安全的哀歌：2023-24年英國網(wǎng)絡安全狀況（英）

Security’s

Lament:The

state

ofcyber

security

in

the

UK2“Organisations

thatestablish

a

robust

cybersecurity

frameworkaligning

with

their

strategyare

well

positioned

toshape

the

future”3iomart

Cyber

Security

ReportOctober

2023Welcome

from

LucyThe

second

iteration

of

a

research

report

is

often

the

most

interesting

–

having

set

a

benchmark

thefirst

time

around,

it’s

always

very

useful

to

be

able

to

see

how

things

have

changed

and

developed.We’ve

worked

again

this

year

with

Oxford

Economics,

an

independent

research

expert,

to

gather

theopinions

of

500

senior

cyber

security

leaders

and

find

out

about

their

experiences

over

the

last

12months.Many

of

the

key

issues

we

unearthed

last

year

remain.

Cyber

leaders

report

a

near-constant

batteryof

attacks

from

online

threat

actors,

compounded

by

increasing

costs

and

tightening

budgets.

Theyface

the

unenviable

balancing

act

of

keeping

their

organisations

safe,

often

with

fewer

resources.The

noisy

landscape

of

technology

solutions,

including

the

breakaway

star

of

2022/23

–

generativeAI

–

can

make

it

difficult

to

know

how

to

optimise

cyber

defences.What’s

concerning

is

that

our

research

found

an

increase

in

the

number

of

attacks

over

the

last

12months.

The

news

headlines

are

still

too

frequently

occupied

by

another

household

name

which

hassuffered

a

successful

breach.

And

for

every

one

of

these

high-profile

attacks,

there

are

many

morewe

don’t

hear

about.Our

intention

with

this

research

is

to

help

cyber

decision-makers

better

understand

the

biggerpicture

of

the

threat

environment

and

how

others

are

approaching

this

pernicious

challenge.By

working

together

and

learning

from

each

other,

we

can

reduce

our

risk

of

falling

victim

todetermined

criminals

–

and

more

confidently

take

advantage

of

the

growing

benefits

of

a

connectedworld.We

hope

this

report

helps

make

those

tough

decisions

a

little

easier.Best

wishes,Lucy

Dimes,CEOiomart

Group

plc1ContentsIntroduction..................................................................................................................

3Part

1

-

Balancing

threats

and

budgets....................................................................

4Part

2

-

Tech

has

become

increasingly

integral

to

a

strong

cyber

strategy........

6Part

3

-

Talent

is

crucial

in

combatting

threats

......................................................

8Part

4

-

How

does

my

industry

stack

up?

..............................................................10Conclusion

.................................................................................................................122iomart

Cyber

Security

ReportOctober

2023IntroductionOrganisations

that

establish

a

robust

cyber

securityframework

aligning

with

their

business

and

IT

strategiesare

well

positioned

to

shape

the

future.

This

alignment

notonly

improves

their

resilience

against

today’s

inevitable,

andoften

costly,

cyber

threats,

but

also

fosters

an

environmentfavourable

to

innovation

and

revenue

generation.

Cybersecurity

strategy

has

become

integral

to

both

the

day-to-day

functioning

of

business

operations

and

thedetermination

of

potential

growth.To

take

the

pulse

of

cyber

security,

Oxford

Economicsand

iomart

surveyed

500

executives

responsible

fortheir

organisation’s

cyber

strategy.

The

sample

includesexecutives

from

a

range

of

industries—most

with

more

than1,000

employees—all

based

in

the

UK.The

survey

revealed

these

key

takeaways:?

Budgetary

constraints

hamstring

cyber

strategies

in

theface

of

increased

incidents.

A

majority

have

an

inadequatebudget

to

fully

protect

their

organisations

at

a

time

whenmany

cite

the

increased

cost

of

remediation

as

a

majorchallenge.

Rising

insurance

premiums

can

add

to

alreadystrained

budgets.Yet

organisations

are

operating

in

an

unpredictablelandscape,

with

their

efforts

muddled

by

inflation,geopolitical

tension,

a

cost-of-living

crisis,

and

evenadvances

in

technology,

such

as

generative

AI.

Bad

actorsare

taking

advantage

of

these

circumstances—the

past

yearsaw

a

sharp

rise

in

the

average

number

of

attacks

over

theyear

before.

To

make

matters

worse,

despite

upticks

in

thefrequency

and

intensity

of

cyber

attacks,

many

organisationscyber

security

strategies

are

still

in

their

infancy,

remainingat

the

periphery

of

their

business

processes.

For

companiesto

remain

competitive

or

outperform

their

rivals,

thosestrategies

will

have

to

mature

rapidly.

And

they

mustovercome

a

cyber

security

talent

pool

that

is

running

dry,

aswell

as

budgetary

constraints,

as

cyber

security

competesfor

allocation

against

an

abundance

of

other

challenges.?

There

is

a

promising

future

for

cloud

and

automationwithin

cyber

strategies.

Businesses

are

increasinglyinvesting

in

such

technologies

to

bolster

cyber

security.With

many

concerned

by

shortages

in

their

internal

cyberskills

and

awareness,

these

technologies

are

seen

asparticularly

pertinent

given

their

importance

to

emailscreening

and

automated

resolutions.The

cyber

security

industry

is

also

undergoing

significantchanges—as

many

new

players

enter

the

market

andmergers

and

acquisitions

consolidate

suppliers.

Despitethe

industry’s

complexity,

though,

organisations

areeager

to

engage

with

it

to

get

on

top

of

their

cyber

woes,acknowledging

the

potential

profit,

reputation,

cost,

andefficiency

benefits.

To

that

end,

many

organisations

have

atleast

taken

initial

steps:?

While

deploying

the

appropriate

technology

is

crucial,effectively

leveraging

it

requires

the

right

people.

Thesecurity

skills

gap

yawns

large

and

remains

the

biggestchallenge

for

most

cyber

strategies.

With

internal

skillsand

resources

lacking,

organisations

face

a

major

hurdle.To

combat

these

obstacles

and

get

the

most

from

theirtech

investments,

executives

plan

to

invest

in

employeetraining

while

also

hiring

in-house

specialists

and

third-party

consultants.?

Invested

in

cyber

security

services

and

products

tounderstand

points

of

vulnerability

and

manage

threats;?

Introduced

cyber

hygiene

and

multi-factor

authenticationto

create

a

culture

of

security;

and?

Focused

on

employees,

procuring

training,

and

upskilling.Methodology/demographicsandkeyde?nitions?

Sample:

Cybersecuritystrategydecision-makers(n=500)?

Executivetitles:CTO,

CIO,

CISO,

CFO,

COO,

ChiefDigitalOfficer,CEO,

ChiefRiskOfficer,ChiefDataOfficer?

Sectorscovered:Software,Professionalservices,Legal,Finance,Not-for-Profit,Government,Insurance,Healthcare,Manufacturing,Retail,Transportation,Consumerproducts?

Companysizesrepresented:Mostrespondentshave

morethan1,000

employees.20%have

￡250mto￡499minrevenue,20%have

￡500mto￡999minrevenue,20%have

￡1bnto￡4.99bninrevenue,20%have

￡5bnto￡9.99bninrevenue,20%have

morethan￡10bninrevenue.?

Locationscovered:

RespondentsareallfromtheUK?

Datesfielded:

July20233Part

1:

Balancing

threats

and

budgetsPhishingMalware56%

55%remain

the

threats

of

greatest

concern

to

executives

for

thesecond

year

in

a

rowThreats

are

constantly

evolving.More

than

a

third

of

decision-makerssay

keeping

up

with

the

pace

ofevolving

threats

is

a

top

challenge.Over

the

last

year,

organisationsexperienced

an

average

of

30

cyberincidents,

which

represents

anannual

increase

of

six

incidents

overthe

24

reported

last

year.

And

theseare

the

ones

organisations

knowabout.handling

them

(49%

phishing,

48%malware).

Fewer

still

(one

quarter)are

sure

of

their

ability

to

deal

withransomware—a

threat

that

continuesto

dominate

headlines

globally.

Notto

mention

disruptions

from

the

pastthree

years

continue

to

complicatetheir

ability

to

protect

themselves—executives

are

struggling

withmanaging

increased

volumes

ofdata,

the

pace

of

technology,

andsupply

chain

disruptions

within

theirsecurity

strategy.Not

surprisingly,

phishing

(56%)

andmalware

(55%)

remain

the

threatsof

greatest

concern

to

executivesfor

the

second

year

in

a

row,and

less

than

half

are

confidentin

their

organisation’s

ability

inKeeping

pace

with

threats

is

moreimportant

than

ever.

To

respond,or

even

become

more

proactive,organisations

are

looking

to

improveApproximatelyhowmanycybersecurityincidentshasyourorganisationexperiencedoverthelastyear?4iomart

Cyber

Security

ReportOctober

2023Whatimpactsdidyourorganisationexperienceasaresultofcybersecurityincidents?Disruptedoperations61.8%53.8%48.0%IncreasedcoststoremediateNegativereputationalimpactLossofcompetitiveness36.6%32.0%30.2%SignificantbusinessdowntimeNegativefinancialimpactTheftofdata18.2%9.4%Finesfrom

industryregulators(e.g.,ICO,FCA)their

cyber

postures,

allocating

anaverage

of

￡40,190

to

vulnerabilityassessments,

penetration

testing,or

red

team

engagements.

However,they

are

also

fully

aware

thesemeasures

alone

are

not

sufficient,and

they

need

more

money

tounderpin

their

plans.

More

than

aquarter

(27%)

of

organisations

thinktheir

current

cyber

security

budgetis

inadequate

to

fully

protect

themfrom

emerging

threats.decrease.

The

uptick

in

pricing

onlyadds

to

the

cost

of

remediation,

withthe

majority

(54%)

of

respondentssuggesting

it

is

the

second

greatestimpact

of

cyber

security

incidents,well

above

more

traditional

factorssuch

as

theft

of

data

(18%)

andnegative

financial

impact

(30%).And

the

tightening

of

budgetscreates

blind

spots.

With

41%of

organisations

being

forced

tosacrifice

cyber

security

to

keepthe

lights

on

during

the

pandemic,it

is

no

wonder

cyber

securityinitiatives

are

not

evenly

appliedacross

businesses.

Only

37%

ofrespondents

agree

that

security

isembedded

into

all

their

businessprocesses

and

functions,

while

14%admit

that

security

is

addressed

onan

ad-hoc

or

as-needed

basis.But

budgets

hamstring

efforts.Tightbudgets

continue

to

be

a

top

barrierin

meeting

cyber

security

goals,

andrising

cyber

insurance

premiumsonly

stress

budgets

further.

Theincrease

in

cyber

premiums

is

rankedas

the

top

change

over

the

pasttwo

years,

with

70%

of

respondentsnoting

a

rise

and

just

4%

seeing

a70%say

rising

cyber

premiums

is

the

topranked

change

over

the

past

two

years5Part

2:

Tech

has

become

increasingly

integral

to

astrong

cyber

strategy67%say

private

cloud

has

strengthened

theirsecurityLeveraging

existing

technology.Executives

may

be

feeling

thecrunch,

but

creating

a

strong

cyberstrategy

on

a

tight

budget

is

notimpossible

because

some

of

thegroundwork

has

been

laid.

Manyorganisations

already

have

thetechnology

to

help

them

keep

up.Cloud

has

become

foundational

tocyber

strategies—almost

three-quarters

(74%)

of

organisations

relyon

private

cloud,

with

67%

sayingit

has

strengthened

security.

Andnearly

two-thirds

(65%)

lean

hardon

automation.

More

than

half

(53%)will

use

automated

responses

overthe

next

two

years,

while

51%

planto

employ

both

SIEM

monitoring

andautomated

resolution

of

securityincidents.Emerging

tech

comes

into

play.Despite

a

focus

on

well-establishedtechnologies,

many

executives

alsoplace

considerable

faith

in

emergingtechnologies.

Well

over

one-third(38%)

believe

the

increased

use

ofAI

and

ML

in

threat

detection

andresponse

will

be

a

significant

trendin

cyber

security

over

the

next

twoyears.

In

particular,

they

cite

emailscreening

(78%)

and

contextualanalytics

(69%)

as

dominant

usecases

for

AI

and

automation.However,

budgetary

concerns(31%),

compliance

and

regulatoryrequirements

(23%),

and

a

lack

ofskilled

workers

(23%)

are

obstaclesto

successfully

implementingnascent

technologies

such

as

AI

andautomation.38%believe

the

increased

use

of

AI

and

ML

inthreat

detection

and

response

will

be

asignificant

trend

in

cyber

security6iomart

Cyber

Security

ReportOctober

2023Hasyourorganisationimplemented,ordoesitplantoimplementanyofthefollowingtechnologiestoincreasecybersecurity?Cloud-privateAutomation74.0%65.4%63.0%59.4%AIDataanalyticsCloud-public50.0%DLP(datalossprevention)37.4%ZTNA(zerotrustnetworkaccess)IDS(intrusiondetectionsystem)MDR(manageddetectionandresponse)SIEM

(securityinformationandeventmanagement)EDR(endpointdetectionandresponse)SOC(securityoperationscentre)IPS(intrusionpreventionsystem)XDR(extendeddetectionandresponse)26.6%24.6%22.4%22.0%21.6%21.0%19.4%17.0%For

whichofthefollowingcybersecuritytasksdoyoucurrentlyuseAIorautomation?Emailscreening77.6%69.1%ContextualanalyticsAutomatedresolutionofsecurityincidents/Reducingalertfatigue42.1%39.7%TobridgesecurityskillsgapsAutomatedresponsesPlaybookimplementationSIEMmonitoring38.6%38.2%32.9%Noneoftheabove0.2%Managing

the

tech

shift.Figuringout

where

to

start

investinghas

proven

difficult.

Our

surveyfound

that

executives

havenew

products

—

only

half

saytheir

investments

have

beeneffective.

Purchasing

tech

andcyber

security

products

without

aclear

strategy

and

people

who

canleverage

it

effectively

diminishesits

potential.

To

maximise

the

valueof

their

investments,

executivesneed

guidance

on

navigating

theshift

to

an

increasing

reliance

ontechnology.trouble

sorting

through

the”noise”

created

by

the

tsunamiof

offerings

and

security

playersin

the

market

to

find

the

bestfit

for

their

organisations

needsand

budgets—nearly

two

in

five(38%)

struggle

with

this.

Whilemost

are

generally

enthusiasticabout

tech

adoption—almost

allrespondents

have

invested

in7Part

3:

Talent

is

crucial

in

combatting

threats53%say

cyber

security

culture

and

regularemployee

training

to

prevent

human-related

breaches

will

be

crucialPeople

are

key

to

cyber

success.As

important

as

tech

is

to

cybersecurity,

executives

are

looking

totheir

employees

to

be

the

first

line

oftheir

cyber

defence.

More

than

half(53%)

say

cyber

security

culture

andregular

employee

training

to

preventhuman-related

breaches

will

becrucial,

indicating

the

continuationof

a

significant

trend.

In

the

past

twoyears,

63%

of

organisations

haveinvested

in

employee

training.Whatstepshasyourorganisationtakentoprotectitselffromcyberattacks?12.20%Investedin

cyber

security

services77.4%13.40%Investedin

cyber

security

products72.8%40.80%Employee

awarenesstraining47.0%28.6%Introduced

basic

cyber

hygiene(e.g.,password

management)45.2%29.4%28.2%Implemented

multi-factor

authentication40.0%Developed

and

enforced

approvedlistofIoT

devices

andconnections39.2%50.4%Hired

third-party

consultantsImplementeda

regular

patch

management

programIncreased

vetting/audits

of

vendors/suppliers37.8%33.6%34.8%37.8%33.8%23.6%Conducted

regular

system

auditsto

detectvulnerabilitiesBolstered

cyber

security

infrastructure30.6%43.6%25.8%32.2%Hired

in-house

specialists23.2%PlantoadoptAdopted8iomart

Cyber

Security

ReportOctober

2023Whatarethetopchallengestomeetingyourorganisation’scybersecuritygoals?Lackofinternalskillsandresources(e.g.,nodedicatedfunctionor24/7capability)44.6%41.0%ToomanycybersecurityproductsandservicesonthemarketKeepingupwiththepaceofevolvingthreatsBudget/costlimitations35.8%35.0%DifficultyintegratingcybersecurityintoinfrastructureDifficultyfindingtherightcybersecurityproviderLackofusecases/perceivedROIforcybersecurityIncreasingpaceofmergersandacquisitions31.4%30.6%22.0%20.2%Lackofinteroperabilitybetweencybersecuritysolutionsandlegacytechnology13.2%But

getting

people

in

place

takeseffort.

Putting

the

right

people

inplace

is

complicated

by

skills

gapsand

a

continuing

shortage

of

skilledworkers.

Decision-makers

say

alack

of

internal

skills

and

resourcesconstitutes

the

biggest

challenge

inmeeting

their

cyber

security

goals.With

burnout

among

cyber

securitystaff

on

the

rise—30%

believe

theirteams

are

suffering

from

it—gettingthe

right

talent

(and

the

rightGetting

the

right

people.

To

closesome

gaps—outside

of

upskillingand

reskilling

employees—almosta

third

of

organisations

(32%)will

hire

in-house

cyber

securityspecialists

in

the

next

two

years,and

a

full

half

(50%)

will

do

thesame

for

third-party

consultants.Executives

also

are

eyeing

non-traditional

talent

sources

toovercome

skills

shortages—75%plan

to

hire

from

less-traditionalpools

of

job

candidates,

such

asgamers

and

ex-military.

And

morethan

half

(55%)

plan

to

expandcyber

fluency

to

the

top

of

thecorporate

ladder

by

stocking

boardswith

people

who

have

specificcyber

security

experience

.

Evenmore

(72%)

will

create

internshipsand

apprenticeships.

These

stepsare

important

to

creating

a

morecyber

security

literate

workforcethat

can

successfully

implementcyber

strategy

and

leverage

thetechnology

investments

associatedwith

it.technology

to

support

them)

is

moreimportant—but

harder—than

ever.Flexible

and

hybrid

work,

a

well-established

work

lifestyle

formany

office

employees,

has

alsointroduced

new

challenges

andvulnerabilities.

Almost

half

ofrespondents

(46%)

say

the

bumpin

remote

and

flexible

work—anda

more

geographically

distributedworkforce

(36%)—have

complicatedtheir

organisation’s

ability

to

protectagainst

cyber

threats.

It

is

nowonder

then

that

few

feel

confidentin

tackling

their

greatest

cybersecurity

threats

and

that

reducingcyber

risks

created

by

employeeshas

therefore

become

a

priority

forcyber

security

decision-makers.55%plan

to

expand

cyber

fluency

to

the

top

of

thecorporate

ladder

by

stocking

boards

with

peoplewho

have

specific

cyber

security

experience9Meet

the

cyber

security

strategy

leadersWe

isolated

a

group

of

survey

respondents

who

are

using

technology

and

talent

to

get

the

most

from

their

cybersecurity

investments.

This

elite

group

(n=126,

approximately

25%

of

the

sample)

is

defined

by

the

following:?

Respondents

in

the

first

quartile

who

have

already

implemented

initiatives

like

employee

awareness

training,introducing

basic

cyber

hygiene,

hiring

third-party

consultants,

using

managed

service

providers,

using

technologieslike

AI

and

automation,

and

aligning

their

strategy

with

business

and

IT.?

They

have

implemented

a

stronger

talent

strategy,

like

improving

employee

skills,

using

managed

service

providersand

professional

services,

and

bringing

on

board

members

with

specific

cyber

security

experience.

They

are

far

lesslikely

to

say

their

internal

cyber

security

teams

are

suffering

from

burnout.?

They

experience

better

results

from

their

efforts.

They

are

more

likely

than

others

to

say

initiatives

like

employeeawareness

training,

introducing

basic

cyber

hygiene,

investing

in

the

right

products

and

services,

and

bolsteringcyber

security

infrastructure

have

been

effective.?

They

manage

data

better

than

other

respondents—almost

all

are

confident

in

keeping

up

with

data

regulations,preventing

data

security

breaches,

and

sharing

data

internally

with

partners.?

They

have

made

purposeful

investments

in

technology—most

have

invested

in

cloud

and

updated

infrastructure,

aswell

as

AI

and

automation,

potentially

to

close

some

skills

gaps.?

They

are

less

likely

to

say

their

budget

is

inadequate

to

fully

protect

their

organisation.?

They’re

already

reaping

the

benefits

of

their

efforts—they’ve

already

seen

improved

profitability

and

cost

savings,internal

efficiency,

and

revenue,

and

increased

innovation

potential.The

takeaway:

balancing

tech

and

talent

like

our

Leaders

could

give

organisations

a

leg

up

when

setting

cyberstrategy.Part

4:

How

does

my

industry

stack

up?Finance

and

Insurance

are

stillworking

out

the

kinks.There

arestark

differences

between

industrieswhen

comparing

the

number

ofcyber

incidents

they

experienceannually.

On

the

high

end

of

thespectrum

sits

Insurance,

Finance,Not-for-profit,

Healthcare,

andGovernment,

all

seeing

at

least

31incidents

a

year.

Insurance,

withthe

second

highest

number

ofincidents

last

year,

reported

thehighest

number

of

incidents

thisyear,

despite

spending

the

secondhighest

amount

on

cyber

testing

andassessments

(￡46,100

on

averagevs.

￡40,190

total).

Finance

fell

fromfirst

place

last

year

in

the

numberof

incidents

they

experience

butis

still

comparable

to

Insurance.Organisations

in

this

space

facesimilar

challenges,

such

as

budgetlimitations,

and

agree

there

are

toomany

cyber

security

products

andservices

on

market.

Consequently,like

those

in

many

other

industries,the

Finance

sector

emphasisesthe

increasing

importance

ofcyber

security

culture

and

regularemployee

training

to

prevent

human-related

breaches.The

Public

Sector

is

strugglingto

keep

up.

UK

Public

Sectororganisations

in

Healthcare

andGovernment

are

in

a

similar

boat.Both

are

more

likely

to

say

cybersecurity

threats

have

increasedin

frequency

over

the

last

twoyears

(56%

of

Healthcare,

55%

ofGovernment

vs.

48%

of

the

surveytotal).

In

recent

months,

the

UKPublic

Sector

has

been

battling

awave

of

ransomware

attacks,

withcritical

infrastructure

like

the

NHSTrusts,

Ofcom,

and

pension

services,all

being

targeted.

Ransomwarereasonably

is

by

far

their

topconcern,

much

higher

than

any

otherindustry.10iomart

Cyber

Security

ReportOctober

2023The

Public

Sector

is

also

feeling

theeffects

of

cyber

skills

shortages

athigher

rates

than

the

Private

Sector,a

potential

explanation

of

why

itis

struggling

to

mitigate

threats.Executives

in

this

space

are

morelikely

to

say

it

is

harder

and

moreexpensive

to

find

and

retain

cyberstaff

(38%

of

Healthcare,

48%

ofGovernment,

vs.

34%

survey

total).Going

forward,

however,

the

PublicSector

plans

to

invest

in

employeeawareness

training

over

hiring

third-parties,

in-house

specialists,

orpurchasing

insurance.ones.

Strategically,

Manufacturingexecutives,

compared

to

those

inother

industries,

are

significantlymore

likely

to

have

embeddedsecurity

into

critical

infrastructureand

aligned

cyber

security

and

ITstrategies.

Tactically,

they

have

goneto

greater

lengths

to

mitigate

cyberrisk

by

investing

in

cyber

securityproducts,

outsourcing

intelligence,introducing

basic

cyber

hygiene,

andpurchasing

comprehensive

cyberinsurance.

Finally,

operationally,

theyare

more

likely

to

conduct

employeeawa