1 in 5 businesses have been victims of cyber attack in the last year

Authored by Aviva

• A fifth of businesses have been victims of cyber attacks in the past year
• Businesses are 67% more likely to have experienced a cyber incident than a physical theft 
• Average claim for cyber attack – which can include ransomware, malware, and phishing– is £21,000
• Despite the increasing cyber threat, one in five businesses do not know what to do in the event of an attack

Aviva research reveals that one in five UK businesses have experienced a cyber attack or incident, with nearly one in 10 (9%) small businesses experiencing this in the last year. This number rises to 35% of large corporate businesses, showing the increasing risk that cyber presents.

With criminals often looking for opportunities in the run-up to Christmas and cyber swiftly becoming an increasing risk for both consumers and businesses alike, the research found that businesses are 67% more likely to have experienced a cyber incident than a physical theft and almost five times as likely to have experienced a cyber attack as a fire.

When looking at the repercussions of a cyber attack or incident, almost a third (31%) experienced operational disruption, with a further fifth (21%) experiencing data loss and system lockdowns. Such interruptions led to businesses claiming an average of £21,000 per incident according to Aviva data, although costs can run into the tens or even hundreds of millions of pounds.

While around half of UK businesses express confidence in handling a cyber incident or attack, one in five (20%) admit to not being confident in knowing what to do should this happen, a figure that rises to more than a quarter (27%) of small businesses, who appear to be the most vulnerable to such a risk. Not only does this increase the risk of further damage, it means that businesses also risk being non-compliant with data protection laws. Depending on the seriousness of the incident, businesses may be required to alert the ICO within 72 hours and sometimes also notify impacted individuals. Failure to do so can result in serious consequences, including fines of up to £8.7 million or two per cent of a business’ global turnover (whichever is higher).**

Despite the high frequency of cyber incidents experienced by businesses, Aviva’s research reveals a significant gap in cyber insurance coverage, most notably among small businesses – less than one in five of whom (17%) have a cyber insurance policy – and the same proportion (17%) say they are unaware that cyber insurance exists.

Commenting on the research, Stephen Ridley, Head of Cyber, Aviva, said: “It’s important to recognise that businesses of all shapes, sizes and sectors are at constant risk of a cyber attack – particularly at this time of year, with phishing emails often increasing around Black Friday and Christmas. The nature of such a threat means that cyber criminals are evolving their tactics, looking for the opportunity as opposed to setting their sights on large corporates alone.

“Though our research shows that one in three (31%) businesses see cyber as the biggest risk to their businesses, it’s worrying to see that many businesses do not know how to protect themselves from this emerging threat. Many businesses do not have cyber cover, leaving them exposed to high, unforeseen costs and significant business disruption which could amount to tens of thousands of pounds.

“If the chance arises, there’s a risk that cyber criminals will act and so it’s key to have both preventative measures and protection in place. Although businesses are more likely to purchase cyber cover after experiencing an attack, more and more affordable products are becoming available on the market from as little as £50 a year, like Aviva’s Cyber Respond. These could be a valuable lifeline to small businesses in particular, should the worst happen.”

Detective Superintendent Ian Kirby, CEO of the National Cyber Resilience Centre Group (NCRCG), said: “Cybercrime is something that can impact on any organisation, whatever its size or wherever it is in the country. It is essential that all businesses across the UK economy therefore have robust cyber practices in place, so that they are in the best position to protect themselves from cyber criminals.

“In the event of a live cyber attack, any business should immediately report it to Action Fraud who will direct them to the relevant law enforcement agency for investigation as appropriate. Importantly, however, I would also encourage small and medium-sized businesses to contact their regional, police-led Cyber Resilience Centre who will be able to offer free, high-quality support on the steps they can take to strengthen their cyber resilience for the future.

“One of the reasons why we are pleased that companies like Aviva have become National Ambassadors for NCRCG is that they recognise the risk of cybercrime, not just to themselves, but to all those in their supply chain, and are taking up the mantle in addressing this risk.”

Aviva’s cyber products are designed to help protect small and medium sized businesses against cyber-related attacks. Aviva recently launched Cyber Respond, a new cyber insurance policy targeted at micro-SMEs, which focuses on breach response services and starts from as little as £50 for a year’s cover. This policy sits alongside Aviva’s standard Cyber Complete policy aimed at businesses with a turnover of up to £500m with more complex digital operations.  

Aviva’s cyber products include access to a team of dedicated cyber experts who can help with the impact of an incident, including the ‘golden hour’, the first 60 minutes following a cyber attack. Effective action within this period can dramatically reduce the impact of the event. A 24/7 telephone line is also available, meaning help is available at the end of a phone to help businesses identify what the issue is and how to recover from the incident. If further help is needed, the policy provides cover for specialist IT forensics experts to resolve the event and get the business back up and running. Other benefits of Aviva Cyber Respond include an identity fraud monitoring service, 12 months of credit monitoring services and reputation management services to minimise adverse publicity following a loss. The policy also provides a telephone-based counselling service to help small business owners who may be struggling with their mental health in the wake of a cyber event.