Howden has estimated that firms can reduce the cost of cyber-attacks by up to 75% (£30bn) by implementing simple cyber security basics more widely.

Half of UK businesses, representing 1.3 million private sector companies, have suffered at least one cyber-attack in the past five years, costing on average 1.9% of revenue, according to Howden.

Proportion of UK businesses to have suffered a cyber-attack and average cost per attack by type 2019-2024. Source: Howden

Introducing basic cyber security measures could save the average UK business some £3.5m over ten years, equating to a return on investment of 25%, the broker estimated.

The insurance industry and government have a vital role to play in boosting cyber security uptake, by helping companies address common barriers around cyber investment, the (re)insurance broker emphasised.

UK businesses consider tax relief on cyber security investments to be the most effective policy lever to support their cyber resilience, Howden highlighted.

Howden published new research on cyber resilience among UK businesses, finding that half (52%) have suffered at least one cyber-attack in the past five years, equating to lost revenue in the region of £44bn.

Businesses with an annual revenue of over £100m were the most targeted group, with 74% of those surveyed having suffered a cyber-attack over the past five years.

However, threat levels are elevated across all businesses, with half (49%) of small and medium-sized enterprises (SMEs) with a revenue of £2m to £50m also experiencing a cyber-attack over the same period.

The most common causes of cyber-attacks were compromised emails (20%) and data theft (18%), Howden said, with the average cost of these attacks equating to £2.1m and £2m respectively.

“Cybercrime is on the rise, with malicious actors continuing to take advantage of cybersecurity vulnerabilities, particularly as firms become ever more reliant on technology for their operations,” said Sarah Neild, head of UK cyber retail.

“UK businesses are currently losing a significant amount of revenue to cyber-attacks, and the insurance industry is crucial to strengthening resilience and raising awareness of the security measures needed to help businesses protect their operations,” Neild said.

Security lax

Despite the growing threat posed by cyber-attacks, take-up of even the most basic cyber security measures remains low, highlighting a critical cyber security knowledge gap within UK businesses.

At present, 61% of businesses are estimated to be using antivirus software and only 55% are employing network firewalls. Organisations cite a number of obstacles to improving their cyber security, including cost (26%), insufficient knowledge (26%) and lack of internal IT resource (22%).

However, by implementing cyber security basics, Howden estimates that UK businesses could reduce cyber-attack costs by up to 75% (a total of £30bn from 2019-24), with the introduction of these measures saving the average UK business about £3.5m over ten years, equating to a return on investment of 25%.

To encourage greater take-up, UK businesses say that new policy measures such as tax relief on cyber investment (33%) will be the most effective way of improving cyber resilience within businesses, followed by free access to cyber expertise and resources (32%), compulsory minimum cyber standards (31%) and compulsory cyber insurance (26%).

SME engagement

Howden said the insurance industry must therefore work alongside the government to raise awareness of the growing severity and frequency of cyber-attacks and the return on investment that can be achieved with the implementation of cyber security measures.

In addition, the insurance industry has a vital role to play in boosting resilience by advising businesses on security and offering incident response services.

Engagement with SMEs will be particularly important, Neild emphasised.

“This segment has been historically underserved by the cyber insurance market yet forms an important backbone of economic activity, both in terms of its size but also as an engine of growth,” said Neild.

“Through increased insurance penetration and education about implementation, we can help businesses improve their cyber resilience and protect against loss of revenue from these attacks,” she added.