A third of UK firms suffer a cyber attack every week

Cyber attacks and related incidents at UK organisations continue their seemingly unstoppable rise, with new statistics from the Department for Digital, Culture, Media and Sport (DCMS), released recently, revealing that 31% of businesses and 26% of charity organisations now experience incidents on a weekly basis.

The data, contained in the annual Cyber security breaches survey report, paints a stark picture of the scale of the threat facing the average organisation, and the urgent need to boost standards and defences.

“It is vital that every organisation takes cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk,” said cyber minister Julia Lopez.

“No matter how big or small your organisation is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online.”

Some 20% of businesses and 19% of charities said they had experienced a negative outcome as a direct consequence of an attack. The average cost of an attack, spread out across all organisations, now works out at £4,200, or £19,400 if only medium and large businesses are considered, although there is probably a vast amount of under-reporting, so the true figures are certainly higher.

Meanwhile, 35% of businesses and 38% of charities said they had experienced some kind of negative impact during the incident, such as service downtime.


The most impactful forms of cyber attack experienced in the UK were simple phishing attempts, cited by 83% of the 39% of UK businesses that identified an attack. More sophisticated attacks, which in DCMS’s metrics include denial of service, malware or ransomware hits, were seen in 21% of cases.

Note that phishing attacks, if successful, will usually be a precursor to a more serious incident, such as ransomware, highlighting the importance of addressing phishing in cyber risk assessments and training initiatives.

In terms of incident management, just 19% of businesses told DCMS that they had a formal incident response plan in place, while 39% had assigned roles should an incident happen. The survey did, however, identify very clear evidence of a strong reactive approach to incidents, with the vast majority saying they would both inform the board and make an assessment of the attack, should one occur.

In terms of risk management, just over half, 54%, of businesses said they had acted in the past 12 months to identify risk, covering a range of potential actions, of which implementing security monitoring tools was the most common. However, this figure was actually down from a high point of 64% in 2020.

In terms of following guidance on cyber hygiene, the DCMS report found that 49% of businesses and 40% of charities had taken action against at least five of the 10 components contained in the official National Cyber Security Centre (NCSC) 10 steps to cyber security guidance, with identity and access management (IAM) surveyed most favourably, and supply chain security the least.


Owner of smallmediumbusiness.co.uk, technical specialist who has a passion for the environment and loves his tech.