UK Businesses Under Siege: The Cyber Attack Crisis of 2024
Bottom Line Up Front: Despite slight improvements in cyber security preparedness among smaller businesses, UK companies continue to face a relentless barrage of cyber attacks. The latest government survey found 43% of businesses identifying a breach or attack in the previous 12 months (down from 50% a year earlier), and insurer research puts cumulative losses at around £44 billion over five years.
The cyber threat landscape facing UK businesses has reached alarming proportions, with new government data revealing the persistent and costly nature of digital attacks against British enterprises. While some progress has been made in defensive measures, particularly among smaller firms, the financial toll and the frequency of identified breaches and attacks continue to underscore the urgent need for stronger cyber resilience across all sectors.
The Scale of the Problem
Just over four in ten businesses (43%) and three in ten charities (30%) reported having experienced any kind of cyber security breach or attack in the last 12 months, according to the latest government Cyber Security Breaches Survey 2025. This equates to approximately 612,000 businesses and 61,000 charities having identified a cyber breach or attack in the past year.
The latest figure is a modest improvement on 2024, when 50% of businesses identified an attack, a fall the survey's authors attribute to an "observed strengthening of cyber hygiene among small businesses". One caveat applies to every prevalence figure in this report: the survey counts breaches and attacks that organisations identified, so it understates activity against those with little monitoring, and a fall can reflect changes in detection as much as changes in attacker behaviour. The threat remains formidable, with larger organisations continuing to report far higher rates.
The prevalence of breaches and attacks in medium and large businesses remains high (67% of medium and 74% of large businesses). This reflects both that larger enterprises are attractive targets, with more to steal and more to extort, and that they are more likely to have the monitoring in place to identify an attack at all.
The £44 Billion Price Tag
The financial impact of cyber attacks on UK businesses has been severe. Cyber attacks have cost British businesses around £44 billion ($55.08 billion) in lost revenue over the past five years, with 52% of private-sector companies reporting at least one attack in that period, according to research by the insurance broker Howden.
On average, cyber attacks cost affected businesses 1.9% of their revenue, a substantial drag on performance. Companies with revenue above £100m were more likely to report a breach, consistent with criminals concentrating their effort on high-value organisations.
The direct cost of individual incidents varies widely with business size. Among businesses that identified any breach or attack, the government survey estimates that the single most disruptive breach of the previous 12 months cost a business of any size roughly £1,205 on average; for medium-sized businesses the figure was £10,830. These survey means are averaged across a large number of incidents with no or negligible cost, so they are not directly comparable with the per-breach figures in the next paragraph, which come from a different methodology and sample.
Small and medium enterprises (SMEs) are particularly poor at estimating what an attack would cost them. Research finds that UK SMEs yet to experience an attack underestimate its financial impact by nearly £85,000: never-attacked businesses expected losses of around £39,633, against the £123,984 actually incurred by companies that had been breached.
Phishing Remains the Primary Threat Vector
Phishing is the most common type of attack, reported by 84% of businesses and 83% of charities that identified any breach or attack. A separate industry study, using a different categorisation, found the most commonly reported causes of attacks to be compromised email accounts (20%) and data theft (18%).
Phishing's persistence as the dominant method reflects both its effectiveness and the continuing sophistication of social engineering. The survey's qualitative interviews also found that phishing attacks have become more sophisticated as the technology available to attackers has advanced.
After phishing, the next most common type is impersonation of the organisation or its staff (35% of businesses and 37% of charities), followed by other malware such as viruses or spyware (17% of businesses and 14% of charities).
Ransomware affects a far smaller share of businesses but is rising: the proportion reporting a ransomware attack doubled from 0.5% in 2024 to 1% in 2025. Both figures are small, but on the survey's own population base of roughly 1.4 million businesses (612,000 is 43% of it) that 1% is on the order of 14,000 organisations, and ransomware incidents are disproportionately disruptive.
Sector Variations in Cyber Exposure
The cyber threat landscape varies significantly across different business sectors. Businesses in the information or communication sector (69%) and the professional, science or technical sector (55%) were significantly more likely than businesses overall to have identified breaches or attacks in the last 12 months.
Conversely, businesses less likely to have identified breaches or attacks in the last 12 months include those in the food or hospitality sector (30%) and the retail or wholesale sector (32%).
This variation likely reflects the sectors' different digital footprints, the varying attractiveness of their data and systems to criminals, and their varying ability to notice an attack. Technology and professional services companies maintain more extensive digital infrastructure and handle valuable intellectual property, making them attractive targets, and their technical literacy also makes them more likely to identify an attack when one occurs.
Defensive Measures and Preparedness Gaps
Despite this, basic controls are far from universal. Only 61% of businesses reported using anti-virus software and only 55% network firewalls, fundamental gaps in security hygiene.
Formal incident response planning is similarly thin. Only 22% of UK businesses have a formal cyber security incident management plan, and in 2024 only 31% of businesses and 26% of charities had carried out a cyber security risk assessment or health check.
There are encouraging signs among smaller businesses, however. In 2024, 49% of small businesses and 40% of micro-businesses reported phishing attacks; in 2025 those figures fell to 42% and 35%. The survey also found small businesses increasingly adopting risk assessments, cyber insurance, written security policies and business continuity plans.
Small businesses showed a significant increase in implementing various incident response measures compared to 2024, including guidance on internal reporting (55% compared to 48% in 2024), external communication plans (29% compared to 21% in 2024), and guidance on external reporting (48% compared to 41% in 2024).
The Leadership Challenge
Board-level governance is moving in the wrong direction. Only 27% of businesses have a board member with responsibility for cyber security, a significant decline from 38% in 2021. This loss of board-level oversight comes precisely as threats become more sophisticated and more costly.
The absence of cybersecurity expertise in corporate governance creates challenges for technical teams who must now present complex security issues to board members lacking technical backgrounds. As one cybersecurity professional noted, this requires "a constant dialogue about what we're doing, this is why we're doing it" to ensure proper understanding and support for security initiatives.
Economic and Geopolitical Context
The cyber threat environment has been exacerbated by broader economic and geopolitical factors. Interviewees who reported a rise in attacks pointed mainly to increased phishing risk, with some saying that "the difficult economic conditions were driving opportunists to take advantage".
The geopolitical dimension is also growing: one tally of cyber attacks recorded between April 2023 and March 2024 classed 90% of them as politically motivated. That figure comes from a different dataset than the government survey, which does not measure attacker motivation at all, so the two should not be read against each other; it nonetheless underscores the growing intersection between cybercrime and global politics.
This politicization of cyber threats adds complexity to the defensive challenge, as businesses must now contend not only with financially motivated criminals but also with state-sponsored actors pursuing strategic objectives.
EU Compliance and Cross-Border Regulatory Challenges
Brexit has created additional complexity for UK businesses operating in European markets, which must navigate two regulatory frameworks while maintaining their security posture. Where a UK organisation offers goods or services to, or monitors the behaviour of, individuals in the EU, the EU GDPR applies to that processing alongside the UK GDPR.
The intersection of security incidents and compliance obligations compounds the risk. A cyber attack that results in a personal data breach can trigger regulatory action in more than one jurisdiction, and both the UK GDPR and the EU GDPR require a notifiable breach to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, where feasible. Remote workers can also access and move data in ways that breach the growing list of privacy and data protection laws, as well as contractual obligations to other organisations.
Managing this requires mapping regulatory requirements across every jurisdiction in which an organisation operates. Regulatory mapping tools are one way to do that for organisations working across the UK-EU border, but the underlying requirement is an integrated approach that treats security controls and compliance obligations together rather than in silos.
For organisations with obligations in several EU member states, mapping the requirements of each helps expose gaps that a security incident could turn into regulatory exposure.
High-Profile Incidents and Their Impact
The year 2024 saw damaging attacks on critical UK infrastructure that showed the real-world consequences of cyber vulnerabilities. A ransomware attack on the pathology supplier Synnovis on 3 June 2024 significantly disrupted patient care: Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust and primary care services in south-east London were quickly forced to cancel operations and divert emergency patients.
NHS England reported that, as of 15 August, 1,693 elective procedures and 10,054 acute outpatient appointments had been postponed at King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust since 3 June. The attack also contributed to a critical shortage of O-group blood across NHS hospitals, because hospitals without access to the usual matching service had to fall back on universal-donor types.
These incidents underscore how cyber attacks extend far beyond immediate financial losses to create cascading effects that can impact public safety and essential services.
The Path Forward: Investment, Innovation, and Integrated Compliance
Despite the significant challenges, there are reasons for cautious optimism. Howden estimates that by implementing cyber security basics, UK businesses could have cut attack costs by up to ~75% (around £30bn over 2019-24), with those measures saving the average UK business ~£3.5m over ten years, a return on investment of 25%.
However, modern cybersecurity strategies must integrate compliance considerations from the outset rather than treating them as separate concerns. The traditional approach of addressing security and compliance in silos is no longer viable in an environment where cyber incidents can trigger multiple regulatory obligations simultaneously.
Organisations operating across UK-EU borders face particular challenges in keeping security and compliance aligned. Post-Brexit divergence means incident response procedures must account for different notification routes (the same incident may need reporting to the ICO under the UK GDPR and, because the UK is outside the EU's one-stop-shop mechanism, separately to the relevant EU supervisory authority under the EU GDPR, each on its own 72-hour clock), different data transfer restrictions, and different enforcement approaches. An incident response plan that names only one regulator is incomplete for such an organisation.
To accelerate adoption of integrated cybersecurity and compliance measures, businesses have identified several policy interventions that would be most effective. UK businesses say that new policy measures such as tax relief on cyber investment (33%) will be the most effective way of improving cyber resilience within businesses, followed by free access to cyber expertise and resources (32%), compulsory minimum cyber standards (31%) and compulsory cyber insurance (26%).
The integration of compliance management into cybersecurity planning offers additional benefits beyond regulatory adherence. Organizations with mature compliance programs often demonstrate better overall risk management, more systematic approaches to documentation, and enhanced incident response capabilities. This alignment between security and compliance objectives creates synergies that strengthen overall organizational resilience.
For organisations developing an integrated approach, understanding the specific regulatory landscape in every jurisdiction they operate in is critical: mapping requirements across European markets and globally shows both where obligations overlap and where risk concentrates.
The convergence of cyber security and data protection requirements, particularly around the GDPR and ISO standards such as ISO/IEC 27001, calls for guidance that addresses both security implementation and compliance validation, so that protective measures satisfy operational and regulatory requirements at the same time.
Expert Perspectives
Industry professionals emphasize the need for a coordinated approach to address the cyber threat. Matt Cooke, a cybersecurity strategist, noted that "Phishing continues to plague UK businesses, so it comes as no surprise that this remains the number one threat in this year's report".
The insurance industry is positioning itself as a key partner in improving resilience, arguing that it must work alongside government to raise awareness of the growing severity and frequency of cyber attacks and of the return on investment that basic security measures deliver.
Looking Ahead: The Continuing Challenge
The cyber threat facing UK businesses shows no sign of abating. In 2023, global ransomware attacks surged by 85%, and ransomware payments exceeded US$1bn for the first time, indicating that criminals are becoming more successful and better resourced.
The attacks themselves continue to evolve, often going beyond encryption and extortion to include the theft of sensitive personal or commercial data. That makes them harder to mitigate: restoring from backup or paying for a decryptor no longer removes the attacker's leverage when the stolen data can still be published.
For UK businesses, the message is clear: cybersecurity can no longer be treated as an optional IT consideration but must be recognized as a fundamental business risk requiring board-level attention, adequate investment, and comprehensive planning. The cost of inaction, as demonstrated by the £44 billion in losses over the past five years, far exceeds the investment required for effective cybersecurity measures.
As the threat landscape continues to evolve, businesses that fail to adapt their defensive postures will find themselves increasingly vulnerable to attacks that can not only inflict immediate financial damage but also cause long-term reputational harm and operational disruption. The time for complacency has long passed – the question now is whether UK businesses will rise to meet this challenge before it becomes even more costly and disruptive.
This analysis is based on the latest government cyber security surveys, insurance industry reports, and cybersecurity research conducted throughout 2024 and early 2025.