UK Cyber Security Landscape: Insights and Responses from the 2024 Breaches Survey

According to the UK Government’s Cyber Security Breaches Survey 2024, approximately half of UK businesses have reported encountering a cyber incident or data breach in the past year.

Similarly, around a third of charities experienced a cybersecurity breach or attack during the same period, marking an increase compared to the previous year’s figures.

The survey, which involved polling 2000 UK businesses and 1004 charities, revealed that larger businesses were most vulnerable to such incidents, with 74% reporting being affected, followed by medium-sized (70%) and small businesses (58%).

Micro businesses, defined as those with one to nine employees, were the least impacted, with 48% experiencing cyber-attacks.

Phishing messages emerged as the primary cause of most cyber-attacks for both businesses (84%) and charities (83%), followed by attackers impersonating the organization or its staff in online emails (35% businesses, 37% charities), and malware attacks (17% businesses, 14% charities).

Nearly half of the affected businesses (46%) and charities (45%) experienced only phishing attacks without any other breaches or attacks.

Incidents occurred frequently, with 53% of businesses and 45% of charities reporting breaches or attacks at least once a month.

In response to cyber-attacks, over 90% of affected businesses and charities managed to restore their operations within 24 hours. However, 13% of businesses reported negative outcomes, such as website or online services being taken down or slowed, temporary loss of access to files or networks, money theft, and lost access to third-party services.

Large businesses were more prone to negative outcomes, with 32% experiencing at least one issue following an incident.

Besides direct consequences, businesses also faced indirect impacts, including added staff time to deal with breaches, the need for new security measures, disruption to daily work, repair or recovery costs, complaints from customers, and loss of revenue or share value.

The study calculated the financial costs of breaches, with short-term costs averaging £510 ($646) per incident for all businesses. Medium/large businesses incurred higher costs (£4670 or $5923 per incident) compared to micro/small businesses (£330 or $418 per incident).

Long-term costs, including expenses for new software or systems and legal fees, averaged £240 ($304) per incident for all businesses, with medium/large businesses facing higher costs (£3550 or $4503) compared to micro/small businesses (£90 or $114).

Regarding ransomware incidents, nearly half of businesses (48%) and over a third of charities (37%) have policies against paying ransom demands, although this percentage has decreased since the previous year.

There is a noted lack of focus on cybersecurity risk management and supply chain security among businesses, with only 11% reviewing the risks posed by their immediate suppliers. Additionally, a minority of businesses and charities have undertaken cybersecurity risk assessments or have formal incident response plans.

External reporting of breaches remains uncommon, with just 34% of businesses reporting their most disruptive breach outside their organization.

Experts emphasize the importance of implementing security controls, providing regular cybersecurity awareness training, prioritizing compliance with cybersecurity regulations, and gaining visibility of supplier risk to mitigate cyber threats effectively.