UK businesses have lost an estimated £44bn from cyberattacks since 2019, according to a new report by Howden. The insurance intermediary, which commissioned a survey by YouGov of 905 senior IT decision-makers in September 2024, also found that 52% of UK businesses had fallen victim to at least one cyberattack.

“Cybercrime is on the rise, with malicious actors continuing to take advantage of cybersecurity vulnerabilities, particularly as firms become ever reliant on technology for their operations,” said Howden’s UK cyber retail head Sarah Neild. “UK businesses are currently losing a significant amount of revenue to cyberattacks, and the insurance industry is crucial to strengthening resilience and raising awareness of the security measures needed to help businesses protect their operations.”

The financial burden of cyberattacks has been particularly significant for businesses with annual revenues exceeding £100m, with 74% of these companies reporting at least one incident. However, small and medium-sized enterprises (SMEs) have also been affected, with 49% of businesses generating between £2m and £50m annually experiencing cyberattacks. In total, it is estimated that 1.3 million private sector companies have faced a cyberattack within this timeframe.

The growing financial toll of cyberattacks and the need for stronger defenses

The most common forms of cyberattacks include compromised emails (20%) and data theft (18%), with supplier compromise impacting 16% of businesses. Fraud involving funds transfers and malicious insider threats were each reported by 14% of firms, while ransomware affected 12%. The average financial cost of these attacks has been substantial. Compromised emails cost an average of £2.1m, data theft amounted to £2m, supplier compromise resulted in £3.4m, and fraud involving funds transfers led to £2.7m. Malicious insider threats accounted for £2.9m, and ransomware cost £1.7m.

Despite these mounting costs, many UK businesses remain underprepared for cyber threats, claims Howden. Its study found that only 61% of businesses have implemented antivirus software, while just 55% use network firewalls. A lack of investment in cybersecurity is exacerbated by key obstacles, including cost (26%), insufficient knowledge (26%) and a lack of internal IT resources (22%).

Howden’s analysis estimates that by adopting basic cybersecurity measures, British businesses could cut cyberattack costs by up to 75%, saving approximately £30bn between 2019 and 2024. These measures could lead to savings of around £3.5m over 10 years for the average business, the insurance intermediary argues, representing a return on investment of 25%.

To improve cyber resilience, UK businesses have identified tax relief on cybersecurity investments as the most effective policy measure (33%). Other measures such as free access to cybersecurity expertise and resources (32%), compulsory minimum cyber standards (31%), and compulsory cyber insurance (26%) were also suggested to boost cybersecurity uptake. Both the insurance industry and the government are seen as having vital roles to play in driving these initiatives and raising awareness of the growing cyber threat.

Howden’s conclusions are echoed in other polls. Earlier this year, the UK government’s annual Cyber Security Breaches Survey also reported that half of all businesses and a third of charities experienced some form of cyber breach in 2023, marking an increase from 32% and 24%, respectively, the previous year. The Cyber Security Breaches Survey 2024 additionally revealed that larger (74%) and medium-sized businesses (70%) were more likely to be targeted, with phishing attacks identified as the most common method of breach. Despite continued investment in cybersecurity, the survey highlighted that most UK businesses still lack a formal incident response plan.
