
Three in Ten UK Businesses Don’t Take Password Security Seriously

May 2, 2024

4 min. read

James Irwin

Author

On the occasion of World Password Day (the first Thursday of May), we wanted to see how seriously UK businesses take password security and how at risk they are of cyberattacks. To find the answers, we analysed the last eight years of cybersecurity data released by the UK government.

Introduction

Twenty years ago, during a security conference, Bill Gates predicted the death of passwords and a rise of alternative authentication methods that would keep our data more secure. We’ve certainly seen alternative authentication methods (such as biometrics) being created, but two decades later, the password remains the default method of authentication for most services.

In fact, with the ongoing surge of new smart devices and online services, password use has increased considerably. Studies show that the average person is now responsible for keeping track of 168 passwords.

In 2024, passwords are therefore ubiquitous, and password security is crucial. New UK legislation, including a recent bill outlawing smart devices with weak passwords, suggests the government is taking notice of increases in cyberattacks and the importance of strong passwords. But how much attention is the average business paying to them?

We analysed cybersecurity data released by the UK government in the past eight years and here’s what we found:

A Single Cyberattack Could Cost a Business as Much as £40,400

According to cybersecurity survey data released by the UK Government between 2017 and 2024, even though the majority of UK businesses have strong password policies in place, there is still a huge number that don’t take password security seriously.

The data shows that over the last eight years, an average of 27% of UK businesses did not have a password policy in place. 

For instance, in 2017, 31% of organisations didn’t offer employees guidance on acceptably strong passwords and, since then, the number hasn’t improved much. In 2024, 28% of UK businesses still do not enforce strong password policies.


The fact that 3 in 10 businesses in the UK don’t take password safety seriously should be alarming, considering that the government’s latest report revealed the cost of a disruptive cybersecurity attack without data loss could be as much as £10,830. This amount includes just operational costs, such as payments to specialists to fix the problem, new software or systems, any legal fees or staff time. If there is an actual outcome to the attack, such as a loss of assets or data, the total cost could be as much as £40,400.

This cost is significant considering:

4 in 10 UK Businesses Have a Cybersecurity Breach or Attack Each Year

Over the last eight years, an average of 40.88% of UK businesses have been affected by a cybersecurity breach or attack. 

Just in the last 12 months, 50% of businesses in the United Kingdom have had some sort of cybersecurity problem, which is an 18% increase over the previous year.

In other words, the number of cybersecurity attacks that have hit UK businesses in the last year is the highest number ever registered, according to government data.

The Most Common Types of Cyberattacks on Businesses

The most common types of breaches or attacks suffered by UK organisations between 2017 and 2024 were: 


1. Phishing attacks – attempts to extract information such as passwords or personal data, usually through fraudulent emails or invitations to fill in forms on different websites. In the last eight years, phishing attacks have been the most common type of attack, affecting 80% of UK businesses.

2. Impersonation of organisations in emails or online – the second most common problem, experienced by 29% of businesses in the last eight years.

3. Viruses, spyware, or malware – installed by criminals on devices and then used to steal financial information or perform other malicious activities. This is the third most common type of attack and has affected 18% of businesses annually. 

4. Ransomware – an attack in which cybercriminals steal and encrypt a business’s data and then threaten to destroy or publicly reveal that data unless a payment is made. This affected 9% of businesses over the last eight years.

5. Hacking attempts of online bank accounts – impacted 9% of businesses.

6. Denial-of-service attacks – this form of cyber aggression aims to slow or take down a business’s website or applications and make its services inaccessible. It affected 8% of businesses over the past eight years.

7. Takeovers of organisation or user accounts – this type of attack has affected 8% of businesses.

8. Unauthorised accessing of files or networks by outsiders – impacted 6% of businesses.

9. Unauthorised accessing of files or networks by staff – a type of breach that has impacted 3% of businesses. 

10. Unauthorised listening into video conferences or instant messages – impacted 1% of businesses.

11. Other – other forms of breaches or attacks impacted around 4% of businesses.

How to Keep Your Business (Especially Your Password) Safe

Cyber Hygiene Tips from Payset’s Security Specialist 

Since the most common cyber threats are relatively unsophisticated, government guidelines advise businesses to protect themselves using a set of “cyber hygiene” measures, such as updated malware protection, cloud back-ups, regularly-updated passwords, restricted admin rights, using a password manager and network firewalls.

We discussed cyber hygiene with Payset’s security specialist, Fabio Rahamim, who insisted it is crucial to take cyberattacks and breaches seriously. 

He suggested every business should adhere to the following guidelines:

 

1. Strong Passwords

Employees must create strong passwords that are at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters (e.g., !, @, #, $). Avoid common words, sequences, repeated characters, and personal information like names or birthdays.

2. Two-Factor Authentication (2FA)

Enhance security by enabling two-factor authentication, which requires both a password and a second form of verification (e.g., a mobile device or security token) to access company systems.

3. Unique Passwords for Each Account

Use distinct passwords for each service to avoid a single point of failure. This practice helps safeguard personal and professional accounts separately.

4. Regular Training and Awareness

Conduct phishing simulations and training sessions to keep employees informed about the importance of password security and updates on emerging threats. 

5. Conditional Access Based on Geolocation

Access to company systems is restricted based on geographic location. Logins are only permitted from approved locations where the company operates or where business travel is expected, with automatic blocks on access from unauthorised areas.

6. No Password Sharing

Password sharing should be strictly prohibited. Employees are responsible for the security of their passwords and must use approved secure sharing tools for accessing shared systems or information.

7. Checking for Data Breaches

Regularly check email addresses and passwords against the “Have I Been Pwned” database (https://haveibeenpwned.com/) to see if they have been compromised in data breaches.

8. Closing Unused Accounts

Promptly close all unused, dormant, or unnecessary company accounts to minimise security risks and reduce the attack surface for potential cyber threats.

9. Regular Review of User Access and Privileges

Regularly audit user access rights and privileges to ensure they are appropriate for each employee’s role and responsibilities. This review helps prevent unauthorised access and reduces the risk of internal threats by ensuring that only necessary permissions are granted and maintained. Implement an automated system to flag any anomalies or excessive permissions for immediate review and adjustment.
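Guidelines 1 and 7 above can be enforced together when a password is set. The Python below is an added example, not code from Payset or the original article: it checks the stated composition rules, then queries HIBP's Pwned Passwords range API (an endpoint the page does not name), sending only the first five characters of the SHA-1 hash. The three-in-a-row definitions of "repeated" and "sequence", the `fetch` parameter and the User-Agent string are assumptions made for illustration.

```python
import hashlib
import re
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP k-anonymity endpoint

def policy_problems(password):
    """Return the guideline 1 rules a password breaks (empty list = passes)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
               "number": r"[0-9]", "special": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append("no " + name + " character")
    # Assumption: "repeated" means the same character three times in a row.
    if re.search(r"(.)\1\1", password):
        problems.append("repeated characters")
    # Assumption: a "sequence" is three adjacent code points, e.g. abc or 321.
    codes = [ord(ch) for ch in password.lower()]
    for a, b, c in zip(codes, codes[1:], codes[2:]):
        if b - a == c - b and abs(b - a) == 1:
            problems.append("sequence such as abc or 321")
            break
    return problems

def split_sha1(password):
    """SHA-1 the password; only the 5-character prefix leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Download every breached-hash suffix that shares the prefix."""
    request = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0
```

A password is acceptable only when `policy_problems` returns an empty list and `breach_count` returns 0; passing a stub as `fetch` lets the check be tested without network access.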

Methodology

To prepare this article, we analysed the Cybersecurity Breaches Surveys released by the UK Government between 2017 and 2024 and gathered the data for each year, focusing on the:

– percentage of UK businesses that experienced some form of cybersecurity breach or attack in the last 12 months.

– types of breaches or attacks suffered among the businesses that have identified breaches.

– percentage of businesses that have password policies in place (except for 2019, where data wasn’t available), so we can appreciate the number of the remaining businesses that don’t.

After collecting the data, we calculated:

– the average of UK businesses that have been affected by a cybersecurity breach or attack over the last eight years, by averaging the data between 2017 and 2024.

– the average of UK businesses that did not have a password policy in place in the last eight years, by averaging the data between 2017 and 2024.

– the most common types of cyberattacks suffered by UK organisations between 2017 and 2024, by averaging the data for each type of attack. We sorted them from most to least common, keeping in mind that a business could have been hit by multiple types of attacks.

The estimated current cost of a cybersecurity breach or attack was taken from the 2024 Cybersecurity Breaches Survey and reflects the average (mean) total cost of the most disruptive breach or attack from the last 12 months across businesses that identified any breaches or attacks and across organisations identifying breaches with an outcome (for medium/large businesses).

You can see the data HERE

Sources

CyberSecurity Breaches Surveys 2017-2024

Cybersecurity in the Remote Work Era: A Global Risk Report, Ponemon Institute

Password administration for system owners

Password Guidance 


Information contained in this publication is provided for general education and information purposes only and should not be construed as legal, tax, investment or other professional advice or recommendation, or an offer of, or solicitation for, any transactions or any other actions (or refraining therefrom); This material has been prepared without taking into account any particular recipient’s financial objectives or situation. We make no warranty, guarantee or representation, whether express or implied, as to the completeness or accuracy of the information contained herein or fitness thereof for a particular purpose; Use of images and symbols is made for illustrative purposes only and does not constitute a recommendation or advice to take or refraining from any action; Use of brand logos does not necessarily imply a contractual relationship between us and the entities owning the logos, nor does it represent an endorsement of any such entity by Pay Set Limited, or vice versa; Market information is made available to you only as a service, and we do not endorse or approve it; Any reference to past performance, predicted returns, or likelihood performance scenarios may not reflect actual future performance and certainly do not guarantee future outcomes.
