How Much Does Cybercrime Really Cost UK Businesses?
Table Of Contents:
Cybercrime poses an ongoing threat to UK businesses. With many organisations reliant on a digital supply chain and using cloud-based platforms to store their data, opportunities for threat actors to exploit vulnerabilities are growing, and businesses are scrambling to keep up.
In fact, 100% of our global State of Information Security Report respondents – over 1,500 information security professionals – say their organisation has experienced a cybersecurity or information security incident in the last 12 months. On top of any potential financial losses from these incidents, 99% of UK respondents received regulatory fines for a data breach or a violation of data protection rules.
Using data reported to Action Fraud and from our State of Information Security Report, Christie Rae looks at the financial impact of cybercrime on UK* businesses and how organisations can improve their information security defences.
The Top Five Cybercrimes Impacting UK Businesses
Action Fraud lists several different crimes in the cyber-dependent crime category. These are:
- NFIB50A – Computer virus/Malware/Spyware
- NFIB51A – Denial of Service Attack
- NFIB51B – Denial of Service Attack – Extortion
- NFIB52A – Hacking – Server
- NFIB52B – Hacking – Personal
- NFIB52C – Hacking – Social media and email
- NFIB52D – Hacking – PBX/Dial through
- NFIB52E – Hacking – Extortion.
Below are the top five cybercrimes impacting UK organisations.
| Fraud Type (Top 5) | Report Volume | Financial Loss | Average Loss Per Report** |
| NFIB50A – Computer Virus \ Malware \ Spyware | 274 | £908,196 | £3,315 |
| NFIB52C – Hacking – Social Media and Email | 1,944 | £783,704 | £403 |
| NFIB52E – Hacking Extortion | 411 | £401,923 | £978 |
| NFIB52B – Hacking – Personal | 199 | £98,565 | £495 |
| NFIB52A – Hacking – Server | 398 | £0 | £0 |
| Total | 3,226 | £2,192,388 | £680 |
1. NFIB50A – Computer Virus / Malware / Spyware
National Fraud Intelligence Bureau (NFIB) crime description[1]: Crimes should be recorded under this section up until the point where the offender then actually uses the malware. When the offender uses the malware it becomes a deliberate targeting of that computer.
Where malware is used to obtain details to commit fraud or other computer misuse offences then the fraud or computer misuse offences are the principal crime and should be recorded. The malware has been used to enable another offence to be committed and no offence should be recorded under this section if reported at the same time.
Example: Mr A reports to Action Fraud that he has clicked on a link that has downloaded a program. He has run an anti spyware program and been told that the program is a key logger program and has been successfully removed. One crime of unauthorised modification of computer material (class NFIB50A). A week later, he contacts Action Fraud to report that today his online bank account has been unlawfully accessed and £2000 has been stolen from it by changing a standing order to pay his mortgage. One additional crime of Mandate fraud (NFIB5D) should be recorded.
Total report volume: 274
Total financial loss: £908,196
Average loss per report: £3,315
Between January 2023 and June 2024, UK businesses lost over £900,000 to computer viruses, malware, or spyware in only 274 reports – meaning a single malware incident costs businesses over £3,300 on average. Malware was the top reported cybersecurity incident in our State of Information Security Report, with over a third (35%) of organisations experiencing a malware incident in the last 12 months.
2. NFIB52C – Hacking – Social Media and Email
NFIB crime description: This crime includes all forms of individual email accounts and all forms of individual social media, for example X and Facebook. It includes personal accounts as well as companies’ or organisations’ individual accounts. This fraud should not be viewed as limited to desktop or laptop computers. It can include any device using operating software accessible online, for example, game consoles and smartphones.
Total report volume: 1,944
Total financial loss: £783,704
Average loss per report: £403
Social media and email hacking cost businesses over £780,000 in the last 18 months. Our State of Information Security Report found that social engineering was the second most common cybersecurity incident, experienced by 32% of respondents.
3. NFIB52E – Hacking – Extortion
NFIB crime description: This occurs where there is an unwarranted demand with menaces (Blackmail) attached to any computer hacking or threat of computer hacking. The extortion can be in relation to any NFIB class under NFIB52 Computer Hacking.
Example: ABC Ltd report that they have received a demand for £100,000 to be paid, otherwise a copy of the code for their new computer game will be posted on the world wide web. They are extremely concerned, because last week they received a memory stick with part of the code from their server copied on it. One crime computer Hacking (extortion) (class NFIB52E).
Total report volume: 411
Total financial loss: £401,923
Average loss per report: £978
Our Report found that in the last 12 months, 29% of organisations – nearly one in three – have experienced a ransomware attack. Hacking extortion cases have caused over £400,000 in losses by UK businesses in the last 12 months, with £180,000 of these losses made in 2024 despite considerably fewer reports.
4. NFIB52B – Hacking – Personal
NFIB crime description: Unauthorised access to computer material with intent to commit or facilitate commission of further offences. Where the actions of the hacker are only preparatory and no substantive offence has been committed under any other fraud offence, then an offence should be recorded under this section.
Report volume: 199
Financial loss: £98,565
Average loss per report: £495
Organisations have lost nearly £100,000 to personal device hacking, such as a laptop or mobile phone. Robust work device security measures and employee training and awareness are key for combating this type of attack. 35% of organisations said their employees had used personal devices for work purposes without proper security measures in our Report, making this the top cybersecurity mistake made by employees.
5. NFIB52A Hacking – Server
NFIB crime description: For crimes to be recorded under this section the files or services modified must be on the server and not on a computer’s local hard drive.
Example: An employee leaves his desktop computer logged on when he leaves the office. A colleague then gains access to his employment records held on the server and amends some of the details recorded on his file by using the logged on computer. One crime of Hacking-Server (class NFIB52A).
Total report volume: 398
Financial loss: £0
Average loss per report: £0
Organisations made no financial losses to server hacking crimes in the last 18 months. However, this is likely due to the NFIB crime recording rules, which state that “where the unauthorised access has directly enabled the commission of another fraud offence, the principle crime will be the other fraud offence.”
Total Business Financial Losses to Cyber-Dependent Crimes
Between January 2023 and June 2024, businesses reported nearly 3,500 cybercrimes with financial losses of £2,234,788 to Action Fraud. 2,377 of the reports and £1,367,477 of losses were made in the last 12 months.
January 2023 saw the highest financial losses, with 179 reports, £580,734 financial losses and £3,244 estimated average loss per report. June 2023 saw the lowest financial losses, with 191 reports but no financial losses.
| Month | Report Volume | Financial Loss | Average Loss Per Report |
| Jan-23 | 179 | £580,734 | £3,244 |
| Feb-23 | 194 | £196,743 | £1,014 |
| Mar-23 | 216 | £40,862 | £189 |
| Apr-23 | 176 | £30,067 | £170 |
| May-23 | 166 | £18,905 | £113 |
| Jun-23 | 191 | £0 | £0 |
| Jul-23 | 196 | £95,963 | £489 |
| Aug-23 | 208 | £160,237 | £770 |
| Sep-23 | 215 | £254,252 | £1,182 |
| Oct-23 | 214 | £2,956 | £13 |
| Nov-23 | 222 | £74,249 | £334 |
| Dec-23 | 177 | £114,920 | £649 |
| Jan-24 | 196 | £423,500 | £2,160 |
| Feb-24 | 200 | £89,000 | £445 |
| Mar-24 | 191 | £2,200 | £11 |
| Apr-24 | 179 | £24,000 | £134 |
| May-24 | 173 | £120,400 | £695 |
| Jun-24 | 206 | £5,800 | £28 |
| Total | 3,499 | £2,234,788 | £638 |
The table below shows the total number of cyber-dependent crime reports and financial losses reported by businesses and individuals between January 2023 and June 2024. Just 5.7% of reported cyber-dependent crimes were reported by businesses, but they made up 30% of the total financial losses.
| Total Cyber Dependent Crimes Jan 2023-June 2024 | ||
| Date | Report Volume | Financial Loss |
| Jan-23 | 2,176 | £670,752 |
| Feb-23 | 1,972 | £442,071 |
| Mar-23 | 2,517 | £659,304 |
| Apr-23 | 2,267 | £253,575 |
| May-23 | 2,965 | £547,045 |
| Jun-23 | 2,874 | £310,386 |
| Jul-23 | 3,952 | £718,226 |
| Aug-23 | 3,313 | £332,210 |
| Sep-23 | 3,224 | £500,528 |
| Oct-23 | 3,670 | £363,292 |
| Nov-23 | 3,957 | £264,566 |
| Dec-23 | 3,439 | £490,098 |
| Jan-24 | 4,028 | £890,500 |
| Feb-24 | 3,777 | £215,300 |
| Mar-24 | 4,101 | £242,700 |
| Apr-24 | 3,849 | £187,100 |
| May-24 | 4,461 | £257,600 |
| Jun-24 | 4,436 | £219,400 |
| Total | 60,978 | £7,564,652 |
How Much Does the Average UK Business Lose a Year?
Our State of Information Security Report found that 99% of UK businesses have received fines for a data breach or violation of data protection rules in the last 12 months. Respondents revealed the total amount in fines their organisations received:
| Fine amount | Respondent Count |
| Up to £50,000 | 36 |
| £50,001-£100,000 | 101 |
| £101,000-£250,000 | 177 |
| £250,001-£500,000 | 133 |
| £500,001-£1,000,000 | 51 |
| More than £1,000,000, please specify | 0 |
| We have not received a fine for data breach or violation of data protection rules in the last 12 months | 4 |
The average total fine businesses received is £366,475***, while the average financial loss from a single cyber-dependent crime report by organisations to Action Fraud in the same time span (April 2023-March 2024) was £538.37. Organisations could have lost as much as £367,013 from a single incident.
Preventing Cyber Attacks with ISO 27001
The top cyber-dependent crimes reported to Action Fraud show that taking advantage of human error is a key target for threat actors. In response, organisations are focusing on employee information security education. Nearly half (45%) of respondents in our State of Information Security Report say that their organisation has adopted a greater focus on employee education and awareness, and 35% say that learning management platforms have proven to be the most effective method.
Certification to information security standards like ISO 27001 helps businesses take a thorough approach to bolstering their security defences, reducing the risk of cyber incidents. To achieve ISO 27001 certification, businesses must build, maintain and continually improve an ISO 27001-compliant information security management system (ISMS) and successfully complete an external audit.
Risk Management
Continuous information security risk management is a requirement of the ISO 27001 standard clause 6.1, actions to address risks and opportunities. Your organisation should identify the risks associated with each information asset within the scope of your ISMS, and select the appropriate risk treatment for each risk – treat, transfer, tolerate or terminate.
ISO 27001 Annex A outlines the 93 controls your organisation must consider when undertaking risk management, and justification must be given for the decision to apply or not apply a control in your Statement of Applicability (SoA). This thorough approach to risk management and treatment enables your organisation to identify, treat and mitigate risks throughout their lifecycle, reducing the likelihood of an incident and reducing the impact should an incident occur.
Continuous Improvement
The ISO 27001 standard promotes continuous improvement in information security, including ongoing organisation-wide information security awareness. Awareness plays a key role in ISO 27001 compliance; Annex A.6.3 information security and privacy awareness, education and training is one of the standard’s 93 controls. The control ensures employee awareness and fulfilment of their information security responsibilities.
Take a Stand Against Costly Cybercrime
The statistics from Action Fraud and ISMS.online’s State of Information Security Report reveal that cybercrime presents an ongoing and growing challenge for UK businesses. Reports of cyber-dependent crimes are increasing year over year and organisations that fall victim to data breaches or fail to comply with regulatory requirements face significant fines.
Now is the time for businesses to boost their information security efforts.
Improving staff and stakeholder awareness is vital to reduce the risk of incidents caused by human error. Building a robust ISMS that aligns with ISO 27001 requirements will add additional layers of defence. ISO 27001 certification enhances organisational resilience and provides a competitive advantage over businesses that have less focus on their security posture.
–
Data sources:
- ISMS.online State of Information Security 2024 data, research conducted by independent market research firm Censuswide.
- 2023 Action Fraud data from Freedom of Information request FOI2024/00990, City of London Police, received 25/7/2024.
- 2024 Action Fraud data from National Fraud Intelligence Bureau Dashboard, collected 25/7/24.
*This data does not include information from Police Scotland, which is responsible for the gathering and enforcement of fraudulent activity affecting Scottish victims. The data supplied by Action Fraud pertains to fraudulent activity in England, Wales, Northern Ireland and fraudulent activity reported directly to Action Fraud by Scottish organisations and individuals.
**Average loss per report calculated by dividing financial loss by report volume
***Average fine calculated by dividing mean fine by respondent count
[1] https://assets.publishing.service.gov.uk/media/645b7b87479612000fc29318/nfib-fraud-april-2023.pdf
