Ipsos MORI and its partner, the Institute of Criminal Justice Studies (ICJS) at the University of Portsmouth, were commissioned by the UK Government’s National Cyber Security Programme to survey UK businesses on their approach to cyber security and the costs they have incurred from cyber security breaches. The survey and report have been endorsed by the Confederation of British Industry (CBI), the Federation of Small Businesses (FSB), and the Institute of Chartered Accountants in England and Wales (ICAEW).
E-commerce has become much more important to UK businesses in recent years. In this context, seven in ten businesses (69%) say cyber security is either a very high (33%) or fairly high (37%) priority for their organisation’s senior management. However, many may not fully understand how their organisation is at risk and what action to take:
- Just half (51%) of all businesses have attempted to identify the cyber security risks faced by their organisation, for example through health checks, risk assessments or audits.
- Half of all firms (48%) have enacted basic technical controls across all five areas laid out under the Government-backed Cyber Essentials scheme.
- Three in ten (29%) have written cyber security policies, and just one in ten (10%) have formal incident management processes.
- While most businesses set rules and controls within their organisations, just 13 per cent set minimum cyber security standards for their suppliers.
- A quarter (24%) of all businesses detected one or more cyber security breaches in the last 12 months. This is substantially higher among medium firms (51%) and large firms (65%).
Among the businesses that detected breaches:
- The estimated average cost of all breaches over the last 12 months is £3,480. This is much higher for large firms, at £36,500.
- The estimated average cost of the single most disruptive breach from the last 12 months is £2,620 across all businesses and £32,300 for large businesses.
The qualitative research finds that businesses face various barriers to accurate monitoring of cyber attacks, and may therefore underestimate the costs they do and will incur from cyber security breaches. Businesses may benefit from being more aware of the range of Government support on cyber security available on the gov.uk website, such as the small business guidance, free online training, 10 Steps guidance and the Cyber Essentials scheme.
- Ipsos MORI surveyed 1,008 UK businesses (including 203 large businesses employing 250 or more staff) by telephone from 30 November 2015 to 5 February 2016.
- Data are weighted to be representative of all UK businesses.
- A total of 30 in-depth interviews were undertaken in January and February 2016 to follow up businesses that participated in the survey.