
20% of businesses negatively affected by a cyber-attack in the last 12 months

The Department for Digital, Culture, Media and Sport (DCMS) has released its annual Cyber Security Breaches Survey which surveys UK businesses, charities and education institutions as part of the National Cyber Security Programme.

The proportion of businesses and charities reporting any breaches or attacks has remained similar to last year. However, this contradicts the longer-term trend for both organisation types.

There has been a decline in the proportion of businesses identifying breaches or attacks since 2017 (39% vs. 46%). Conversely, there has been a significant increase for charities since we started surveying them in 2018 (30% vs. 19%).

Percentage of organisations over time identifying any breaches or attacks

Key findings:

  • 31% of businesses and 26% of charities estimate they were attacked at least once a week.

  • One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact.

  • There has been a 9% decrease in the number of businesses who have cyber security policies that cover remote or mobile working, whilst the number of charities covering it increased by 10%.

  • Only 32% of businesses and 26% of charities are using a virtual private network (VPN) for employees who are connecting remotely.

  • The most common threat vector was phishing attempts (83%).

  • Organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

  • The average estimated cost of all cyber-attacks in the last 12 months is £4,200. For medium and large businesses, the figure rises to £19,400.

  • Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, with organisations citing access to greater expertise, resources, and standards for cyber security.

  • Consequently, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

So, what do these findings mean for businesses like yours?

The latest Cyber Security Breaches Survey demonstrates that businesses of all sizes still have a way to go in knowing how best to protect themselves from cyber-attacks. With 83% of attacks related to phishing attempts, there is still more to be done to educate businesses on better cyber hygiene practices.

The first thing we would encourage businesses to do is to become a FREE member of the WMCRC. With this membership, you will receive regular tips and guidance on how to firm up your business’s cyber security. We have already produced checklists for you to follow to help you develop best practices, short and easy-to-follow videos that highlight how to spot the signs of a phishing attack, and many other resources.

Receive your digestible welcome pack when you sign up today and start protecting your business.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.
