Average UK cyberattack cost £4,200 last year

Medium and large-sized businesses lost more than £19,000 on average

Two in five UK businesses and one in three charities detected at least one cyberattack on their operations in the last 12 months, according to the UK government's new Cyber Security Breaches Survey 2022.

The Cyber Security Breaches Survey is a study that examines the policies, practices and approaches to cyber security for enterprises, charities and educational institutions in the UK. It also covers the impact of cyberattacks, and how organisations respond.

Thirty-nine per cent of organisations and 30 per cent of charities say they have been attacked in the last year. Almost one in three of those organisations (31 per cent) and one in four of the charities (26 per cent) said they face breaches or attacks at least once a week.

Of the businesses that identified attacks in the last 12 months, phishing was the most prevalent attack vector (83 per cent). One-fifth (21 per cent) of those firms also reported more advanced attack types such as denial of service, malware, and ransomware.

Despite its low incidence, businesses see ransomware as a serious threat, with 56 per cent of enterprises having a policy not to pay ransoms.

One in five businesses (20 per cent) and charities (19 per cent) acknowledged suffering a negative outcome as a direct consequence of a cyberattack.

The average estimated cost of a cyberattack in the past 12 months was £4,200, taking into consideration the firms that reported a material outcome, such as loss of data or money. Excluding small firms, the average cost increased to £19,400.

Following a swathe of high-profile cyberattacks in the last year, including Kaseya and Colonial Pipeline, the survey found that UK firms are now paying more attention to the security of supply chains and digital services.

Cyber security is now a 'very high' or 'fairly high' priority for four out of five senior managers in UK organisations, up from 77 per cent in 2021.

Although the Government is not aware of any current specific cyber threat to UK organisations - unlike some Ukrainian firms - it encourages businesses to follow the basic procedures outlined in its recommendations to lower their risk.

The Government has made a commitment to improving security resilience in the UK in recent years, such as strengthening electronic supply chains and investing in cyber skills. Last year, it released a new National Cyber Security Strategy focusing on raising the country's cyber capabilities.

Following the publication of the NCSS, the Government released the 2022 Cyber Security Incentives and Regulation Review in January, detailing the progress made in improving cyber resilience between 2016 and 2021. It also wants to revise the Network and Information Systems (NIS) Regulations, which apply to firms that provide essential services such as energy, transport, water and healthcare.