The Independent’s journalism is supported by our readers. When you purchase through links on our site, we may earn commission. Why trust us?
Unless you live off-grid and offline, you’ll be familiar with cybercrime. It’s likely you’ve even been the victim of a cyberattack already – though you might not be aware of it.
With just shy of six billion electronic records being stolen globally, according to the latest Mimecast Email and Collaboration Security report, the world of cybercrime is vast and, for those attempting to understand and resolve it, the landscape is ever-changing. From receiving a shady text from the Post Office to having your email compromised following your Ferrari upgrade, letting your guard down online simply isn’t an option.
While a good VPN combined with up-to-date anti-virus software will cover your IP address and give you more general peace of mind while browsing, when it comes to protecting yourself from cybercrime, there’s always more that can be done. Cybercrime is by no means new and some of the most prominent cases — such as WannaCry, Petya, NotPetya which disrupted at least 81 English health trusts and cancelled nearly 19,494 medical appointments — date back to 2017 with continued impact.
It’s a battle for individuals and smaller companies just as much as it is for big organisations; as the digital space is expanding and as AI is impacting our everyday lives, hackers are getting more inventive every day. And, if you’re not convinced that cybercrime is going to be an issue in your life, the statistics below will change your mind.
It seems that the UK is ripe for cybercrime. Currently second on the Global Cyber Security Index behind the US, here are some stats that make it clear why better prevention and general management of cyber threats is more essential than ever.
A survey by the Department for Science, Innovation & Technology showed that one in two businesses reported a cyber breach or attack in the last 12 months, while almost a third of charities (32%) reported the same.
These figures are much higher for medium businesses, where 70% experienced a cyber breach, large businesses (74%), and charities with yearly incomes of £500,000 or higher (66%).
According to the UK Official Statistics Cyber Security Breaches report 2023, 61% of businesses and 56% of charities reported that staff receiving fraudulent emails or using fraudulent websites was the most disruptive cyber security breach.
This was followed by people impersonating their organisation or staff in emails or online.
According to NSCS’s annual review, there were 2,005 cyber security incidents in 2023—an increase of 64% from the previous year. Of these, 62 were nationally significant, and four were among the most severe incidents the NCSC has had to manage (compared with one last year) due to the sustained disruption they caused and the victims’ links to critical infrastructure via supply chains.
According to the UK Official Statistics Cyber Security Breaches report 2023, 32 per cent of businesses and 20 per cent of charities note cyber attacks as frequently as once a week. Seven per cent of businesses even reported they experienced cyber attacks as commonly as several times a day.
In organisations that identified breaches with an outcome, the average cost of cybercrime for UK businesses for short-term expenses (payments to external IT consultants, any payments to the attackers, money stolen) reported by the UK government is £1,630. This figure stands at £4,250 for medium and large businesses. The figure for micro/small UK businesses was £1,450, and £1,130 for charities.
Money is a huge motivation for cyber attacks around the world. According to Steve Morgan, editor-in-chief at Cybersecurity Ventures, if cybercrime was measured as a country, it would be the world’s third largest economy, behind the US and China. Now to see what else has been happening beyond the UK, and no doubt shaping the cybersecurity landscape.
According to Cybersecurity Ventures, damage costs are set to increase by 15 per cent per year until 2025 where estimates predict that global expenditure on cybercrime could reach US$10.5 trillion (£8.4 trillion).
According to the Mimecast Email and Collaboration Security report, cybercrime is expected to surge by 15% throughout 2024, going from a global total of US$8 trillion (£6.2 trillion) in 2023 to a projected US$10.5 trillion (£8.2 trillion) by the end of 2025. This number sat at US$3 trillion (£2.3 trillion) in 2015.
Hacktivism, where hackers pursue political agendas through cyber attacks, continued to gain momentum during Q3 in 2023, with public safety organisations emerging as prime targets, as revealed by the Public Safety Threat Alliance (PSTA). During that time, hacktivist threats accounted for 83 per cent of all cyber activities targeting the public safety sector.
Law enforcement agencies experienced a 28 per cent surge in cybercrime incidents, primarily fueled by hacktivism and financial motivations.
According to IBM’s 2023 report, it takes an average of 277 days for those on the frontline of security to identify and respond to a security breach. This is the same amount of time as in 2022 but 10 days fewer than in 2021.
The longer it takes to identify and contain a cyberattack, the more expensive it is. The 2023 report also shows an average cost saving of US$1.02 million (£801,862)— 23 per cent —for breaches that took less than 200 days to contain.
5. Ransomware damages cost 57 times more in 2021 than in 2015: US$20 billion (£16 billion)
According to Cybersecurity Ventures’ 2023 report, ransomware could cost victims (consumers and organisations) around US$265 billion (£212 billion) annually by 2031, with new attacks as frequent as every two seconds. In 2021, it was estimated damages were US$20 billion (£16 billion). The UK’s NCSC chief executive officer, Lindy Cameron, believes ransomware could now be the most immediate cybersecurity threat to UK businesses.
A Clark School study, conducted by Michel Cukier in a bid to profile “brute force” hackers, showed that attacks are happening all the time on computers with an internet connection, averaging 2,244 attempts a day and amounting to one attack every 39 seconds. Although not all successful, most are trying to access usernames and passwords.
There are a number of ways that data can be compromised, and many companies are falling victim to data breaches. According to IBM’s study, data breaches have become increasingly costly, with the average breach setting organisations back a record-breaking US$4.45 million (£3.49 million) in 2023 — a 2.3% increase from the US$4.35 million average cost in 2022.
Looking back over a longer timeframe, the financial toll of data breaches has increased by 15.3% since 2020, when the average cost stood at $3.86 million.
The effects of cybercrime and data breaches are expansive and global. According to Statista studies, there were 3,205 cases of data compromises on US individuals last year, and 353 million individuals were in some way affected by threat actors.
Email phishing is the most common type of attack, SoSafe’s Cybercrime Trends Report 2024 tells us. Although, the report also reveals the cyber threat landscape is rapidly evolving, with 34 per cent of attacks now leveraging social media platforms. This trend poses a significant risk, particularly for small businesses that heavily rely on social media to attract and engage customers. Cybercriminals are exploiting this vulnerability, hijacking business accounts and essentially crippling their operations.
According to IBM’s 2023 report, healthcare is regarded as one of the most highly regulated industries in the US and, for the 13th consecutive year, remains the costliest industry for data breaches. The cost of a data breach for the healthcare industry in 2023 was estimated at US$10.93 million (£8.5 million), 53.3 per cent higher than it was in 2020.
The following top four industries by costs incurred are the financial, pharmaceutical, energy, and industrial sectors. Notably, IBM’s threat intelligence data reveals that the manufacturing industry emerges as the most frequent target for cybercriminal activities.
It’s becoming clear that learning from failures and staying one step ahead of the cybercriminals is what will help victims come out on top, but with cybercrime set to cost the world $13.8 trillion dollars (£10.8 trillion) by 2028, there is still some work to be done.
Costs resulting from cybercrimes are not just fraud on a public or private company level; the impacts can be expansive. Pauses in productivity, lawsuits from data compromises and long-term effects of stolen business intelligence for organisations, not to mention reputational harm, all add up. For example, the MOVEit ransomware attacks that occurred in June 2023 impacted millions of individuals and thousands of organisations. Through the payment of ransomware demands, the cybercriminal group Cl0P, is estimated to have amassed millions of dollars, according to the World Economic Forum’s Global Cybersecurity Outlook January 2024 Insight Report.
When it comes to the different types of cybercrime, there are many. Malware, phishing, ransomware and disrupted denial of service attacks (DDoS ) are some of the most common.
The NCSC’s annual report highlights ransomware as one of the biggest threats to domestic organisations, taking up a lot of its efforts. Between September 2022 and August 2023, the NCSC received 297 reports of ransomware activity. However, the threat landscape is seeing a rise in data extortion attacks, where cybercriminals steal sensitive information without encrypting it.
The NCSC believes these threats will only increase with AI becoming more widely available. The Rt Hon Oliver Dowden CBE MP says:
“The rapid rise of artificial intelligence (AI) is accelerating the pace of change, compounding the threats and lowering the barrier to entry. As a result, the cyber world is a more dangerous place than ever before, and cyber security is rising up our risk register.”
IBM’s X-Force Threat Intelligence Index 2024 details that the manufacturing sector is the most at risk of cyber attacks, with the industry experiencing 25.7 per cent of incidents within the top 10 industries throughout 2023. Finance and insurance (18.2 per cent) was the second-most attacked industry and professional, business and consumer services (15.4 per cent) were the third.
It’s clear that bigger companies, which have access to more funding and better resources, can absorb the cybercrime costs more easily. A 2023 ITRC Business Impact report found that 73% of US small businesses had experienced a cyber breach or data attack in 2023. From these, 13% of owners said these attacks cost the business more than US$500,000 (£393,225).
Outside of the costs of dealing with a cyber attack, ransom payments differed between business sizes. According to Sophos’ The State of Ransomware 2024 report, smaller companies with annual revenues under US$10 million (£7.8 million) are less likely to pay ransoms, with only 25% of such firms reporting having made ransom payments. Whereas larger companies with revenues exceeding US$5 billion (£3.9 billion) have the highest ransom payment rate at 61%. However, a key factor influencing this will most likely be the availability of funds, as many small businesses simply lack the financial resources to cover the ransom demands.
The NSCS’s annual review 2023 highlights how important it is to improve the UK’s cyber resilience to significant cyber risks to safeguard the country’s infrastructure. The organisation is looking to continue building an understanding of the cyber threats to both businesses and individuals.
Furthermore, the National Cybersecurity Strategy report released by the US Biden-Harris Administration highlights a want to better support vulnerable individuals and small businesses in cyberspace. The report, released 2 March 2023, notes how the US is preparing to invest US$65 billion into a safe and reliable internet and outlines plans to bolster online defences to create a secure digital environment.
As we continue in 2024, many say that we’re going to see more unusual cases of cybercrime attacks. Therefore, companies need to set the pace when it comes to cybercrime and emphasise vigilance while actively building defence systems and not giving threat actors easy or obvious targets.
According to Proofpoint’s 2024 report, only 59 per cent of employees were either unsure or claimed they weren’t responsible for security in their companies.
This is set to shift. An awareness of how cyberminds are working in the modern age will be key to understanding the future of cyberattacks and defence, according to cyber expert Bruce Schneier, Harvard University.
However, knowing which will take precedence in the short and long term remains uncertain. Some experts say businesses might even want to fall back onto “classic” cybersecurity skills. Founder and CEO of Hack The Box, Haris Pylarinos predicts: “I expect to see a growing demand for retro cybersecurity skills, as businesses revert to old, cheaper ways of working while cybercriminals use modern skills to hack into legacy technology,” anticipating the best ways that business can outdo hackers this year.
It will be crucial for companies to get the right type of cyber insurance and make phishing and other types of cyber attack tests for employees as ritualistic as fire drills. Future strategy is also about building a supportive and security-first environment; using AI for threat intelligence or for enhanced risk assessments; implementing extended detection and response (xdr); considering a healthy zero trust architecture (which saved some companies an average of US$1 million in average breach costs); and exploring more paths that can contribute to lower data breach costs and shorter identification times.
If you own a small UK business, there are still lots of affordable ways to protect your company, the NCSC has a sound online resource you can utilise. That being said, there is a four million shortage of cyber-professionals, so there is definitely room for those who are up for the challenge of outsmarting cybercriminals beyond 2024.
There are a few simple steps you can take to ensure you’ve got the basics covered when it comes to protecting yourself or your place of work from cybercrime. As well as staying aware of the latest data breaches and crimes in the UK and further afield, here are some more tips to consider:
Keep your guard up against phishing links and leads on email, text or via any manner of communication for that matter. Note that unsolicited emails may be designed to look like your bank or a reputable industry/service like the NHS or Post Office in the UK. Check authenticity by analysing the domain name (the text after @ symbol) matches the website before clicking any links or opening attachments.
If you do still want to open an attachment from an email like this, which isn’t recommended, scan it with anti-virus first. Bear in mind that even what might appear as a seemingly harmless PDF file can be an app in disguise and install nasty malware on your computer or phone. Also note that your bank will be able to let you know how to recognise a legitimate email or other type of communication from them so confirm directly before getting caught out.
Especially when using public wifi or when connecting to a sensitive website such as your bank or pension provider. There are even some reputable free VPNs that can protect you without breaking the bank.
Update passwords regularly and make them complex. Cybersecurity experts at McAfee suggest updating all passwords at least every three months to reduce the chances of hacking.
Keeping your apps and software up to date on your laptop, mobile phone, and other devices will minimise the risk of hackers finding faults in your system to easily access files or mess about with any online security settings.
Keeping settings private. If you typically use your pet(s)’ name(s) as the answer to basic security questions online, keep it under wraps or reconsider. If you have kids, ensure they are aware of how to stay safe online too and make sure they feel confident in talking to you if they come across or are subjected to any form of harassment or cyberbullying.
Generally speaking, it’s better to be safe than sorry. Some banks don’t reimburse money lost if you have given your data away so it’s important you can spot the signs and avoid cybercrime and all costs.
