Cyber attacks have cost UK businesses £44bn in the last five years, according to Howden

Howden estimates that businesses can reduce cyber attack costs by up to 75% (£30bn) by implementing simple cyber security basics more widely.

  • Half (52%) of UK businesses, representing 1.3 million private sector companies, have suffered at least one cyber attack in the past five years, costing on average 1.9% of revenue.
  • However, the introduction of basic cyber security measures could save the average UK business ~£3.5m over ten years, equating to a return on investment of 25%.
  • The insurance industry and government have a vital role to play in boosting cyber security uptake, by helping companies address common barriers around cyber investment.
  • UK businesses consider tax relief on cyber security investments to be the most effective policy lever to support their cyber resilience.  

London, 25 November 2024 – Howden, the international insurance intermediary group, has published new research on cyber resilience amongst UK businesses, finding that half (52%) have suffered at least one cyber attack in the past five years, equating to ~£44bn of lost revenue.

Businesses with an annual revenue of over £100m were the most targeted group, with 74% of those surveyed having suffered a cyber attack over the past five years. However, threat levels are elevated across all businesses, with half (49%) of SMEs with a revenue of £2m to £50m also experiencing a cyber attack over the same period. 

The most common causes of cyber attacks were compromised emails (20%) and data theft (18%), with the average cost of these attacks equating to £2.1m and £2m respectively. 

Fig. 1: Proportion of UK businesses to have suffered a cyber attack and average cost per attack by type, 2019-24

Despite the growing threat posed by cyber attacks, take-up of even the most basic cyber security measures remains low, highlighting a critical cyber security knowledge gap within UK businesses. At present, 61% of businesses are actively using antivirus software and only 55% are employing network firewalls. Organisations cite a number of obstacles to improving their cyber security, including cost (26%), insufficient knowledge (26%) and lack of internal IT resource (22%).

However, by implementing cyber security basics, Howden estimates that UK businesses could reduce cyber attack costs by up to ~75% (a total of ~£30bn from 2019-24), with the introduction of these measures saving the average UK business ~£3.5m over ten years, equating to a return on investment of 25%.

To encourage greater take-up, UK businesses say that new policy measures such as tax relief on cyber investment (33%) will be the most effective way of improving cyber resilience within businesses, followed by free access to cyber expertise and resources (32%), compulsory minimum cyber standards (31%) and compulsory cyber insurance (26%). The insurance industry must therefore work alongside the government to raise awareness of the growing severity and frequency of cyber attacks and the return on investment that can be achieved with the implementation of cyber security measures. In addition, the insurance industry has a vital role to play in boosting resilience by advising businesses on security and offering incident response services.

Sarah Neild, Head of UK Cyber Retail: “Cybercrime is on the rise, with malicious actors continuing to take advantage of cybersecurity vulnerabilities, particularly as firms become ever reliant on technology for their operations. UK businesses are currently losing a significant amount of revenue to cyber attacks, and the insurance industry is crucial to strengthening resilience and raising awareness of the security measures needed to help businesses protect their operations.

“Engagement with SMEs will be particularly important. This segment has been historically underserved by the cyber insurance market yet forms an important backbone of economic activity, both in terms of its size but also as an engine of growth. Through increased insurance penetration and education about implementation, we can help businesses improve their cyber resilience and protect against loss of revenue from these attacks.”

Methodology

Howden analysed the results of a proprietary survey of 905 senior IT decision makers from across the UK private sector to better understand their experiences of, and attitudes towards, cyber security. YouGov conducted the survey from 9 to 22 September 2024.