UK Cyber Security Statistics for 2024

The data for cyber security in the UK for 2024 has been released and it makes interesting reading. Cyber attacks are up in 2024, to a staggering 7.78 million instances, with 53% of businesses being attacked once a month or more. This is only what businesses detect, which is mostly phishing attacks, and very few businesses have security monitoring in place to see the full picture. In this blog post we’ll explore the stats and see what patterns emerge, to help us remain secure.

The Scale of Attacks

Over the last 12 months in the UK there have been 7.78 million cyber attacks. Over half of businesses (53%) said they are attacked at least once a month, with 32% suffering from attacks at least once a week.

The focus of threat actors is still weighted towards medium and large organisations, as 74% of large organisations have identified at least one cyber attack in the last 12 months. This is likely due to attackers targeting those with the most to lose, which means a larger profit for them when a compromise succeeds.

The identified attacks against UK businesses in the last 12 months have mostly been phishing attacks. 84% of businesses suffered a phishing attack, with the next largest attack type being closely related – impersonation of employees. This affected 35% of businesses. Charities were roughly in line with businesses, with 83% suffering a phishing attack and 37% suffering impersonation attacks. Away from social engineering style attacks, deployment of malware onto organisations’ devices affected 17% of businesses and 14% of charities.

Interestingly, the statistics cover only the identified attacks. Any attacks which have gone unnoticed would not be captured in this data. This is important, as phishing is likely to be caught by attentive employees as well as technical controls. However, more advanced attacks, which are technically focused, may have remained undetected. The other statistics around the lack of security monitoring tooling and non-adherence to basic cyber hygiene guidelines suggest this is likely to be the case.

The data also showed that charities are mostly in line with businesses in terms of being attacked. It is unlikely that charities will be storing high value intellectual property, but they do deal heavily with financials. Charities also work with high levels of personal information, which is a prime target for an attacker both to steal and to use as leverage when deploying ransomware as a blackmail technique.

The Costs of Cyber Crime

The effects of cyber crime can be both substantial and long lasting. The data revealed that large businesses put the short-term cost of a cyber attack at £17,970 per breach. Given the prior statistic that said most large businesses suffer from attacks at least once a month, this figure can spiral rapidly. It is also just the initial cost of the attack.

Large businesses put the longer-term cost of any individual attack at £15,330 on average. This is nearly as much as the initial cost experienced. Indirect costs, such as the deployment of employees to help defend the organisation and restore security, add a further £7,310 for large businesses.

These costs don’t include the difficult-to-quantify effect that an attack has on a business’s reputation, or fines, for example. They also exclude the fact that being attacked successfully is likely to result in a follow-on attack. The data shows that only 28% of businesses were victims once, whereas 59% experienced 3 or more instances of cyber crime. The data confirmed that 18% of large businesses said their employees were stopped from carrying out their day-to-day work by a cyber attack.

Perhaps businesses see the cost as a necessary cost of doing business, just like advertising or office costs. That may explain why there’s been a remarkable change since 2023 with regard to ransomware payment policies. 57% of businesses said they had a policy to not pay ransomware fees in 2023; however, this year that figure has dropped to 48%. This means 9% of businesses have changed their opinion and now see paying the attackers as an option.

The Importance of Cyber Security

Cyber security has never had such a focus in the news and in the general population’s consciousness. This is backed up by the data, as 75% of businesses and 63% of charities confirmed that they viewed cyber security as a high priority. The exception is the agricultural sector, where it’s only a high priority for 59% of businesses. That’s an odd outlier, as food supply is quite important to people’s daily lives and there have been recent spikes in cyber attacks in the sector.

However, this attention does not always translate into meaningful action. Only 30% of both businesses and charities have someone at board / trustee level who has a responsibility over cyber security.

What’s most worrying is the fact that after a cyber attack, 39% of businesses took no action. Yes, you read that right. No patching, no security uplift, no training or any other activity was undertaken. 39% of businesses were attacked and then just resumed what they were doing before.

Common sense would say that notifying customers, other organisations or law enforcement after a breach would be expected. The data proved this assumption to be false. Only 34% of businesses and 37% of charities disclosed details of the cyber crime to a third party. In most cases this was only to their IT services supplier. To be clear, this means 66% of businesses and 63% of charities stayed quiet after experiencing a cyber crime.

Where Are the Risks?

With cyber security being so important, businesses should be proactively seeking out where their risks are. Sadly, once again this assumption proves false.

31% of businesses and 26% of charities have undertaken a cyber risk assessment in the last 12 months. These risk assessments would highlight gaps in their policies and procedures, as well as wider vulnerabilities. They just aren’t being done.

Supply chain risks have been a hot topic both last year and this year, so it’s natural to presume they would be on businesses’ cyber security agendas. Sadly not, as only 11% of businesses reviewed the cyber risks posed to them by suppliers. If businesses have no idea of their supply chain risks, then remaining both operational and secure can be a challenge. We have also seen firsthand attackers pivoting their focus to the suppliers of their targets, as it’s an easier route in.

Security monitoring is a key part of managing a business’s risk, yet only 23% of charities have security monitoring tools. This isn’t a cost-based barrier to entry, as there are many security monitoring tools which are free, so it’s perplexing to see why they’re not rolled out.

If businesses aren’t looking at their supply chains or monitoring much, perhaps they’re confident in their security posture because they regularly assess it? 11% of businesses conducted a penetration test in the last 12 months. That would be a no to that assumption as well, then. Penetration testing allows businesses and charities to simulate a real world attacker but in a safe and controlled way, with guidance on how to improve their security posture.

If it all goes wrong for a business or charity then there’ll be a robust incident response plan, surely. I’m afraid not. The data showed us that 22% of businesses and 19% of charities have an incident response plan. It’s no wonder that the day-to-day operations of businesses are impacted by cyber crime, if there isn’t a plan to handle the incident and recover.

Cyber Security Guidance and Certifications

Perhaps the survey casts businesses and charities in an unfair light. Maybe resources are tight and there’s a lot going on. The data showed us that 41% of businesses do indeed look for cyber security advice. Finally, some positive news. Until we compare it with 2023’s figure, which was 49%. This means 8% of businesses have stopped looking for cyber security advice in 2024. Interestingly, the data also showed a tell-tale trend. The seeking of advice peaked in 2018/2019, around the time when GDPR was coming into force, and has been falling ever since.

Those great businesses and charities who seek out cyber security advice must go on to be safer, surely? The advice out there is great and it’s never been more accessible. However, only 43% of businesses and 44% of charities who do see the fantastic guidance actually make a change. It would be a great insight to learn from the other 56-57% of businesses and charities why they didn’t want to improve their security posture.

At least businesses and charities are aware of the guidance though. Ah, another awkward point we need to cover. It turns out the flow when seeking cyber security information is to talk to an external supplier first (typically the IT provider), then do some web searching and lastly check the government sites for advice. This might explain why only 12% of businesses and 11% of charities are aware of Cyber Essentials. The qualitative data shows that of that knowledgeable selection of organisations, most only found out about it through their clients mandating it in contracts.

Perhaps we’ll fare better with the free advice portals from the NCSC, such as the 10 steps or the small business guides, for example. Sadly, they don’t buck the trend either. Only 13% of businesses are aware of the NCSC 10 steps to cyber security.

Businesses will at least have MFA enabled, right? I mean, this subject has been omnipresent in every account signup process and every piece of phishing guidance, and is generally the done thing. Nope. Just 39% of businesses have MFA enabled. And we wonder why people still launch phishing attacks.

What Do We Do Now?

In summary, there are a lot of alarming statistics in this data set. Cyber crime is increasing rapidly. Leaders of organisations are generally vocalising support for cyber security but not undertaking the basics. Technical controls are still adrift of where they should be, as is the level of knowledge.

The drivers to improve cyber security are rarely to make the business or charity more secure; they’re mostly compliance driven, based on client specifications in contracts. Organisations are more likely to just pay attackers in ransomware situations, and perhaps that’s why there’s been an uptick in cyber insurance this year. When things go wrong, organisations stay quiet rather than seeking advice or informing their customers.

Despite all these challenges, the data has provided us with a basis to work from. Your business or charity can avoid being another cyber crime statistic by taking some steps.

  • Conduct a penetration test so you know where the risks are. We are here to help.
  • Look at your organisation’s supply chain risks and not just from a cyber security perspective.
  • Back your data up to a secure system, i.e. one that can’t just be deleted or encrypted by ransomware.
  • Secure your email service so it cannot be spoofed and configure employee devices so malware and phishing attempts are stopped in their tracks.
  • Enable MFA on as much as you can. We put some guidance together on MFA and how to reduce the risks around identity management in your organisation.
  • Deploy security tooling to help you identify attacks and defend yourself. This doesn’t need to be the most expensive solution, often free tooling can provide great insight. Speak to us and we’ll advise you on what’s best.

Data Source: UK Government Cyber Security Breaches Survey 2024