Go To Home

6 takeaways from GOV.UK’s 2021 cybersecurity breaches survey

by Amir Moin

Cyber Security Breaches Survey 2021

UK’s Department for Digital, Culture, Media and Sports has published the 6th edition of its annual cybersecurity breaches survey on GOV.UK.

We sifted through this year’s report to compile the top 6 takeaways. Let’s go.

1. COVID-19 has impacted security measures

Fewer businesses are now deploying security monitoring tools (35% vs. 40% last year) or undertaking any form of user monitoring (32% vs. 38%).

2. The move to work from home has made cybersecurity harder

  • Only 35% of businesses are deploying monitoring tools compared to 40% in 2020.
  • 32% of large businesses have unsupported versions of Windows.
  • 83% of businesses say they have up-to-date malware protection compared to 88% in 2020.

3. Fewer businesses are detecting breaches

Compared to 46% of businesses in 2017, only 39% said that they detected any breach or attack. This can be attributed to fewer organizations deploying security controls and their limited ability to monitor remote employees. 

4. Phishing remains the most common threat vector

83% of attacks on businesses and 79% on charities were in the form of phishing. These are consistent with the attack vectors reported in 2019 and 2020.

5. Despite the pandemic, threat actors have been relentless

4 in 10 businesses and 1 in 4 charities were hit by a security breach/attack in the last 12 months.

6. Prime targets are attacked more frequently

Of the businesses and charities that reported a security breach/attack, a quarter of them were hit at least once a week,

The data from this survey reinforces what we’re seeing globally:

  • Growing mid-market companies are being increasingly targetted. These organizations have lean security teams and not enough bandwidth to sift through voluminous logs and identify early signs of targeted threats.
  • Large organizations continue to be targeted with sophisticated ransomware and supply chain attacks.

You can read the full report here.


There’s no silver bullet. We can recommend four easy-to-implement active defense strategies that address security challenges around phishing and remote work access. These deception-based active defense recommendations are easy to implement, do not require complex tooling, and detect threats early.

Defend against phishing attacks with ‘Email Decoys’

Email decoys are fake email accounts that intercept attackers attempting to mount social-engineering/spear-phishing attacks on high-value personnel. 

Seed these decoys on social media and other Internet-facing assets where attackers scour for spear-phishing targets. These email decoys are enumerated by hackers and added to their target lists for sending spear-phishing emails. There is no reason for anyone to send any emails to the decoy email addresses. Therefore, any email sent to these addresses is a high-fidelity indication of an attack.

You can integrate these with your SIEM to find other targets. Additionally, you can integrate with proxies to block access to spear-phishing domains.

Detect threats targeting remotely accessible services

Enabling employees to work from anywhere requires security teams to use VPNs, Citrix servers, and expose applications to the Internet.

Attackers target vulnerabilities in these remote access services to get into your network. Use that against them.

Deploy Internet-facing decoys that resemble vulnerable applications, databases, and servers. E.g., you can easily set up decoys that have the recent Citrix and ManageEngine vulnerabilities, making them attractive targets for the attackers. 

Attackers looking for these assets during recon will discover and engage with the decoys as well. Any attempt to seek out these assets will alert you of incoming threats with low alert volume.

Stop attackers using stolen credentials

Attackers use credential stuffing and stolen credentials to break into organizations. These are hard to detect because the activity seems legitimate. You have two simple active defense plays here:

  • Create a couple of Internet-facing VPN decoy portals. Attackers logging into them with stolen credentials will be detected instantly. 
  • Plant decoys of web apps that you use to detect credential stuffing.

Build visibility into remotely distributed endpoints

As you’ve seen in the survey finding, fewer organizations have visibility into endpoints because now they are outside the perimeter. Consider using endpoint deception to build this visibility, detect attacks early, and stop lateral movement.

Plant endpoint decoys like fake files, processes, passwords, and cookies on the work machines of all your remote employees. 

An attacker on your employees’ machines will encounter these decoys and will be caught.

Endpoint deception follows the end-user, so even when they’re working from home, your ability to detect threats is not diminished. You gain visibility into home networks that are compromised without having to deploy appliances or network traffic monitoring choke-points.

Closing thoughts

Active defense is emerging as a viable approach to dealing with advanced attacks. MITRE has a new knowledge base dedicated to active defense. If you want to understand why this approach is gaining prominence in infosec circles, read this.

For more on using active defense and deception for remote work security, check out the white paper.

#Active Defense#deception#industry

Continue Reading

Have you tried out IllusionBLACK yet?
  • Detect zero-days, APTs, and insider threats
  • 10x the detection capabilities with 1/2 the team
  • Get started in minutes, fully functional in hours
Schedule a demo
Go to home

Simple solutions for detecting and containing threats. Working with us does not break the bank or your spirit. We’re the company of choice for offensive security teams with a Net Promoter Score of 70+.

© 2015-2021 Smokescreen. All rights reserved.

Solutions For
Web Application AttacksLateral MovementRansomware AttacksTargeted ThreatsSocial EngineeringMalware-less Attacks