UK cybersecurity statistics you need to know

Use these key data points to help understand and communicate the risks UK businesses face.


Did you know that data breaches cost less in the UK than the global average, but security budgets are also smaller? Or that the vast majority of companies in the country have suffered incidents, and usually by phishing?

Having the right information can help CISOs make better and more informed decisions, and better communicate risk to stakeholders. Here’s a list of useful cybersecurity stats about the UK, put into a wider global context where comparable data is available.

Data breach scope in the UK

Up to 88% of UK companies have suffered breaches in the last 12 months, Carbon Black reports. That is lower than Germany (92%), France (94%), and Italy (90%).

One small business in the UK is successfully hacked every 19 seconds, according to Hiscox. Around 65,000 attempts to hack small- to medium-sized businesses (SMBs) occur in the UK every day, around 4,500 of which are successful. That equates to around 1.6 million of the 5.7 million SMBs in the UK per year. Cisco estimates 53% of SMBs suffered a security breach globally in 2018.

Thirty-seven percent of UK companies have reported a data breach incident to the Information Commissioner’s Office (ICO) in the past 12 months. Seventeen percent had reported more than one incident.

Cost of cybercrime in the UK

Data breaches cost UK enterprises an average of $3.88 million per breach, according to IBM and Ponemon’s Cost of a Data Breach study. That’s slightly lower than the global average of $3.92 million. The UK also has a smaller average breach size (23,600 in the UK versus 25,575 globally).

Thirty-three percent of UK organizations say they lost customers after a data breach. A Forrester study of UK and US companies found 38% had lost business because of security issues.

Forty-four percent of UK consumers claim they will stop spending with a business temporarily after a security breach, and 41% claim they will never return to a business post-breach, compared to 83% and 21% for customers in the US.

Twenty-three percent of AIG’s cyber insurance claims in EMEA in 2018 were for Business Email Compromise attacks. A further 18% were for ransomware incidents.

UK phishing stats

One in every 3,722 emails in the UK is a phishing attempt, according to Symantec. That figure is one in every 657 in Saudi Arabia, one in 3,231 in the US, one in 5,223 in Germany, and one in 3,471 in Australia. Nearly 55% of UK email is spam.

Around half of cyberattacks in the UK involve phishing. That’s roughly 20% higher than the global average.

Twenty-two percent of UK organizations do not provide their employees with regular security awareness training for email.

Biggest UK vulnerabilities

FTSE 250 companies have an average of 35 systems exposed to the internet. That’s more than Australian companies on the ASX 200 (29) but much less than the Fortune 500 (500).

UK security structure and budgets

Sixty-five percent of UK CISOs report to the CIO, while 12% of companies say the CISO is a peer to the CIO. In the US around 45% of CISOs report to the CIO. In the UK 58% have a CISO or equivalent, compared to 56% in the US.

Sixty-six percent of UK organisations say their security budgets have risen in the last year. A quarter of organisations reported that the increase over the previous 12 months had been ‘significant’. Globally, around 60% of organisations report budget increases, by an average of 13%.

The average UK cybersecurity budget is around $900,000, compared to an average of $1.46 million globally, according to Hiscox.

Thirty-one percent of UK organizations have done a cyber risk assessment in the last 12 months, according to the UK Government’s report into cybersecurity breaches. The same report says only 57% of large companies have cybersecurity incident response processes in place. Ponemon suggests globally that figure is only 33%.

There is a security staff shortage of more than 140,000 people within EMEA, according to ISC2. Over 60% of organizations surveyed by CSO say they are suffering skills gaps within the security function. In North America the shortage is estimated to be almost 500,000 people.

UK compliance stats

Seventy-five percent of the UK’s international data flows are with the EU, according to a recent study by UCL. The study also found disruption to EU-to-UK data flows will be “extremely damaging” for UK businesses in the event of the UK leaving the EU without a deal.

Fifty-five percent of EU companies claim to be fully compliant with the General Data Protection Regulation (GDPR). That figure falls to 43% among US organisations, 32% in Japan, and 29% in China. UK orgs spend an average of $1.16 million to be GDPR compliant, compared to $1.75 million in Germany, $1.58 million in France, and $1.41 million in the US.

There was a 21% decrease (to 966,000 offences) in computer misuse offences – actual and estimated – between 2018 and 2019, according to the Office of National Statistics (ONS). Only 422 prosecutions have been brought under the Computer Misuse Act 1990 in the last decade.

The biggest fine issued by the ICO so far is £183 million against BA for violations under GDPR. The same week the regulator issued a £99 million penalty to the Marriott hotel chain. Under the previous legislation the largest fine that could be issued was £500,000. Under the last year of the previous data protection act, the ICO issued 22 fines totaling just £3 million.

Facebook leaving the phone numbers and  of 18 million people from the UK exposed online, along with hundreds of millions of people from the rest of the world, is the single biggest incident affecting UK customers. The details of around 7 million UK customers were in the Marriott breach.

Copyright © 2019 IDG Communications, Inc.