Cyberattacks Cost UK Businesses £44 Billion During Past 5 Years, Howden Survey

Cyberattacks cost UK businesses approximately £44 billion (US$55.3 billion) in lost revenue over the past five years, according to research published by Howden, the London-based insurance intermediary group.

Half of those businesses (52%), or 1.3 million private sector companies, have suffered at least one cyberattack during that time period (2019-2024), costing on average 1.9% of revenue, said the study which is based on a survey of 905 IT decision makers from across the UK private sector.

Businesses with an annual revenue of over £100 million ($125.6 million) were the most targeted group, with 74% of those surveyed having suffered a cyberattack over the past five years. However, the report emphasized that threat levels are elevated across all businesses, with half (49%) of SMEs with a revenue of £2 million to £50 million ($2.5 million to $62.8 million) also experiencing a cyberattack over the same period.

The most common causes of cyberattacks were compromised emails (20%) and data theft (18%), with the average cost of these attacks equating to £2.1 million and £2 million ($2.6 million and $2.5 million) , respectively.

Cybersecurity Lacking

Despite the growing threat posed by cyberattacks, take up of even the most basic cybersecurity measures remains low, which highlights a critical cybersecurity knowledge gap within UK businesses, Howden found.

At present, 61% of businesses are actively using antivirus software and only 55% are employing network firewalls, said the report, noting that organizations cite a number of obstacles to improving their cybersecurity, including cost (26%), insufficient knowledge (26%) and lack of internal IT resources (22%).

However, by implementing cybersecurity basics, Howden estimated that UK businesses could reduce cyberattack costs by up to approximately 75%, or £30 billion ($37.7 billion) during the five-year period.

Further, the introduction of these measures would save the average UK business approximately £3.5 million ($4.4 million) over 10 years, equating to a return on investment of 25%.

To boost take-up of cybersecurity measures, UK businesses say that new policy measures such as tax relief on cyber investment (33%) will be the most effective way of improving cyber resilience within businesses, followed by free access to cyber expertise and resources (32%), compulsory minimum cyber standards (31%) and compulsory cyber insurance (26%).

The insurance industry and government both have a vital role to play in boosting cybersecurity uptake, by helping companies address common barriers around cyber investment, according to Howden.

“Cybercrime is on the rise, with malicious actors continuing to take advantage of cybersecurity vulnerabilities, particularly as firms become ever more reliant on technology for their operations,” according to Sarah Neild, head of UK Cyber Retail, in a statement.

“UK businesses are currently losing a significant amount of revenue to cyberattacks, and the insurance industry is crucial to strengthening resilience and raising awareness of the security measures needed to help businesses protect their operations,” she added.

“Engagement with SMEs will be particularly important. This segment has been historically underserved by the cyber insurance market yet forms an important backbone of economic activity, both in terms of its size but also as an engine of growth. Through increased insurance penetration and education about implementation, we can help businesses improve their cyber resilience and protect against loss of revenue from these attacks.”

Methodology

Howden analyzed the results of a proprietary survey of 905 senior IT decision makers from across the UK private sector to better understand their experiences of, and attitudes towards, cybersecurity. YouGov conducted the survey from Sept. 9 to Sept. 22, 2024.

Source: Howden