Cyber Security Breaches Survey 2023

The definitions below refer to how we determine whether the cyber breach you experienced was a criminal incident or not. It would be beneficial if you had these definitions open in front of you when asked questions that explore the breaches you experienced in more detail.

Final event in sequence

Several incidents or breaches may form part of the same event in which several different types of breach happen. In these incidents we would only like you to consider the final event in a sequence. For instance, if you were victim of a phishing attack that led to your computer becoming infected in a virus, we would only like you to consider the virus when being asked these questions.

Deliberate targeting

Some events might be accidental whereas for others you might be deliberately targeted. We’d like you to only consider events where your organisation has been deliberately targeted. Below are some examples of what may constitute an incident where your organisation was deliberately targeted.

Denial of Service attack
By being targeted deliberately we mean that you are certain the attack was carried out with malicious intent specifically at your organisation. For instance, where the website service is denied because it is experiencing high traffic, this would not count as a targeted denial of service attack. However, where a group or an individual has deliberately overloaded your systems to cause them to crash, this would count as a targeted denial of service attack.

Unauthorised access
By your organisation being deliberately targeted we mean events where your organisation’s files or networks, were hacked into in a targeted manner. For instance, if an employee has accidentally used a machine or accessed a file they did not have permission to use this would not count. However, where someone has knowingly gained unauthorised access into your network drives by getting login details via a phishing attack this would count.

Cost of criminal incident

In order for a cyber incident to be considered criminal it needs to be  the final event in a sequence and your organisation must have been deliberately targeted.

Think about the following types of incident your organisation has experienced in the last twelve months where it was deliberate and the final event in a sequence:

• Ransomware attacks
• Other malware attacks, such as viruses or spyware
• Denial of service attacks, i.e. attacks that try to slow or take down your website, applications or online services
• Unauthorised accessing of files or networks by staff, even if accidental
• Unauthorised accessing of files or networks by people outside your organisation
• Unauthorised listening into video conferences or instant messaging
• Takeovers or attempts to take over your website, social media accounts or email accounts
• Cyber enabled fraud
• Phishing attacks, i.e. staff receiving fraudulent emails, or arriving at fraudulent websites

Before the interview we would like you think about how much each of these cost your organisation in the last twelve months. It will make the interview quicker and more efficient if you prepare these figures in advance.

How much do you think each specific incidents cost your organisation financially?

Please include any costs such as legal fees, staff time spent on recovery and investigation, lost revenue, costs of any external contractors to help resolve issue, insurance excess, or any costs related to damaged files or software or purchasing any new software.

Please exclude any incidents that led to any subsequent events.

Cost of cyber breaches

The definitions below refer to how you should calculate the costs your most disruptive cyber breach or incident. This does not have to be a criminal incident.