Each year, the Department for Digital, Culture, Media and Sport releases the Cyber Security Breaches Survey as part of its wider National Cyber Strategy. The results of the survey are used to “inform government policy on cyber security, making the UK cyber space a secure place to do business”.

The most recent survey found that in the last 12 months 39% of UK businesses had experienced a cyber attack (remaining consistent with previous years of the survey). Below, we summarise some of the main findings of this survey.

Type of attacks

Phishing attacks are the most common type of cyber incident. Amongst the businesses that suffered a cyber incident in the past year, 83% of said they had experienced some form of phishing attack. 21% identified a more sophisticated attack such as a denial of service, malware, or ransomware attack.

Frequency of attacks

Unsurprisingly, during the first year of COVID-19, the number of attacks on UK businesses soared, the survey figures for that year showed 46% of UK businesses identified a cyber attack.

The decline to 39% is a welcome start, but demonstrates that more than a third of UK businesses are still experiencing cyber attacks. Of the organisations that reported cyber attacks, 31% of businesses and 26% of charities estimate they were attacked at least once per week and one in five business and charities experienced a negative outcome as a direct consequence of a cyber attack, illustrating just how many organisations are impacted by cyber incidents.  

Cost of attacks

The average estimated cost of all cyber attacks in the past year was £4,200, although this figure rises to £19,400 per incident for medium and large businesses.

Limitations around incident management

It appears that organisations take an informal approach to incident management, with the survey recognising that only 19% of businesses have a formal incident response plan, whilst 39% have assigned roles should a cyber incident occur. There is a clear priority in proactively maintaining business operations as opposed to reactively managing cyber risk. Additionally more than 80% of senior management within UK businesses rate cyber security as a high priority item.

Next steps

Cyber attacks clearly do not discriminate and affect both small and large British businesses. Experiencing a cyber attack can have very costly and wide-reaching consequences, including legal fines due to data breaches (particularly where personal data is involved) and the associated indirect costs such as the diminution in reputation and value of lost files or intellectual property, as well as the lost time where employees are focused on dealing with the attack and are unable to carry out their usual day to day roles.

Businesses should ensure prevention of cyber attacks is a board level priority, as well as implementing and maintaining cyber-security training for employees, in order to train employees to spot the signs of a security breach and recognise the potential threats of cyber attacks.

We would advise organisations, as a first step, to undertake a cyber risk assessment to allow for the identification, analysis and evaluation of cyber threats. We would recommend our article – “You’ve discovered a cyber or data breach – what should you do next?”  for more information. 

By identifying and mitigating any risks relating to cyber security with proper security procedures and policies in place, businesses can avoid the potentially disastrous consequences of cyber attacks.

If you would like further assistance with your cyber incident response preparations, please contact our Data Protection and Cyber Security team.

Written by Noel Hung and Liz Smith