitoring
- Ways of working have changed since the pandemic: fewer businesses restrict access to business-owned devices, and fewer charities monitor their users than before
- This may help explain the fall in the number of businesses experiencing breaches or attacks since 2020: it might reflect a genuine reduction in cyber attacks, but alternatively smaller organisations may simply be less capable of identifying breaches or attacks than they were three years ago
Further information
Details of the Cyber Security Breaches Survey 2023 can be found at Cyber security breaches survey 2023 – GOV.UK (www.gov.uk)
ICO issues new guidance on biometric data
What happened
- The ICO recently published new guidance on the processing of biometric data
- Biometric data is unique. It’s defined as ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data’
- There are greater risks when this more sensitive type of personal data is processed and a greater level of care is needed
- The ICO has issued this guidance whilst simultaneously ordering a number of community leisure trusts to stop using facial recognition technology and fingerprint scanning to monitor their staff at work
- The ICO determined that the leisure trusts could have achieved the same purpose via much less privacy intrusive means
Why it matters
- The ICO’s guidance is a reminder of how important it is to make sure data protection compliance is considered early on when considering the use of a new system that processes personal data
- It’s important that a Data Protection Impact Assessment (DPIA) is completed, which will highlight the personal data risks and these can be addressed and mitigated where appropriate
Further information
Full details of the ICO’s guidance can be found at Biometric data guidance: Biometric recognition | ICO
ICO publishes guidance on how it will calculate fines
What happened
- New data protection fining guidance was published by the ICO on 18 March 2024
- This followed a consultation process in 2023
- The factors that the ICO must consider are set out in Art 83(2) UK GDPR:
- The nature, gravity and duration of the infringement
- The intentional or negligent nature of it
- Any action taken by the data controller or processor to mitigate the damage
- The degree of responsibility of the controller or processor taking into account technical and organisational measures
- Any relevant previous infringements
- The degree of co-operation with the ICO
- The types of personal data involved
- The manner in which the infringement became known to the ICO
- Where measures in Art 58(2) were previously ordered against the controller or processor related to the same subject matter
- Adherence to approved codes of conduct
- Any other aggravating or mitigating factor
Why it matters
- The new guidance is relevant for new cases and also for ongoing cases where the ICO has not already issued a notice of intent to impose a fine
- The ICO wants its approach to be applied on a case-by-case basis rather than mechanistically
- Fines are subject to a statutory maximum: the standard maximum amount is the higher of £8.7 million or 2% of the organisation’s global annual turnover in the preceding financial year, and the higher maximum is the higher of £17.5 million or 4% of the organisation’s global annual turnover in the preceding financial year
Further information
Details of the ICO’s guidance can be found at Data Protection Fining Guidance | ICO