By dswinhoe, Editor

UK cybersecurity statistics you need to know

Feature
May 06, 2020 | 8 mins
Data Breach, Risk Management, Security

Use these key data points to help understand and communicate the risks UK businesses face.


Did you know that data breaches cost less in the UK than the global average, but security budgets are also smaller? Or that the vast majority of companies in the country have suffered incidents, and usually by phishing?

Having the right information can help CISOs make better and more informed decisions, and better communicate risk to stakeholders. Here’s a list of useful cybersecurity stats about the UK, put into a wider global context where comparable data is available.

Data breach scope in the UK

Up to 88% of UK companies have suffered breaches in the last 12 months, Carbon Black reports. That is lower than Germany (92%), France (94%), and Italy (90%).

One small business in the UK is successfully hacked every 19 seconds, according to Hiscox. Around 65,000 attempts to hack small- to medium-sized businesses (SMBs) occur in the UK every day, around 4,500 of which are successful. That equates to around 1.6 million of the 5.7 million SMBs in the UK per year. Cisco estimates 53% of SMBs suffered a security breach globally in 2018.

Thirty-seven percent of UK companies have reported a data breach incident to the Information Commissioner’s Office (ICO) in the past 12 months. Seventeen percent had reported more than one incident.

Cost of cybercrime in the UK

Data breaches cost UK enterprises an average of $3.88 million per breach, according to IBM and Ponemon’s Cost of a Data Breach study. That’s slightly lower than the global average of $3.92 million. The UK also has a smaller average breach size: 23,600 records in the UK versus 25,575 globally.

Thirty-three percent of UK organizations say they lost customers after a data breach. A Forrester study of UK and US companies found 38% had lost business because of security issues.

Forty-four percent of UK consumers claim they will stop spending with a business temporarily after a security breach, and 41% claim they will never return to a business post-breach, compared to 83% and 21% for customers in the US.

Twenty-three percent of AIG’s cyber insurance claims in EMEA in 2018 were for Business Email Compromise attacks. A further 18% were for ransomware incidents.

Forty-eight percent of UK organisations were hit by ransomware in the last year, according to Sophos. This is lower than the global average of 51%. Thirteen percent of UK organizations reportedly paid the ransom.

The average remediation cost of a successful ransomware attack to UK enterprises is $840,000, higher than the global average of $761,000. Thirty-two percent of UK companies have cybersecurity insurance that doesn’t cover ransomware.

UK phishing stats

One in every 3,722 emails in the UK is a phishing attempt, according to Symantec. That figure is one in every 657 in Saudi Arabia, one in 3,231 in the US, one in 5,223 in Germany, and one in 3,471 in Australia. Nearly 55% of UK email is spam.

Around half of cyberattacks in the UK involve phishing. That’s roughly 20% higher than the global average.

Twenty-two percent of UK organizations do not provide their employees with regular security awareness training for email.

Biggest UK vulnerabilities

FTSE 250 companies have an average of 35 systems exposed to the internet. That’s more than Australian companies on the ASX 200 (29) but much less than the Fortune 500 (500).

UK security structure and budgets

Sixty-five percent of UK CISOs report to the CIO, while 12% of companies say the CISO is a peer to the CIO. In the US around 45% of CISOs report to the CIO. In the UK 58% have a CISO or equivalent, compared to 56% in the US.

Sixty-six percent of UK organisations say their security budgets had risen in the last year. A quarter of organisations reported that the increase over the previous 12 months had been ‘significant’. Globally around 60% of organisations are reporting budget increases by an average of 13%.

The average UK cybersecurity budget is around $900,000, compared to an average of $1.46 million globally, according to Hiscox.

Thirty-one percent of UK organizations have done a cyber risk assessment in the last 12 months, according to the UK Government’s report into cybersecurity breaches. The same report says only 57% of large companies have cybersecurity incident response processes in place. Ponemon suggests globally that figure is only 33%.

There is a security staff shortage of more than 140,000 people within EMEA, according to ISC2. Over 60% of organizations surveyed by CSO say they are suffering skills gaps within the security function. In North America the shortage is estimated to be almost 500,000 people.

There are an estimated 1,221 firms within the UK providing cyber security products and services, according to a report from the UK Government. Those firms employ ~43,000 Full Time Equivalents (FTEs) in a cyber security related role and generate a total annual revenue of £8.3 billion. The number of firms, security roles, and revenues have all grown at a rate of over 35% in the last two years.

Cybersecurity firms in the UK predominantly offer cyber professional services (provided by 71% of firms), threat intelligence, monitoring, detection and analysis (46%), or endpoint security, including mobile security (37%). Most UK cyber firms have fewer than 10 employees.

Forty-two percent of UK organizations cite concerns around introducing security or compliance risks as a barrier for digital transformation, according to NTT. A further 35% cite potential business disruption as an obstacle for innovation.

UK compliance stats

Seventy-five percent of the UK’s international data flows are with the EU, according to a recent study by UCL. The study also found disruption to EU-to-UK data flows will be “extremely damaging” for UK businesses in the event of the UK leaving the EU without a deal.

Fifty-five percent of EU companies claim to be fully compliant with the General Data Protection Regulation (GDPR). That figure falls to 43% among US organisations, 32% in Japan, and 29% in China. UK orgs spend an average of $1.16 million to be GDPR compliant, compared to $1.75 million in Germany, $1.58 million in France, and $1.41 million in the US.

There was a 21% decrease (to 966,000) in computer misuse offences – actual and estimated – between 2018 and 2019, according to the Office for National Statistics (ONS). Only 422 prosecutions have been brought under the Computer Misuse Act 1990 in the last decade.

A quarter of UK organizations have notified the ICO of a breach or potential breach within their organisation, according to a survey by Apricorn. A further 21% have had a breach or potential breach reported by a third party.

The biggest fine issued by the ICO so far is £183 million against BA for violations under GDPR. The same week the regulator issued a £99 million penalty to the Marriott hotel chain. Under the previous legislation the largest fine that could be issued was £500,000. Under the last year of the previous data protection act, the ICO issued 22 fines totaling just £3 million.

Facebook leaving the phone numbers and linked Facebook IDs of 18 million people from the UK exposed online, along with hundreds of millions of people from the rest of the world, is the single biggest incident affecting UK customers. Equifax says around 15.2 million UK records were exposed or lost in its 2017 breach, while the details of around 7 million UK customers were in the Marriott breach.

UK CISO, board and skills stats

The average CISO salary in the UK is £87,000 per year, according to PayScale.com. CISOs in London can earn an average of 30% more than in other parts of the country.

The average tenure of a CISO is just 26 months, and UK CISOs work an average of nine hours of overtime a week, according to Nominet.

Thirty-seven percent of CISOs have been in the security industry for 15 to 25 years, according to ClubCISO. Twenty-one percent have 11 to 15 years of experience, 19% have 5 to 10 years’ worth, and 12% less than 5 years.

Fifty-five percent of CISOs left their last role either to progress their career or because they didn’t feel challenged anymore, according to the same report. A further 22% left because they were frustrated with their company’s approach to security.

Eighty-eight percent of UK CISOs are male and 12% are female, according to a SASIG/Cyber Connect UK study. By comparison, SpencerStuart reports that 29% of CIOs in the UK are women.

Thirty-seven percent of UK businesses have board members with a cybersecurity brief, according to the UK Government data breach statistics, up from 28% in 2016.

The UK Government’s Cyber security skills in the UK labour market 2020 report says just under 400,000 cybersecurity-related jobs were posted over the past three years in the UK. The most common roles sought are security engineers (18%), security analysts (13%), security architects (10%), security managers (9%) and security consultants (8%).

Half of all businesses in the UK have just one person responsible for cybersecurity in-house, the same government study found. Thirteen percent of orgs with over 250 staff still only have one security employee, while 12% of large businesses employ a head of information security, CISO or CSO.