While cyber attacks cost UK businesses £64 billion a year, many remain underprepared to mitigate the risk of attack. That’s according to a study from cybersecurity firm ESET. Half of surveyed businesses (53pc) report they have been the victim of at least one attack or breach in the past three years.
The cyber firm says the growing threat of attack methods like ransomware, phishing and supply chain attacks continues to impact businesses of all sizes, alongside increased exposure to international threats and the rise of Cybercrime-as-a-Service (CaaS). The direct costs of cyber attacks account for £37.3 billion of this total cost (£13.1 billion in GVA terms) or 0.7 per cent of business turnover. Direct costs include ransom payments, stolen/lost funds, legal and regulatory costs, disruption to operations, staff time spent dealing with the attack, costs of third-party consultants and others brought in, and higher cyber insurance premiums. The most frequently cited significant direct cost was staff time spent dealing with an attack (cited by 63pc).
The indirect costs of cyber attacks account for £26.7 billion (£9.0 billion in GVA terms), or 0.5 per cent of business turnover. Indirect costs include loss of clients, the opportunity cost of redirecting resources to incident response, reduced competitive advantage due to the theft of corporate intellectual property, and the subsequent need for increased cybersecurity or IT budgets. The most significant indirect financial burden was the need to increase cybersecurity budgets; some 66pc of businesses identified this as a major cost and 28pc deemed it extremely significant.
Cyber attacks can also have long-lasting consequences, including restricted business growth (as cited by 43pc) and the need to secure additional funding (41pc). For some, the consequences were more severe, with reports of downsizing (14pc), entering administration (15pc), and undergoing a merger or acquisition (16pc) after an attack. For small and medium enterprises (SMEs), growth restrictions were particularly pronounced (as cited by 45pc), while large enterprises were more likely to require additional financing (46pc) to recover from an attack.
Despite 43pc of businesses bracing for an attack in the next 12 months, nearly half (45pc) choose to manage cybersecurity fully in-house, without external expertise, and 15pc report having no cybersecurity budget at all.
Comment
Jake Moore, Global Cybersecurity Advisor at ESET, says, “The rising costs of cyber attacks – both direct and indirect – prove that no business can afford to overlook cybersecurity. With growing public scrutiny on data protection and cybersecurity preparedness, businesses that fail to take proactive measures risk financial losses and long-term damage to trust and credibility. Investing in expert-managed solutions, robust threat detection, and staff training can significantly reduce long-term financial and operational risks. Cyber resilience is no longer optional – it’s essential for safeguarding business continuity and maintaining customer confidence in an increasingly digital world.
“But businesses cannot face the cyber landscape alone.”




