Cyberattacks cost British businesses £44bn in lost revenue
SMEs targeted only a little less than larger organisations
Insurer Howden publishes research on cyber resilience and finds that 52% of private sector companies have reported at least one attack.
Howden has published new research on cyber resilience amongst UK businesses, finding that half (52%) have suffered at least one cyber-attack in the past five years, equating to approximately £44bn of lost revenue.
Businesses with an annual revenue of over £100m were the most targeted group, with 74% of those surveyed having suffered a cyber-attack over the past five years. However, SMEs would be unwise to consider themselves beneath the radar of cyber criminals because almost half (49%) of SMEs with a revenue of £2m to £50m had also experienced a cyber-attack over the same period.
The most common causes of cyber-attacks were compromised emails (20%) and data theft (18%), with the average cost of these attacks equating to £2.1m and £2m respectively.
The cyber-attack which had cost the businesses surveyed the most was supplier compromise. This type of attack had been experienced by 16% of those surveyed but at a cost of £3.4m.
The insurance broker estimates that by implementing some basic cybersecurity measures, UK businesses could reduce cyber-attack costs by up to 75% (a total of £30bn from 2019-24). The introduction of these measures could save the average UK business £3.5m over ten years.
However, many businesses, particularly smaller ones, seem reluctant to take responsibility for cybersecurity. It’s a low bar but only 61% of businesses actively use antivirus software and only 55% are employing network firewalls.
When those responding to the survey were asked why this is the case, organisations cited obstacles such as cost (26%), insufficient knowledge (26%) and lack of internal IT resource (22%).
Sarah Neild, Head of UK Cyber Retail: “UK businesses are currently losing a significant amount of revenue to cyber-attacks, and the insurance industry is crucial to strengthening resilience and raising awareness of the security measures needed to help businesses protect their operations.
“Engagement with SMEs will be particularly important. This segment has been historically underserved by the cyber insurance market yet forms an important backbone of economic activity, both in terms of its size but also as an engine of growth. Through increased insurance penetration and education about implementation, we can help businesses improve their cyber resilience and protect against loss of revenue from these attacks.”
Businesses responding appear to want the taxpayer to subsidise their cybersecurity. 33% of those surveyed said that tax relief on cyber investment would be the most effective way of improving cyber resilience within businesses, followed by free access to cyber expertise and resources (32%), compulsory minimum cyber standards (31%) and compulsory cyber insurance (26%).
The NCSC Cyber Essentials scheme already ticks a lot of these boxes. It isn’t free, but a few hundred pounds seems relatively small change for verification that an organisation is protected from the vast majority of common cyberattacks. It also provides basic cyber liability cover, which will become prohibitively expensive without certification as cyber insurance costs continue to rise in line with attack volumes and cost.
It's interesting to note that businesses think a degree of compulsion is the likely way forward. The Cyber Security and Resilience Bill will introduce some compulsion but only for certain sectors such as transport, energy, water, health and digital infrastructure and services. Most of the companies surveyed here would not be included in the scope.
Howden's findings were based on a survey of 905 UK private sector IT decision-makers conducted for the broker by YouGov in September.