Three in Ten UK Businesses Don't Take Password Security Seriously
On the occasion of World Password Day (the first Thursday of May), we wanted to see how seriously UK businesses take password security and how at risk they are of cyberattacks. To find the answers, we analysed the last eight years of cybersecurity data released by the UK government.
Introduction
Twenty years ago, during a security conference, Bill Gates predicted the death of passwords and a rise of alternative authentication methods that would keep our data more secure. We’ve certainly seen alternative authentication methods (such as biometrics) being created, but two decades later, the password remains the default method of authentication for most services.
In fact, with the ongoing surge of new smart devices and online services, password use has increased considerably. Studies show that the average person is now responsible for keeping track of 168 passwords.
In 2024, passwords are therefore ubiquitous, and password security is crucial. New UK legislation, including a recent bill outlawing smart devices with weak passwords, suggests the government is taking notice of increases in cyberattacks and the importance of strong passwords. But how much attention is the average business paying to them?
We analysed cybersecurity data released by the UK government in the past eight years and here’s what we found:
A Single Cyberattack Could Cost a Business as Much as £40,400
According to cybersecurity survey data released by the UK Government between 2017-2024, even though the majority of UK businesses have strong password policies in place, there is still a huge number that don’t take password security seriously.
The data shows that over the last eight years, an average of 27% of UK businesses did not have a password policy in place.
For instance, in 2017, 31% of organisations didn’t offer employees guidance on acceptably strong passwords and, since then, the number hasn’t improved much. In 2024, 28% of UK businesses still do not enforce strong password policies.
The fact that 3 in 10 businesses in the UK don’t take password safety seriously should be alarming, considering that the government’s latest report revealed the cost of a disruptive cybersecurity attack without data loss could be as much as £10,830. This amount includes just operational costs, such as payments to specialists to fix the problem, new software or systems, any legal fees or staff time. If there is an actual outcome to the attack, such as a loss of assets or data, the total cost could be as much as £40,400.
This cost is significant considering:
4 in 10 UK Businesses Have a Cybersecurity Breach or Attack Each Year
Over the last eight years, an average of 40.88% of UK businesses have been affected by a cybersecurity breach or attack.
Just in the last 12 months, 50% of businesses in the United Kingdom have had some sort of cybersecurity problem, which is an 18% increase over the previous year.
In other words, the number of cybersecurity attacks that have hit UK businesses in the last year is the highest number ever registered, according to government data.
The Most Common Types of Cyberattacks on Businesses
The most common types of breaches or attacks suffered by UK organisations between 2017 and 2024 were:
1. Phishing attacks – attempts to extract information such as passwords or personal data, usually through fraudulent emails or invitations to fill in forms on different websites. In the last eight years, phishing attacks have been the most common type of attack, affecting 80% of UK businesses.
2. Impersonation of organisations in emails or online – the second most common problem experienced by 29% of businesses in the last eight years.
3. Viruses, spyware, or malware – installed by criminals on devices and then used to steal financial information or perform other malicious activities. This is the third most common type of attack and has affected 18% of businesses annually.
4. Ransomware – an attack in which cybercriminals steal and encrypt a business’s data and then threaten to destroy or publicly reveal that data unless a payment is made. This affected 9% of businesses over the last eight years.
5. Hacking attempts of online bank accounts – impacted 9% of businesses.
6. Denial-of-service attacks – this form of cyber aggression aims to slow or take down a business’s website or applications and make their services inaccessible and affected 8% of businesses over the past eight years.
7. Takeovers of organisation or user accounts – this type of attack has affected 8% of businesses.
8. Unauthorised accessing of files or networks by outsiders — impacted 6% of business.
9. Unauthorised accessing of files or networks by staff – a type of breach that has impacted 3% of businesses.
10. Unauthorised listening into video conferences or instant messages — impacted 1% of business.
11. Other – other forms of breaches or attacks impacted around 4% of businesses.
How to Keep Your Business (Especially Your Password) Safe
Cyber Hygiene Tips from Payset’s Security Specialist
Since the most common cyber threats are relatively unsophisticated, government guidelines advise businesses to protect themselves using a set of “cyber hygiene” measures, such as updated malware protection, cloud back-ups, regularly-updated passwords, restricted admin rights, using a password manager and network firewalls.
We discussed cyber hygiene with Payset’s security specialist, Fabio Rahamim, who insisted it is crucial to take cyberattacks and breaches seriously.
He suggested every business should adhere to the following guidelines:
1. Strong Passwords
Employees must create strong passwords that are at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters (e.g., !, @, #, $). Avoid common words, sequences, repeated characters, and personal information like names or birthdays.
2. Two-Factor Authentication (2FA)
Enhance security by enabling two-factor authentication, which requires both a password and a second form of verification (e.g., a mobile device or security token) to access company systems.
3. Unique Passwords for Each Account
Use distinct passwords for each service to avoid a single point of failure. This practice helps safeguard personal and professional accounts separately.
4. Regular Training and Awareness
Conduct phishing simulations and training sessions to keep employees informed about the importance of password security and updates on emerging threats.
5. Conditional Access Based on Geolocation
Access to company systems is restricted based on geographic location. Logins are only permitted from approved locations where the company operates or where business travel is expected, with automatic blocks on access from unauthorised areas.
6. No Password Sharing
Password sharing should be strictly prohibited. Employees are responsible for the security of their passwords and must use approved secure sharing tools for accessing shared systems or information.
7. Checking for Data Breaches
Regularly check email addresses and passwords against the “Have I Been Pwned” database (https://haveibeenpwned.com/) to see if they have been compromised in data breaches.
8. Closing Unused Accounts
Promptly close all unused, dormant, or unnecessary company accounts to minimise security risks and reduce the attack surface for potential cyber threats.
9. Regular Review of User Access and Privileges
Regularly audit user access rights and privileges to ensure they are appropriate for each employee’s role and responsibilities. This review helps prevent unauthorised access and reduces the risk of internal threats by ensuring that only necessary permissions are granted and maintained. Implement an automated system to flag any anomalies or excessive permissions for immediate review and adjustment.
Methodology
To prepare this article, we analysed the Cybersecurity Breaches Surveys released by the UK Government between 2017-2024 and gathered the data for each year, focusing on the:
- percentage of UK businesses that experienced some form of cybersecurity breach or attack in the last 12 months.
- types of breaches or attacks suffered among the businesses that have identified breaches.
- percentage of businesses that have password policies in place (except for 2019, where data wasn’t available), so we can appreciate the number of the remaining businesses that don’t.
After collecting the data, we calculated:
- the average of UK businesses that have been affected by a cybersecurity breach or attack over the last eight years, by averaging the data between 2017-2024.
- the average of UK businesses that did not have a password policy in place in the last eight years, by averaging the data between 2017-2024.
- the most common types of cyberattacks suffered by UK organisations between 2017-2024 by averaging the data for each type of attack. We sorted them from most to less common, keeping in mind that a business could have been hit by multiple types of attacks.
The estimated nowadays cost of a cybersecurity breach or attack was taken from the 2024 Cybersecurity Breaches Survey and reflects the average (mean) total cost of the most disruptive breach or attack from the last 12 months across businesses that identified any breaches or attacks and across organisations identifying breaches with an outcome (for medium/large businesses).
You can see the data HERE.
Sources
CyberSecurity Breaches Surveys 2017-2024
Cybersecurity in the Remote Work Era: A Global Risk Report, Ponemon Institute
Password administration for system owners
Frequently asked questions
What is a multi-currency account/virtual IBAN?
A Payset multi-currency account allows you to receive money in 34 different currencies and send money in up to 38 currencies, all within the same account.
You can deposit and withdraw funds, convert currencies at competitive exchange rates, and hold your chosen currencies to capitalize on market movements.
A Payset multi-currency account allows startups and business owners to receive payments from clients virtually anywhere in the world and pay suppliers, staff, and contractors quickly and affordably in their chosen currency.
- Funds can be deposited and withdrawn from the account for a small fee.
- Account holders can send and receive money with other Payset users for free.
- Depending on your region, you can use various payment networks from your Payset account, including SWIFT, SEPA, ACH, Fedwire, Faster Payments, BACS, and CHAPS.
- Once you register an account, you will be provided with a Virtual IBAN (International Bank Account Number), which makes all of these transfers easy.
- We provide you with local payments and collections. For example, transactions in USD, EUR, CAD, and GBP are processed through the local payment networks, which is far cheaper and takes minutes as opposed to days
Are there limits on the amount of money I can send and receive?
No, there are no transaction limits on Payset multi-currency accounts.
However, higher-volume transactions may require additional anti-fraud verification. If you plan to make a large transaction, contact us in advance to avoid verification delays.
How is Payset regulated?
Payset is regulated as an authorized Electronic Money Institution by the UK Financial Conduct Authority. Our activities are also regulated by the Payment Services Regulation 2017 and the Electronic Money Regulation 2011 (SI 2011/99).
How do I add money to my account?
How do I send money from my account?
Once you have opened your verified IBAN account and added money to a balance, transferring funds is simple.
Simply log in into your account and add a beneficiary, then simply “make a transfer” in your preferred currency to that beneficiary.
Information contained in this publication is provided for general education and information purposes only and should not be construed as legal, tax, investment or other professional advice or recommendation, or an offer of, or solicitation for, any transactions or any other actions (or refraining therefrom); This material has been prepared without taking into account any particular recipient’s financial objectives or situation. We make no warranty, guarantee or representation, whether express or implied, as to the completeness or accuracy of the information contained herein or fitness thereof for a particular purpose; Use of images and symbols is made for illustrative purposes only and does not constitute a recommendation or advice to take or refraining from any action; Use of brand logos does not necessarily imply a contractual relationship between us and the entities owning the logos, nor does it represent an endorsement of any such entity by Pay Set Limited, or vice versa; Market information is made available to you only as a service, and we do not endorse or approve it; Any reference to past performance, predicted returns, or likelihood performance scenarios may not reflect actual future performance and certainly do not guarantee future outcomes.
