Over the last three years, UK businesses have lost an astonishing £64 billion in direct and indirect costs caused by cyber attacks, and in-house cybersecurity is being outpaced by cybercriminals, writes Jake Moore, Global Cybersecurity Advisor at the cyber firm ESET.
The start of 2025 has been an unfortunate testament to this, with the high-profile breaches of M&S, Co-op and Harrods (to name a few) pushing cyber threats to the top of the business anxiety list for enterprises across the UK. And for good reason. Over half of UK businesses have fallen victim to a cyber attack since 2022, making it clear that threat actors are indiscriminate in the organisations they target. M&S reported a £300m profit loss as a result of the cyber attack it suffered in April. With the cyber landscape evolving and attacks escalating due to advanced technologies, organised groups and hostile nation-states, this massive loss must serve as a warning to all businesses. It doesn’t matter how big or well-known your business is: everyone is at risk.
To minimise the devastating impact an attack can have, shifting from a reactive to proactive cybersecurity strategy is fundamental. Proper investment can help organisations stay ahead of evolving threats and mitigate payouts in the wake of an attack. What’s more, there’s proof cybersecurity has a positive impact on revenue.
RaaS
Businesses are often put off advanced security measures because of the perceived high initial costs involved. However, the emergence of dark web offerings like ransomware-as-a-service (RaaS), increased threats from hostile nation-states and the advancement of AI are making robust cybersecurity more vital than ever. Numerous attack types, including supply chain vulnerabilities and phishing ploys, can affect any and all businesses.
Although cybersecurity costs do initially appear steep for businesses with stretched budgets and other pressing priorities, they pale in comparison to the potential fallout of a cyber attack. The average cost of an attack can reach £721,000 for small to mid-size enterprises (SMEs) and run into the millions for large businesses. For SMEs in particular, this cost can be crippling.
Faced with evolving and highly sophisticated threats, a fully in-house approach to cybersecurity is unsustainable for most, yet almost half of UK businesses still manage security in-house. To ensure the most robust defences in the face of evolving cyber threats, external support must be sought.
Insurance is now a necessity
The Cyber Security and Resilience Bill, due to be implemented in the second half of 2025, will require businesses to demonstrate their cyber resilience. Comprehensive cyber insurance is a crucial component of any robust cybersecurity strategy; however, soaring premiums are posing a major financial challenge for many businesses. With the new bill coming into effect imminently, businesses must prioritise attaining proper insurance sooner rather than later. To do so, finding ways to bring down the cost is of growing importance.
Having the right cyber protection in place can help to drastically reduce premiums. In fact, personal experience has shown that implementing measures like an extended detection and response (XDR) platform, multi-factor authentication and vulnerability scanning can lead to a reduction in insurance premiums of up to 75 per cent.
Investment boosts profits
What many don’t realise is the return on investment cybersecurity can deliver. But research shows that UK businesses generate an estimated £27bn in additional revenue annually from investing in cybersecurity. Because of this, more UK businesses are considering cybersecurity a strategic priority, with 77 per cent planning to increase their cyber budget over the next year. You cannot put a price on reputation, and while well-established and widely known brands are better positioned to rectify the reputational damage breaches can cause, for smaller or less well-known companies, a negative reputation could be devastating. As customers become increasingly cyber aware, proving strong cyber credentials like expert-managed solutions and robust threat detection can now be a deciding factor in winning new business over competitors.
What’s more, 68 per cent of businesses cite outsourcing cybersecurity as improving information technology (IT) systems through efficiency, increased performance and reduced IT downtime. Nearly half of respondents also said robust cybersecurity infrastructure had enabled them to take on more risk, such as entering new markets or adopting emerging technologies. Where cybersecurity was previously viewed only as a protection measure, businesses are gradually adopting the mindset that strong cybersecurity ultimately boosts streams of revenue and internal efficiencies, providing benefits beyond ‘simple’ security.
Strategies must evolve
Early investment in cybersecurity carries immense financial and operational benefits, but businesses must be well supported and educated on the necessary cyber measures to suit their specific business needs. Reactive cybersecurity can cost more than 10 times as much in recovering from an attack as businesses would spend on proactive measures. By implementing cybersecurity, businesses can maximise efficiency, enhance customer trust and position themselves for sustained competitive advantage in an increasingly digital economy.
For some businesses, adopting cyber measures to protect against perceived threats is not enough. In order to fully adopt the necessary security, a shift in mindset must happen for UK businesses to see it as a revenue driver and ultimately profit from cybersecurity beyond its ability to protect internal systems.