Cybercrimes against organisations in the UK
There is no definite figure for the total losses businesses suffer because of cyber threats. However, the Cyber Security Breaches Survey 2024 gives some idea of the total costs UK businesses could be facing as a result of these attacks.
This official report showed that half of all businesses, and nearly a third of charities, report having experienced some form of cyber security breach or attack in the last 12 months, which accounts for 718,000 businesses. This figure is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%) specifically.
ORGANISATION TYPE | PERCENTAGE THAT HAVE IDENTIFIED BREACHES OR ATTACKS IN THE LAST 12 MONTHS |
---|---|
Businesses overall | 50% |
Micro businesses | 47% |
Small businesses | 58% |
Medium businesses | 70% |
Large businesses | 74% |
Information or communication | 72% |
Within utilities or production | 62% |
Charities overall | 32% |
The most common type of breach or attack was phishing, experienced by 84% of the businesses and 83% of the charities that identified a breach or attack.
This was followed by others impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).
Among those identifying any breaches or attacks, the government estimates that the single most disruptive breach from the last 12 months cost each business, of any size, an average of £1,205. For medium and large businesses, however, this was £10,830, and for charities it was £460.
As for the outcomes of these attacks, among the 50% of businesses that identified breaches or attacks within their organisations, just over 1 in 10 (13%) reported a negative outcome such as a loss of money. This equates to approximately 93,340 businesses.
If we take the mean cost of these attacks for all businesses at £1,205, this would equate to a total estimated loss of £1.12 billion.
However, if we use the mean cost to only the organisations identifying breaches with an outcome, which is £6,940, this brings the total cost up to £6.68 billion. The mean cost for medium and large businesses is nearly six times this figure at £40,400, which could mean the total is actually a lot higher.
Behind the Screens: the cost of crimes targeting workers
The NFIB (National Fraud Intelligence Bureau) fraud and cybercrime dashboard also sheds some light on fraud and cybercrime offences amounting to a “crime” under the Home Office Crime Recording rules.
The crime codes included are:
CRIME CODE | DESCRIPTION |
---|---|
NFIB52C | Hacking - social media and email |
NFIB52A | Hacking - server |
NFIB52E | Hacking - extortion |
NFIB50A | Computer virus / malware / spyware |
NFIB52B | Hacking - personal |
Most of these attacks are likely to target the everyday worker, rather than those cybercrimes of a much larger scale which result in hefty fines.
According to the rolling data from NFIB, between May 1st 2023 and April 30th 2024 there were a total of 2,355 reports of cyber-related crime against organisations in the UK. Of these, around 1,400 instances of cybercrime offences were against limited company organisations, 258 against sole traders, 126 against charities, 100 against PLCs and 53 against LLPs.
The majority of these crimes were reported under the code Hacking - social media and email, which made up 1.3k of the total crimes reported in this time period. The second most reported crime type was Hacking - server with 289 reports, and just behind in third was Hacking - extortion with 271 reports.
Being the business hub of the UK, it is no surprise that the capital, as well as coming out on top for fraud and computer misuse cases in England and Wales, is also the top location for cybercrimes against organisations in the UK. There were 478 reports of cybercrimes in the London region between May '23 and April '24. Media and digital communications are easy ways in for hackers, as just under half (49%) were reports of hacking - social media and email.
Next was the eastern region of the UK with 300 reported cybercrimes, closely followed by the southeast, which reported 278 cybercrimes.
Sectors with the most data breaches
How susceptible certain industries are to cybercrime depends on a plethora of factors. For example, sectors that handle valuable or sensitive information, or that are heavily reliant on digital technology, are attractive targets and therefore have a higher risk of cyber-attacks. But which one is most vulnerable?
Looking at the Information Commissioner's Office (ICO) self-reported personal “cyber” data breach cases for Q3 2022/23 - Q3 2023/24, it appears the retail and manufacturing sector falls victim to the most cyber-attacks, with 614 cyber-related data breaches within this period. It's not entirely surprising, as these industries handle vast amounts of sensitive data like personal details, customer payment information and intellectual property. This kind of data is valuable and is an attractive target for cybercriminals. Plus, as the retail sector is heavily reliant on digital platforms and e-commerce systems for transactions, it is more prone to certain cyber-attacks like payment card fraud or phishing scams. Additionally, the manufacturing sector faces supply chain complexities which usually involve several third-party vendors and partners. This can introduce vulnerabilities along the chain and increase the risk of data breaches.
Right behind the retail and manufacturing industries are the finance, insurance, and credit sectors with 505 reported breaches. This sector is a prime target for cybercriminals as it also handles vast amounts of sensitive financial data, including personal and payment information, which is particularly enticing to criminals who are after identity theft or monetary gain. There are significant financial rewards due to the large amounts of money involved in financial transactions, investments and banking activities, meaning this sector is at bigger risk of malware attacks.
And in third place is education and childcare with 299 data breaches. Educational institutions and childcare providers collect and store a huge amount of sensitive information about students, staff, and families. This usually includes personally identifiable information (PII) such as names, addresses, dates of birth and even financial information for tuition or fees. This makes them targets for criminals seeking to steal identities, commit fraud or sell personal information on the dark web. In addition, smaller schools and childcare centres don't always have the budget or dedicated IT staff for a comprehensive cybersecurity system, which can leave them vulnerable to attacks and can also explain the high number of breaches.
The varied nature of the top three most breached industries highlights the diverse range of industries targeted by cybercriminals seeking to exploit vulnerabilities in data security.
SECTOR | SELF-REPORTED PERSONAL "CYBER" DATA BREACH CASES Q3 2022/23 - Q3 2023/24 |
---|---|
Retail and manufacture | 614 |
Finance, insurance and credit | 505 |
Education and childcare | 299 |
Health | 277 |
Legal | 243 |
Transport and leisure | 209 |
Charitable and voluntary | 208 |
Online Technology and Telecoms | 203 |
Land or property services | 185 |
Local government | 120 |
When breaking it down further by subsector, it is the suppliers of services that have the most reported cases of cyber-related data breaches, with 224 reported within Q3 2022/23 - Q3 2023/24 according to the ICO data.
This is very closely followed by legal professionals at 223 and suppliers of goods at 199.
SUB-SECTOR | SELF-REPORTED PERSONAL CYBER DATA BREACH CASES Q3 2022/23 - Q3 2023/24 |
---|---|
Supplier of services | 224 |
Legal professionals | 223 |
Supplier of goods | 199 |
Financial services and advice | 192 |
Manufacturing | 180 |
Local charities | 108 |
Insurance | 94 |
National charities | 85 |
Software developers | 85 |
Private Healthcare providers | 73 |
These are data sets of instances where data controllers have self-reported potential personal data breaches to the ICO. These cases were dealt with by the ICO's personal data breach team, but were not referred to its investigations department, as it was not considered that regulatory action may be required. However, the data highlights intended targets, suggesting which sectors should be more vigilant when it comes to cybersecurity.