The changing face of cyber: Five years of cyber research

Cyber attacks remain a threat that is constantly evolving and therefore challenging to mitigate. The minute a pattern is believed to be discovered, the following year attackers’ tactics evolve and change.

While over the last 5 years the percentage of companies that were attacked has oscillated between 43% and a high of 61%, the overriding conclusion is that cyber attacks are the most prevalent threat that UK businesses face. This is a sentiment that the head of the Government Communication Headquarters (external link) (GCHQ), Sir Richard Fleming, also holds. In a recent statement, Fleming said that all company boardrooms should make them their top priority going forward.

This becomes all the more prevalent when we learn that cyber attacks are no longer discriminatory against the size of a business. Today, companies that earn $100,000 to $500,000 are experiencing as many cyber attacks as those that earn $1m to $9m in annual profits. More than anything, this illustrates the importance of thorough and effective cyber prevention, whether a business is a large market enterprise or an SME.

Many believe that these changes and the heightened risk of attack have come hand-in-hand with the recent shift brought about by the COVID-19 pandemic. Indeed, 36% of businesses in the last year blamed their risk of exposure on the greater number of employees working remotely. As an example, our reports illustrated that ransomware incidents have increased from 17% to 19% between 2018 and 2022. This type of cyber tech is often spread through phishing emails and harmful malware, which are much harder to monitor among a remote working team.

Interestingly, however, when looking at the sectors targeted, this has remained quite consistent. The last three Cyber Readiness reports (2019-22) have seen both the Financial Services and TMT (Technology, Media, and Telecom) industries in the top spots for reporting at least one cyber attack. Meanwhile, the Energy sector has appeared in a top-three spot for the last two years.

Though the number of attacks themselves may be fluctuating, the costs seem to only be rising. Whether that be costs to recover and repair after an attack or to invest in preventative measures, it all takes fragments out of net profits. The median cost of cyber attacks within a year has increased from $10,000 in 2018-19 to $16,950 in 2021-22. Furthermore, the period of 2019-20 marked a record high for the cost of cyber attacks, with the highest reported single cost sitting at $67,050. This came despite only 39% of businesses experiencing a cyber incident in that same period.

Of course, with these rising costs comes the need to be prepared. As the years have passed in a cyber-filled blur, an increasing number of companies are setting larger proportions of their budgets aside to aid cyber security and protect their assets. This illustrates that businesses of all sizes, across all sectors, are taking the cyber threat more seriously.

The median IT budget for cyber security has increased from $50,000 in 2018-19, to $129,000 in 2021-22. In turn, the percentage of companies’ overall IT budget has increased in line with this, with 23% now dedicated to cyber security, compared to 10% in 2018. However, the number of companies without a dedicated cyber security role still sits at 16%, as it did four years ago.

Nevertheless, with this need for preparedness growing, the need for insurance to protect against attacks is also rising. For example, from 2021 to 2022, 64% of businesses had cyber insurance, compared to just 41% in 2018-19.

The past five years of data effectively illustrates that it’s not just high-value businesses that are at risk anymore. More recently, we’re seeing an increase in SMEs being targeted, meaning having effective processes, policies, insurance, and experts in place shouldn’t just be reserved for enterprise level.

We’re also seeing an increase in the number of cyber threats, potentially due to the higher number of people working from home after the mass adoption of remote and hybrid working. As threats like phishing emails that hide harmful malware and ransomware are more difficult to manage remotely, educating employees on cyber best practice is key to tackling this corner of the issue.

While cyber attacks have fluctuated through the years, we’re seeing their power intensify further, with costs climbing and attackers showing no discrimination between small and large businesses. SMEs now feel that they are just as at risk of attacks now as their larger market siblings, illustrating how much broader the cyber threat has become over the last five years.

The growing level of concern has become evident. Businesses are now more aware of the impact of cyber attacks; with budgets increasing and more companies investing in cyber insurance than ever before. Though this is one explanation, the latter observation could also be down to the lesser prevalence of cyber insurance in 2018 compared to now. However, a lot can be said about this growing prevalence, due to the more pressing need for this type of insurance compared to four years ago.

Interestingly, the number of dedicated cyber security roles has stayed the same across all reports. However, while we can observe that teams aren’t necessarily increasing in number, the budget for those teams certainly is.

On reflection, while cyber attacks have seen some fluctuation, they continue to be on the rise YoY over the last two years. Whatever the cause, and subsequent patterns that may emerge, it will be interesting to see how costs, profits, and budgets align with this growing risk.

If you’re concerned about the growing cyber threat but don’t know where to start, you can use our Cyber Maturity Model. Our helpful tool can help understand your company’s cyber maturity and provide industry-standard insights to help protect your business.