One in five businesses have been victims of cyber attack in the last year

Person on laptop entering security details
  • A fifth of businesses have been victims of cyber attacks in the past year
  • Businesses are 67% more likely to have experienced a cyber incident than a physical theft 
  • Average claim for cyber attack – which can include ransomware, malware, and phishing*– is £21,000
  • Despite the increasing cyber threat, one in five businesses do not know what to do in the event of an attack

Aviva research reveals that one in five UK businesses have experienced a cyber attack or incident, with nearly one in 10 (9%) small businesses experiencing this in the last year. This number rises to 35% of large corporate businesses, showing the increasing risk that cyber presents.

Research found that businesses are 67% more likely to have experienced a cyber incident than a physical theft and almost five times as likely to have experienced a cyber attack as a fire.

With criminals often looking for opportunities in the run-up to Christmas and cyber swiftly becoming an increasing risk for both consumers and businesses alike, the research found that businesses are 67% more likely to have experienced a cyber incident than a physical theft and almost five times as likely to have experienced a cyber attack as a fire.

When looking at the repercussions of a cyber attack or incident, almost a third (31%) experienced operational disruption, with a further fifth (21%) experiencing data loss and system lockdowns. Such interruptions led to businesses claiming an average of £21,000 per incident according to Aviva data, although costs can run into the tens or even hundreds of millions of pounds.

While around half of UK businesses express confidence in handling a cyber incident or attack, one in five (20%) admit to not being confident in knowing what to do should this happen, a figure that rises to more than a quarter (27%) of small businesses, who appear to be the most vulnerable to such a risk. Not only does this increase the risk of further damage, it means that businesses also risk being non-compliant with data protection laws. Depending on the seriousness of the incident, businesses may be required to alert the ICO within 72 hours and sometimes also notify impacted individuals. Failure to do so can result in serious consequences, including fines of up to £8.7 million or two per cent of a business’ global turnover (whichever is higher).**

Despite the high frequency of cyber incidents experienced by businesses, Aviva’s research reveals a significant gap in cyber insurance coverage, most notably among small businesses – less than one in five of whom (17%) have a cyber insurance policy – and the same proportion (17%) say they are unaware that cyber insurance exists.

Commenting on the research, Stephen Ridley, Head of Cyber, Aviva, said: “It’s important to recognise that businesses of all shapes, sizes and sectors are at constant risk of a cyber attack – particularly at this time of year, with phishing emails often increasing around Black Friday and Christmas. The nature of such a threat means that cyber criminals are evolving their tactics, looking for the opportunity as opposed to setting their sights on large corporates alone.

Many businesses do not have cyber cover, leaving them exposed to high, unforeseen costs and significant business disruption which could amount to tens of thousands of pounds.

“Though our research shows that one in three (31%) businesses see cyber as the biggest risk to their businesses, it’s worrying to see that many businesses do not know how to protect themselves from this emerging threat. Many businesses do not have cyber cover, leaving them exposed to high, unforeseen costs and significant business disruption which could amount to tens of thousands of pounds.

“If the chance arises, there’s a risk that cyber criminals will act and so it’s key to have both preventative measures and protection in place. Although businesses are more likely to purchase cyber cover after experiencing an attack, more and more affordable products are becoming available on the market from as little as £50 a year, like Aviva’s Cyber Respond. These could be a valuable lifeline to small businesses in particular, should the worst happen.”

Detective Superintendent Ian Kirby, CEO of the National Cyber Resilience Centre Group (NCRCG), said: “Cybercrime is something that can impact on any organisation, whatever its size or wherever it is in the country. It is essential that all businesses across the UK economy therefore have robust cyber practices in place, so that they are in the best position to protect themselves from cyber criminals.

One of the reasons why we are pleased that companies like Aviva have become National Ambassadors for NCRCG is that they recognise the risk of cybercrime, not just to themselves, but to all those in their supply chain, and are taking up the mantle in addressing this risk.

“In the event of a live cyber attack, any business should immediately report it to Action Fraud who will direct them to the relevant law enforcement agency for investigation as appropriate. Importantly, however, I would also encourage small and medium-sized businesses to contact their regional, police-led Cyber Resilience Centre who will be able to offer free, high-quality support on the steps they can take to strengthen their cyber resilience for the future.

“One of the reasons why we are pleased that companies like Aviva have become National Ambassadors for NCRCG is that they recognise the risk of cybercrime, not just to themselves, but to all those in their supply chain, and are taking up the mantle in addressing this risk.”

Aviva’s cyber products are designed to help protect small and medium sized businesses against cyber-related attacks. Aviva recently launched Cyber Respond, a new cyber insurance policy targeted at micro-SMEs, which focuses on breach response services and starts from as little as £50 for a year’s cover. This policy sits alongside Aviva’s standard Cyber Complete policy aimed at businesses with a turnover of up to £500m with more complex digital operations.  

Aviva’s cyber products include access to a team of dedicated cyber experts who can help with the impact of an incident, including the ‘golden hour’, the first 60 minutes following a cyber attack. Effective action within this period can dramatically reduce the impact of the event. A 24/7 telephone line is also available, meaning help is available at the end of a phone to help businesses identify what the issue is and how to recover from the incident. If further help is needed, the policy provides cover for specialist IT forensics experts to resolve the event and get the business back up and running. Other benefits of Aviva Cyber Respond include an identity fraud monitoring service, 12 months of credit monitoring services and reputation management services to minimise adverse publicity following a loss. The policy also provides a telephone-based counselling service to help small business owners who may be struggling with their mental health in the wake of a cyber event.

-Ends-

Enquiries

Erik Nelson

Motor Insurance and Compensation Culture, Fraud and Data

Claire Jermany

General Insurance⁠ — Commercial Lines, Community, Heritage

Amy Penn

General Insurance

References

The research was carried out by YouGov on behalf of Aviva. YouGov surveyed more than 1,200 UK senior business leaders from small, mid-market and corporate businesses (as defined by their annual revenue), from nine industries: professional & business services; manufacturing & industry; construction & real estate; arts, entertainment & leisure; technology & electronic; retail & wholesale; motor trade; charities; and the public sector. Fieldwork was conducted between 15th September and 8th October 2023.

*National Cyber Resilience Centre Group defines the following cyber attacks as:

  • Ransomware: A type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption. Further information: A guide to ransomware, National Cyber Security Centre
  • Malware: Derived from 'malicious software', malware is any kind of software that can damage computer systems, networks or devices. Includes viruses, ransomware and trojans.
  • Phishing: Scam emails or text messages that contain links to websites which may contain malware, or may trick users into revealing sensitive information (such as passwords) or transferring money.

**Personal data breaches, Information Commissioner's Office

Notes to editors:

  • We are the UK’s leading Insurance, Wealth & Retirement business and we operate in the UK, Ireland and Canada. We also have international investments in India and China.
  • We help our 18.7 million customers make the most out of life, plan for the future, and have the confidence that if things go wrong we’ll be there to put it right.
  • We have been taking care of people for more than 325 years, in line with our purpose of being ‘with you today, for a better tomorrow’. In 2022, we paid £23.2 billion in claims and benefits to our customers. 
  • In 2021, we announced our ambition to become Net Zero by 2040, the first major insurance company in the world to do so. We are aiming to have a cut of 25% in the carbon intensity of our investments by 2025 and of 60% by 2030; and Net Zero carbon emissions from our own operations and supply chain by 2030. While we are working towards our sustainability ambitions, we acknowledge that we have relationships with businesses and existing assets that may be associated with significant emissions. Find out more about our climate goals at www.aviva.com/climate-goals and our sustainability ambition and action at www.aviva.com/sustainability
  • Aviva is a Living Wage, Living Pension and Living Hours employer and provides market-leading benefits for our people, including flexible working, paid carers leave and equal parental leave. Find out more at https://www.aviva.com/about-us/our-people/
  • As at 30 June 2023, total Group assets under management at Aviva Group were £358 billion and our estimated Solvency II shareholder capital surplus as at 30 September 2023 was £7.6 billion. Our shares are listed on the London Stock Exchange and we are a member of the FTSE 100 index.
  • For more details on what we do, our business and how we help our customers, visit www.aviva.com/about-us
  • The Aviva newsroom at www.aviva.com/newsroom includes links to our spokespeople images, podcasts, research reports and our news release archive. Sign up to get the latest news from Aviva by email.
  • You can follow us on:
  • For the latest corporate films from around our business, subscribe to our YouTube channel: www.youtube.com/user/aviva

      More from our Newsroom