Half of UK businesses have reported a cyber incident or data breach in the past 12 months, according to the UK Government’s Cyber Security Breaches Survey 2024.
Around a third (32%) of charities also experienced a cybersecurity breach or attack over this period. This represents an increase compared to last year’s survey, when 32% of businesses and 24% of charities suffered some form of cyber-attack or breach.
The annual report, which surveyed 2000 UK businesses and 1004 charities, found that large businesses were most likely to be hit (74%), followed by medium-sized (70%) and small businesses (58%).
Micro businesses, defined as having one to nine employees, were least likely to have been impacted by a cyber-attack (48%).
Phishing messages were the cause of most cyber-attacks – 84% for businesses and 83% for charities.
This was followed by attackers impersonating their organization or staff in emails online (35% businesses, 37% charities), and malware attacks (17% businesses, 14% charities).
Just under half of these businesses (46%) and charities (45%) only experienced phishing and no other kinds of breaches or attacks.
Incidents occurred once a month or more often for 53% of businesses and 45% of charities that identified breaches or attacks in the previous 12 months.
Businesses Response to Cyber-Attacks
Over nine in 10 businesses (92%) and charities (91%) that experienced an attack or breach said they were able to restore their operations within 24 hours of the incident.
Among these businesses, just 13% reported at least one negative outcome following identified breaches or attacks. The most common outcome was their website or online services being taken down or made slower (4%), followed by temporary loss of access to files or networks (4%), money stolen (3%) and lost access to third-party services (2%).
Large businesses were more likely to experience a negative outcome from an attack, with 32% who experienced an incident admitting they had a least one of these issues.
A significant proportion of businesses (24%) were impacted in other ways from cyber incidents. These included:
- Added staff time to deal with breach or inform others (14%)
- New measures needed for future attacks (14%)
- Staff prevented from carrying out daily work (7%)
- Other repair or recovery costs (3%)
- Complaints from customers (2%)
- Loss of revenue or share value (2%)
The study also calculated the financial cost of breaches or attacks on victim organizations. These short-term costs included external payments that were made when the breach was being dealt with, such as payments to external IT consultants or contractors, and money paid to, or stolen by, the attackers.
It found the mean short-term direct cost of such incidents in the past 12 months was £510 ($646) across all businesses.
The financial damage was higher for medium/large businesses, at £4670 ($5923) per incident, compared to micro/small businesses, which was £330 ($418) per incident.
Mean long-term costs, which included the cost of new or upgraded software or systems and legal fees and fines post incident, reached £240 ($304) across all businesses in the past 12 months. Again, such costs were higher for medium/large businesses, at £3550 ($4503), compared to micro/small businesses, at £90 ($114).
How UK Businesses Approach Ransomware Incidents
Nearly half of businesses (48%) and over a third of charities (37%) confirmed they have a rule or policy to not pay ransomware demands.
This is a lower than the 2023 Cyber Security Breaches Survey, which found that 57% of businesses and 43% of charities had such a policy.
Around a fifth of businesses (20%) and charities (23%) said they do not know what their organization’s policy is in this area.
Small businesses are more likely than large businesses to have a policy not to pay ransomware attackers (54% versus 42%).
Limited Focus on Risk Management and Incident Response
Another area highlighted in the report was a worrying lack of focus on cybersecurity risk management and supply chain security. Just 11% of businesses said they review the risks posed by their immediate suppliers, although this was far higher for large businesses (48%).
Additionally, under a third of businesses (31%) and charities (26%) have undertaken cybersecurity risk assessments in the past year.
Only 22% of businesses and 19% of charities have formal incident response plans, although this rises to 55% of medium and 73% of large businesses.
External reporting of breaches also remains uncommon, with just 34% of businesses reporting their most disruptive breach outside their organization. In many of these cases, the organization simply reports breaches to their external cybersecurity of IT providers and no-one else, the report noted.
Industry Reaction to the UK Government Breaches Survey
Responding to the survey, Del Heppenstall, Partner and Head of Cyber at KPMG, said it was unsurprising that phishing remains such a popular attack method for attackers, as it is cheap and can reach millions of people.
“Implementing security controls to prevent, detect and mitigate cyber threats and attacks, in addition to regular cybersecurity awareness training for employees, can dramatically reduce the success of these attacks," he advised.
Other experts discussed the substantial increase in cyber attacks and breaches in the past year. Dale Waterman, Solution Designer in Strategic Market Solutions at Diligent, said the scale of incidents highlights the importance of prioritizing compliance with the increasing range of cybersecurity regulations.
“Developments such as the EU's NIS2 Directive and Digital Operations Resilience Act (DORA) present an opportunity for UK businesses to raise the bar in relation to cyber risk management and digital resilience,” he noted.
Given the prevalence of supply chain attacks, Tom Henson, Managing Director at Emerge Digital, said it was concerning that such a small proportion of businesses review the risks posed by their immediate suppliers.
“A vast number of breaches which occur are caused by supply chain attacks, and gaining visibility of supplier risk should be a top priority for all businesses,” he outlined.