We’re now well into 2025, and it will soon be time for the Cyber Breaches Survey 2025 - so what better time for a quick review of the 2024 data. We’ll follow up this recap with some in-depth analysis of the ‘25 report once it’s published.
It’s about more than just tech
Before we go any further, it’s important to remember that cyberattacks are not just IT issues. Often, we count the cost of an incident in terms of the price to recover IT systems, or perhaps the cost associated with cleaning up after a data breach, but incidents often lead to less obvious, but very real, financial impacts on businesses over the longer term. Therefore, take the figures suggested here as a minimum cost, rather than a maximum one. On the other hand, it’s worth noting that data on this subject consistently shows that, provided you have even basic protections in place, there’s a good chance that the cost of an attack might be £0.
Average Cost of a Cyber Incident for UK Businesses (2024–2025)
In the UK, we’re fortunate enough to benefit from a number of reliable and consistent sources of information - one of the best is the Annual Cyber Breaches Survey, which provides some insight into the typical costs of cyber incidents for businesses. Although the 2025 survey isn’t yet available, we do know that, according to the UK Cyber Security Breaches Survey 2024, about half of UK businesses (50%) experienced a cyber breach or attack in the prior 12 months [1].
For those that were hit, the “single most disruptive” incident cost the business an average of approximately £1,205 (combining all business sizes) [1]. That number seems fairly low, but it’s important to realise that this average includes many minor incidents and many incidents which were successfully defended against – in fact, the median cost (the most frequently recorded cost) was actually £0, reflecting the fact that many attacks which were successfully repelled (e.g. a phishing email caught in filters) did not result in a tangible loss [2]. This only goes to show that well-designed and implemented defences can, and do, provide real financial protection for businesses of all sizes.
Now for the “less good” news - the same survey shows that costs rise sharply when an attack succeeds. If we exclude cases where the attack was successfully repelled (i.e. we count only those where the attacker did achieve at least part of their goal), the average cost of an attack jumps to £3,270. There’s also a stark gap between “small” and “medium” businesses in the data - small businesses’ costs were, on average, £2,240, whereas medium businesses’ costs averaged £17,970. Part of this gap is doubtless due to the way that the survey stratifies its cost data - “micro” and “small” businesses are grouped, forming a category of “businesses less than 50 employees”, and “medium” and “large” businesses are grouped, yielding a category comprising any organisation over 50 employees. While it’s still great data, some more granularity would help organisations to understand their potential costs better. Suffice it to say that, per the 2024 data, the cost to your business will be, on average, somewhere between £2,240 and £17,970 for your “most impactful” incident of the year. Quick reminder, though: if you experience more than one incident in a year, the costs multiply!
Do unsuccessful attacks still cost?
One area worth focusing on a little more is that £0 figure - do some attacks really cost nothing? Probably not. The Survey itself acknowledges that even breaches that do not result in negative financial consequences or data loss can still have an impact on organisations, and this impact can translate to added cost. Almost a quarter of businesses (24%) and two-fifths of charities (41%) that experienced a breach or attack said they also experienced:
- Added staff time to deal with breach or inform others (14%, 25%)
- New measures needed for future attacks (14%, 21%)
- Stopped staff carrying out daily work (7%, 7%)
While none of these costs are likely to be as high as those caused by a successful attack, they’re still real costs that businesses need to keep in mind. To reduce these sorts of peripheral costs, organisations need to develop cybersecurity controls which aren’t just effective, but also efficient. Take breach notification - the most common issue highlighted above - many organisations make the mistake of attempting to draft a breach notification letter after an incident has already occurred. This very often leads to a rushed, poorly constructed and badly handled communication, which drives customer anger and raises tensions even further. Preparing these sorts of documents in advance, by contrast, can save critical time and effort during an attack, which can then be better used to respond properly.
Direct vs. Indirect Costs of an Incident
As we mentioned above, it’s not just the direct cost of an incident which needs to be considered. Ultimately, modern businesses (especially companies based wholly online) trade on trust. Trust is hard won and easily lost, especially when it comes to cyberattacks. While we can quantify the costs directly associated with an attack, it’s much harder to pin down the true cost of long-term loss of confidence. What we can say with certainty, however, is that customers do lose trust in organisations who fail to protect their data. Indeed, one study showed that 66% of consumers say they would not trust a company after a data breach [2], while another suggested that 60% of shoppers would avoid a retailer after a breach [3].
Prevention is the best cure
The Cyber Breaches survey provides us with some great data on how bad the impact of a breach can be - but the most important thing to remember is that with even basic cybersecurity defences in place, your business could be racking up £0 incidents, rather than £18k ones. Unfortunately, the survey data doesn’t tell us how many of the businesses which reported a £0 incident had a framework like Cyber Essentials in place, but I’d be willing to bet that many of them were either Cyber Essentials or ISO 27001 certified.
Getting Cyber Essentials certified (or building cyber resilience based on it, even if you don’t certify) can be much more cost-effective than you might imagine, and if that’s of interest to you, you can learn more here.
References
1. Department for Science, Innovation & Technology (UK), Cyber Security Breaches Survey 2024 – Official Statistics, Apr. 2024. [Online]. Available: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024
2. “66% of consumers wouldn’t trust a company post-breach”, Security Magazine, Jul. 2023. [Online]. Available: https://www.securitymagazine.com/articles/100296-66-of-consumers-would-not-trust-a-company-following-a-data-breach
3. “More than 60% of consumers would avoid a retailer post-breach”, Security Magazine, Oct. 2023. [Online]. Available: https://www.securitymagazine.com/articles/100466-more-than-60-of-consumers-would-avoid-a-retailer-post-breach