Despite the number of cyber attacks in the UK increasing dramatically year-on-year, two-thirds of UK organisations still don’t operate with round-the-clock cybersecurity, according to a new report, “Unfunded and Unaccountable” by Trend Micro. The report claims to have found evidence of “major security gaps and lack of board accountability in many companies.” The results cast the UK economy’s cyber readiness in a worrying light.
Bharat Mistry, Technical Director at Trend Micro, argues that these issues are having dire consequences for UK businesses. “A lack of clear leadership on cybersecurity can have a paralysing effect on an organisation—leading to reactive, piecemeal and erratic decision making,” he says, a problem made more acute as the frequency and severity of cyber attacks in the UK rise year-on-year.
Cybercrime rising in the UK
Cybercrime cost the average business in the UK £4,200 in 2022. All told, cybercrime costs the UK approximately £27 billion per year. The average cost of a cyber attack to a medium-sized UK business was £10,830 in 2024. While that figure is naturally larger than the overall average, since it covers only medium-sized businesses, the data still indicate a meaningful upward trend.
This year, the UK Government’s Cyber Security Breaches Survey found that half of UK businesses had suffered a cyber attack or security breach in the preceding 12 months — an increase from the previous year.
Trend Micro’s research, which surveyed 100 UK cybersecurity leaders as part of a global study, found widespread concern over both the ubiquity of attacks and the UK economy’s lack of preparedness to combat the threat. As noted by twenty-four IT, this year only 31% of businesses and 26% of charities undertook a cybersecurity risk assessment, suggesting that many organisations are not adequately prepared for the threat of cybercrime.
Trend Micro’s report backs up that data. The overwhelming majority (94%) of cybersecurity leaders surveyed reported concerns about their organisation’s attack surface. Over one third (36%) reported being worried about whether they have a way of discovering, assessing and mitigating high-risk areas. Additionally, 16% said they weren’t able to work from a single source of truth.
Communication, clarity, and cooperation
Trend Micro’s data pins the blame for UK companies’ failure to achieve these cybersecurity basics squarely on a lack of leadership and accountability at the top of the organisation. Emphasising this, almost half (48%) of global respondents said that their leadership doesn’t consider cybersecurity to be its responsibility, while only 17% disagreed strongly with that statement.
When asked who does or should hold responsibility for mitigating business risk, respondents returned a variety of answers, indicating a lack of clarity on reporting lines. A quarter (25%) of UK respondents said the buck stops with organisational IT teams.
This lack of clear direction on cybersecurity strategy may be fuelling widespread frustration. Over half (54%) of UK respondents complained that their organisation’s attitude to cyber risk was inconsistent, with some noting that it “varies from month to month.”
“Companies need CISOs to clearly communicate in terms of business risk to engage their boards. Ideally, they should have a single source of truth across the attack surface from which to share updates with the board, continually monitor risk, and automatically remediate issues for enhanced cyber-resilience,” argues Mistry.