Let’s start by being clear on what we mean by UK cyber attacks. It’s any electronic or online intervention by a malicious source. It’s designed to restrict business, reduce access, steal data or intellectual property. Often, the aim is to extract funds by direct fraud or ransom demand.
Probably yes. 39% of UK businesses were subject to at least one cyber attack they knew about in 2022*. Of these, the most common (83%) was a phishing attack, where innocuous-looking communications dupe staff into taking actions that allow malicious access to sensitive data and/or financial instruments.
The remainder were more sophisticated attacks, such as a denial of service, malware, or ransomware attack, where the perpetrators demand funds to allow the target business to continue trading or to prevent the malicious use of their (and their customers’) sensitive data.
Because of the reputational damage involved, many such attacks go unreported unless customer data is compromised, so the real figures are probably much higher.
20% of these businesses directly lost funds or data, and over 35% experienced some form of impact. That impact included making provision for tighter security, diverting staff from other tasks, and repair and recovery costs. It also included the loss of goods or services, loss of reputation, revenue or share value, and customer complaints, plus compensation, fines, legal costs and direct payment of ransoms.
For businesses that reported a material outcome, nearly 40% took over 24 hours to recover, and 8% took up to a week.*
Where a breach caused an identifiable outcome, the mean cost to small businesses was £3,080, rising to £19,400 for larger firms. Add to that the average indirect costs of £3,770 for the most disruptive breach (time when staff could not work, lost files or intellectual property and the cost of devices or equipment that needed replacing).
Here’s the concluding paragraph from the UK Government Report ‘UK Cyber Security Breaches Survey 2022’:
“…there is room for improvement in many elements of organisations’ cyber hygiene. It is clear that cyber resilience is highly influenced by board behaviours.
Though the high-level prioritisation of cyber security amongst boards is high, this does not translate into high expertise. Furthermore, cyber and IT staff are unable to justify the business case for cyber security, which impacts the ability to make effective cyber security decisions.
This means investments are often not made into key areas that enhance organisations’ cyber security. This leads to a reactive approach to cyber incidents as opposed to a proactive approach in limiting cyber risk.”
This attitude among boards has meant that just over half of businesses (54%) have acted in the past year to identify risks from cyber security attacks and to put precautions in place. Security monitoring tools were the most common at 35%.
Limited understanding meant that board members often passed responsibility for risk to insurance companies (the ‘horse has bolted’ option: insurance pays out after the event but does nothing to reduce the reputational damage). Alternatively, responsibility was handed to an internal cyber colleague (who, as the report quoted above notes, did not always have high expertise) or outsourced to cyber providers.
Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time, respectively. They cite access to greater expertise, resources, and cyber security standards, and with good reason. The arguments for outsourced cyber security are unequivocal for all but the largest businesses…
Before you upgrade your internal cyber threat resources, consider the benefits of outsourcing so you can concentrate on your core business and your IT team can focus on more productive projects. Give someone else the headache of dealing with UK cyber attacks.
*Figures sourced from the Gov.UK Cyber Security Breaches Survey 2022.