Wave 2 of the Cyber Security Longitudinal Survey (CSLS) published


DCMS commissioned the Cyber Security Longitudinal Survey (CSLS) as a three-year study to follow the same medium and large businesses and high-income charities.

The aim of the research is to better understand cyber security policies and processes within these organisations and how they have changed over time. Wave 1 was published in January 2022 and Wave 3 is expected to be published in late 2023/early 2024.

Please note, for overall statistics on cyber security, results from the Cyber Security Breaches Survey should be used (as the Breaches survey covers all sizes of businesses, charities, and educational institutions).

Key findings:

  • Over the last twelve months, 74% of businesses and 81% of charities have experienced some form of cyber security incident (including phishing). The figures for businesses are similar to Wave 1 but represent an increase for charities. This increase for charities is driven by a reported increase in the number of phishing attacks.
  • Cyber security incidents tend not to be one-off events. Where organisations experienced a cyber security incident in the last 12 months, more than 8 in 10 organisations (84% of businesses and 82% of charities) say such incidents occurred more than once. These figures are similar to Wave 1.
  • In the last twelve months, 85% of businesses and 86% of charities have taken some action to expand or improve their cyber security. This represents an increase for businesses from Wave 1 (79%) and is consistent for charities (84%).
  • Around three-quarters of organisations (72% of businesses and 75% of charities) have a Business Continuity Plan that covers cyber security. This is consistent with Wave 1.
  • Around four in ten organisations (40% of businesses and 36% of charities) confirm having a cyber security certification (such as Cyber Essentials). This is an increase from Wave 1 (32% of businesses and 29% of charities).
  • Around six in ten organisations (58% of businesses and 62% of charities) carried out cyber security training or awareness sessions over the past year. This represents an increase from 48% of businesses and 55% of charities in Wave 1.
Find the full report here