Cybersecurity breaches have become more costly for medium and large businesses across the UK, a new report from the Department for Culture, Media, and Sport (DCMS) has revealed.
Data gathered by the department has shown that for incidents with material outcomes – meaning money or sensitive information was lost – medium-sized and large firms lost an average of £19,400 in the past 12 months, up from £13,400 from the previous year. However, when taking into account businesses of all sizes, the amount dropped to £4,200 – a significant decrease from £8,460 in 2021.
But the DCMS also cautioned that due to “the lack of framework for financial impacts of cyberattacks,” the real value may be underreported.
The average short-term direct cost – which the report defined as any external payments made when the breach was being dealt with – was £1,650 for all businesses but went up to £6,490 for medium and large companies. Long-term direct costs, or external payments made in the aftermath of the breach, meanwhile, averaged £782 for all enterprises and reached £6,010 for bigger firms.
“The immediate direct costs of a cyber security incident tend to end up being much higher than the costs in the aftermath of an incident,” the report noted. “This could be because calculating immediate costs (e.g., paying a ransom) is easier and more tangible than accumulating the more long-term costs in the aftermath. However, this is the direct opposite of what was observed last year, where recency bias was suggested as a possible explanation.”
In terms of staff time costs – which included how much employees would have been paid for the time they spent investigating or fixing issues caused by the breach – businesses spent an average of £614, with medium-sized and large firms allocating £2,600. For indirect expenses – which included the value of lost data and the cost to replace equipment – companies were set back £1,050, while larger businesses spent £3,770 on average.
“The 2020 study on the full cost of cyber security breaches showed that organisations find it harder to consider the indirect costs. Therefore, this may be another area where organisations are significantly undervaluing the overall cost of breaches and attacks,” the research explained.
The DCMS surveyed 1,243 businesses, 424 registered charities, and 420 education institutions between 16 October 2021 and 21 January 2022. The department also carried out 35 in-depth interviews with participating organisations. The figures above did not include charities as their base number was “too few to analyse,” according to the report.
Here are the research’s other key findings about cybersecurity incidents encountered by UK firms in the past year.
1. The number of businesses experiencing cyberattacks did not change but the frequency has increased
Although the percentage of businesses that experienced a cybersecurity breach has remained the same as previous levels at 39%, the frequency of cyberattacks has jumped in the past 12 months.
Of all the organisations that reported a cyber incident, 31% of businesses and 26% of charities claimed they were targeted at least once a week, up from 27% and 23% from the previous year, respectively. For both groups, about one in five also said that they experienced a negative outcome because of the attack such as loss of money or data.
But if even the breach did not result in financial consequences or data loss, some organisations still felt its impact. About a third of businesses (35%) and almost four in ten charities (38%) claimed that a cyber incident affected certain aspects of their operations, including implementing new measures to mitigate future attacks and adding staff time to deal with a breach or inform others.
2. Phishing was the most common attack method used
Of the UK businesses that identified a cyberattack, 83% said they were targeted by a phishing attempt, making this the most common threat vector. About a fifth (21%) reported more sophisticated attack types, including denial of service, malware, or ransomware attack.
“One of the consistent lessons across this series of surveys has been the importance of staff vigilance, given that most cyber actors use social engineering techniques to gain access to the target organisation’s networks,” the report noted.
Despite its low prevalence, many organisations still see ransomware as a major threat. However, 56% of businesses said they have a policy in place preventing them from paying ransom.
3. Cybersecurity is a growing priority, but this may not be translating into improvements in cyber resilience
More than four-fifths (82%) of senior managers interviewed for the report said they viewed cybersecurity as a “very high” or “fairly high” priority, up from 77% in the previous year. The figure was the highest ever seen in any year that the survey has been conducted.
However, the DCMS said its findings “suggest a number of challenges about how to translate board engagement with cybersecurity into increased cyber resilience amongst businesses.”
The survey found that 54% of businesses have acted in the past 12 months to identify cybersecurity risks, taking a range of actions, including applying technology to monitor for threats. But interviews with senior management revealed “limited board understanding” of cyber risks as most rely on third-party providers, insurance companies, or internal cybersecurity experts to manage threats.
“Organisations spoke of challenge around creating a clear commercial narrative that can be used in internal budget conversations, to ensure that cybersecurity is given appropriate investment against other competing business demands,” the study noted. “[But] there is a lack of understanding of what constitutes effective cyber risk management, which is compounded by a lack of expertise and perceived complexity of cyber security matters at board level.”
4. Less than half of businesses have cybersecurity insurance
The study also found that only 43% of UK businesses have an insurance policy in place that protects them against cyber risks. Further, only a tiny fraction (5%) of these enterprises have specific cyber policies catered to their needs. Most companies with cyber protection benefit from coverage within more general policies.
According to the report, insurance policies helped organisations build a cybersecurity framework, often to gain accreditation.
“Some organisations took out insurance because it was necessary to comply with accreditations such as Cyber Essentials or ISO 27001,” the research explained. “For those who did not fully comply with accreditations, the checklist insurance companies demanded to be eligible for a policy acted as a framework to ensure good cyber hygiene.”
In previous surveys, organisations also mentioned protection against ransomware and assistance with payments as key reasons for getting insurance. This year, however, businesses said doing so had become more difficult with insurance companies raising premiums or not offering coverage at all.
5. Businesses have been able to maintain good cyber hygiene
Despite continued challenges, the report has found that businesses and charities have been able to maintain good cyber hygiene, with most rules, policies and controls, and risk mitigation techniques remaining steady compared to the previous year.
According to the study, more than four-fifths of medium and large companies have taken steps to improve cybersecurity in at least five areas detailed in the government guidance called the 10 Steps to Cyber Security. Additionally, several technical controls such as access management, malware, firewalls, and data security have become “very commonplace.” The report said this showed that larger UK enterprises have a good standard of cybersecurity.