Beyond the Hype: Why Cybersecurity Needs Reliable Data and Base Decisions on Facts, Not Fear
How the UK’s Cyber Security Breaches Survey sets a new standard, replacing myths with actionable insights
Hello Cyber Builders 🖖
Data is more than just numbers—it’s about making informed decisions. Do we have enough reliable data about the cybersecurity ecosystem in Europe? No. So, are we making the right informed decisions? Well, tell me.
Reliable statistics help us understand what’s happening: what types of attacks are most frequent, which industries are most at risk, and how significant the financial impact of these threats is. Yet, cybersecurity often lacks solid, transparent data that businesses and organizations can trust. Instead, the landscape is clouded by marketing-driven reports and unverified claims that can distort our perception of risks and solutions.
Why does this matter? We move beyond fear-driven decision-making when we base our cybersecurity strategies on credible data. We gain a clearer picture of the actual threats and know where to focus our resources. Reliable statistics would benefit the cybersecurity economy by promoting better preparedness and resilience against cybercrime.
But for that to happen, we need more public, verified sources—data that doesn’t come from a vendor’s marketing team but from impartial, professional organizations, like government agencies or respected industry associations. That’s why we’re looking at the latest data from the UK government, which is leading the way with its Cyber Security Breaches Survey. Their approach to gathering and sharing transparent statistics is a model for what cybersecurity reporting should look like.
The Problem with Marketing-Driven Cybersecurity Statistics
It’s no secret that in cybersecurity, marketing often fills the gaps left by a lack of solid, public data.
But when marketing shapes the narrative, we’re left with fear-mongering statistics.
One example is the infamous claim that “60% of small businesses go out of business within six months of a cyber attack.” This statistic was repeated so often—in countless blogs, vendor whitepapers, and social media posts—that it became accepted. However, the National Cyber Security Alliance (NCSA) had to step in, pointing out that there was no credible basis for this claim.
There are many other examples. I think these marketing hacks create a long-term issue: security practitioners and experienced CISOs are increasingly reluctant to buy the stories told by vendors. Tech journalists focus only on grounded stories with end-user use cases.
How do we get an unbiased picture of what’s at stake and where to focus security resources? Reliable data doesn’t just counteract myths; it gives companies the confidence to make decisions grounded in reality rather than marketing hype.
Small and medium businesses, which have zero resources to validate information, are more impacted than others. It’s harder for them to make a rational, informed decision when little data is available.
In that context, we should praise the work done by the UK government to provide reliable cybersecurity statistics.
UK Cyber Security Breaches Survey 2024
If there’s a shining example of how reliable, unbiased data can change the narrative, it’s the UK government’s Cyber Security Breaches Survey. This annual survey, commissioned by the Department for Science, Innovation and Technology, gathers accurate data on cyber threats, attacks, and responses from businesses and charities across the UK. It’s free from the influence of vendors and offers businesses an accurate view of the current cybersecurity landscape.
Key Findings from the 2024 Survey
The 2024 survey sheds light on significant trends and challenges facing UK organizations:
High Prevalence of Attacks: Half of UK businesses (50%) reported experiencing a cyber attack or breach in the last year, rising to 74% for large companies. This data provides insight into how widespread cyber threats are, helping organizations of all sizes see the likelihood of an attack in a more realistic light.
Phishing Dominates the Threat Landscape: Phishing is the most common attack. This reinforces the need for companies to prioritize phishing defenses, helping to demystify where security investments should go.
Preparedness Gaps: Only 22% of UK businesses and 19% of charities have formal incident response plans. This data signals that while awareness of cyber threats is high, preparedness still lags, especially among smaller organizations. These numbers underscore the need for widespread improvement in incident response planning.
Risk Assessments: 31% of businesses and 26% of charities have undertaken cyber security risk assessments in the last year, rising to 63% of medium companies and 72% of large companies.
Source: UK Cyber Security Breaches Survey 2024
A Model for Credible, Public Data with Clear Separation Between “Breaches” and “Crimes”
The Cyber Security Breaches Survey exemplifies what unbiased, government-backed data can achieve. Presenting a grounded, realistic picture of the current threat landscape helps companies focus on real risks instead of marketing hype. The UK government demonstrates a transparent approach that all governments and industry associations should emulate.
This survey highlights the path forward. With precise, impartial data, organizations are better equipped to understand the landscape, prioritize spending, and take action where it’s most needed.
You can check out their full report here for more details. Still, perhaps the most valuable part of the survey is its clear separation between general breaches and prosecutable cyber crimes. Here’s a closer look at this essential distinction based on a key extract from the report:
Cyber crime
Some cyber security breaches and attacks do not constitute cyber crimes under the Computer Misuse Act 1990 and the Home Office Counting Rules. Therefore, the statistics on prevalence and financial cost of cyber crime differ from the equivalent estimates for all cyber security breaches or attacks (as described above). They should be considered as a distinct set of figures, specifically for crimes committed against organisations, so are a subset of all breaches and attacks.
…
An estimated 22% of businesses and 14% of charities have experienced cyber crime in the last 12 months, rising to 45% of medium businesses, 58% of large businesses and 37% of high-income charities. Looked at another way, among the 50% of businesses and 32% of charities identifying any cyber security breaches or attacks, just over two-fifths (44% for businesses and 42% for charities) ended up being victims of cyber crime.
Phishing is by far the most common type of cyber crime in terms of prevalence (90% of businesses and 94% of charities who experienced at least one type of cyber crime). The least commonly identified types of cyber crime are ransomware and denial of service attacks (2% or less of businesses and charities who experienced cyber crime in each case). When removing phishing-related cyber crimes, we estimate that 3% of businesses and 2% of charities have experienced at least one non-phishing cyber crime in the last 12 months.
…
We estimate that UK businesses have experienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes in the last 12 months.
…
The average (mean) annual cost of cyber crime for businesses is estimated at approximately £1,120 per victim (this excludes crimes where the only activity was phishing).
Conclusion
Reliable, impartial data is the foundation of effective cybersecurity. Without it, we’re left navigating a landscape filled with hype, myths, and misplaced priorities. The UK government’s Cyber Security Breaches Survey sets a standard for transparency, offering clear, actionable insights into the true nature and impact of cyber threats.
I wish EU ENISA, US MITRE, or professional organizations would follow this model so businesses everywhere can make informed, confident decisions rooted in reality—not marketing.
Let’s push for data we, Cyber Builders, can trust, so we can build a stronger, more resilient cybersecurity ecosystem.
Laurent 💚