Spooky Statistics: UK Regions Where Businesses are Most Impacted by Cybercrime
Table Of Contents:
- 1) How Much Did Businesses Lose to Cybercrime in Total?
- 2) Where Did Businesses Report the Most Cybercrimes?
- 3) Cybercrime: A High-Stakes Game of Chance
- 4) Incident Reporting and Regulatory Compliance
- 5) Using ISO 27001 to Prevent Cyber Incidents and Align with NIS 2
- 6) BOO-st Your Information Security Posture Today
Cybercrime presents a growing threat for both businesses and individuals across the globe as threat actors attempt to gain access to sensitive data or finances by almost any means necessary. In the UK, data from Action Fraud shows that businesses reported over 1,600 cybercrimes – not including fraud – between January and September 2024.
In the spirit of Halloween and spooky statistics, we look at the regions with the spine-chillingly highest number of cybercrime reports by organisations in 2024 and how to defend your business against cyber incidents.
How Much Did Businesses Lose to Cybercrime in Total?
Action Fraud data revealed that organisations reported a total of 1,613 cybercrimes and losses of £932,200 between January and September 2024.
| Month | Cyber Crime Reports | Cyber Crime Reported Losses |
| January 2024 | 196 | £423,500 |
| February 2024 | 200 | £89,000 |
| March 2024 | 191 | £2,200 |
| April 2024 | 179 | £24,000 |
| May 2024 | 173 | £120,400 |
| June 2024 | 206 | £5,800 |
| July 2024 | 182 | £63,000 |
| August 2024 | 149 | £190,000 |
| September 2024 | 137 | £14,300 |
| Total | 1613 | £932,200 |
January 2024 was the worst month for financial losses at £423,500, making up 45% of the total economic losses throughout the nine months recorded. The highest number of cybercrimes was recorded in June, with 206 reports and £5,800 in reported losses. Meanwhile, the fewest cybercrime reports were made in September, with 137 reports and £14,300 in reported losses.
Where Did Businesses Report the Most Cybercrimes?
This data is recorded by the police force rather than regionally. Perhaps unsurprisingly, the London Metropolitan Police received the highest number of cybercrime reports from organisations, with 325 reports made between January and September and a total of £69,100 in financial losses. The rest of the top five spots were claimed by Greater Manchester (97 reports), Thames Valley (82 reports), West Yorkshire (54 reports) and West Midlands (47 reports).
| Rank | Police Force | Number of Reports | Reported Financial Losses |
| 1 | Metropolitan | 325 | £69,100 |
| 2 | Greater Manchester | 97 | £891 |
| 3 | Thames Valley | 82 | £400 |
| 4 | West Yorkshire | 54 | £50,000 |
| 5 | West Midlands | 47 | £565 |
The data demonstrates that a high number of reports doesn’t always lead to higher financial losses. While Greater Manchester ranked second, organisations lost only £891 over the last nine months, and Thames Valley businesses lost £400 to 82 incidents.
Cybercrime: A High-Stakes Game of Chance
When ranking regions in order of reported financial losses instead of the number of reports, we again see that the number of cybercrimes doesn’t necessarily increase the amount of economic losses by businesses:
| Rank | Police Force | Number of Reports | Reported Financial Losses |
| 1 | Surrey | 31 | £442,000 |
| 2 | Unknown | 101 | £109,200 |
| 3 | Hampshire | 46 | £105,000 |
| 4 | City of London | 35 | £98,700 |
| 5 | Metropolitan | 325 | £69,100 |
Organisations in Surrey logged just 31 reports in nine months but a staggering £442,000 in financial losses – nearly half (47%) of the total financial losses to cybercrime reported by businesses in 2024. From the previous list of police forces with the highest number of reports, only London Metropolitan is on this list, ranking fifth with 325 reports and £69,100 in losses.
The lack of correlation between the number of reports made to a police force and the financial losses reported demonstrates the indiscriminate nature of cybercrime. Just one cleverly executed attack could see a business lose thousands or even hundreds of thousands of pounds. The mean financial loss per reported cybercrime in Surrey in 2024 stands at £14,258, compared to London Metropolitan’s mean of £213, despite Metropolitan having more than ten times as many reported cybercrimes.
Incident Reporting and Regulatory Compliance
The Action Fraud statistics only represent reported data. Many cybercrimes are likely not being reported as businesses attempt to manage incidents without police intervention and reduce the impact on their insurance and reputation.
A 2021 study by Van de Weijer et al. showed 529 participants three vignettes about fictional cybercrime incidents and asked how they would react in this situation. The study states that “the large majority of SME-owners said that they would report the incidents from the vignettes to the police, but after actual victimisation, only 14.1 per cent of the cybercrimes were reported to the police.”
Reporting cybercrimes is now a requirement for organisations operating in the European Union under the newly updated Network and Information Security (NIS 2) Directive, which came into force this month. Organisations found to be non-compliant, including those that do not report cyber incidents, face potential financial penalties or even exclusion from doing business in a territory. Reporting cyber incidents will also be a requirement under the European Cyber Resilience Act when it enters into force.
Luckily, the internationally recognised information security standard ISO 27001 can provide a framework for NIS 2 compliance and help you defend your business against cyber threats.
Using ISO 27001 to Prevent Cyber Incidents and Align with NIS 2
ISO 27001 certification helps businesses improve their security posture and effectively reduce the risk of cyber incidents. To achieve ISO 27001 certification, an organisation must build, maintain and continually improve an ISO 27001-compliant information security management system (ISMS) and successfully complete an external audit undertaken by an accredited auditing body.
An ISO 27001-certified ISMS can improve your organisation’s information security defences and comply with NIS 2 in the following ways:
Risk Management
Risk management and treatment are requirements of ISO 27001 clause 6.1, actions to address risks and opportunities, and NIS 2 article 21. Your organisation should identify the risks associated with each information asset within the scope of your ISMS and select the appropriate risk treatment for each risk—treat, transfer, tolerate, or terminate.
ISO 27001 Annex A outlines the 93 controls your organisation must consider in the risk management process. In your Statement of Applicability (SoA), you must justify the decision to apply or not apply a control. This thorough approach to risk management and treatment enables your organisation to identify, treat, and mitigate risks throughout their lifecycle, reducing the likelihood of an incident and reducing the impact should an incident occur.
Incident Response
Your organisation should implement incident management processes and incident logs aligned with ISO 27001 Annex A.5.24, A.5.25, and A.5.26, which focus on information security incident management planning, preparation, decisions, and responses. An incident management procedure and response log are also required by NIS 2 Article 21. This ensures your organisation has a process to manage and minimise the impact of any incidents.
Employee Training and Awareness
Fostering a culture of information security awareness is a critical component of ISO 27001 and is equally essential to NIS 2 compliance, which is required by ISO 27001 Annex A.6.3, information security awareness, education, and training, and NIS 2 Article 21. Implementing a training and awareness plan enables you to educate employees about cyber risks. Ensuring employees know the importance of strong passwords in line with your ISO 27001 password policy is also crucial.
Threat actors often exploit human error in their attempts to access sensitive information, even persuading employees to make financial transactions via phishing emails or sophisticated AI-powered deepfakes. Of the 1,613 cybercrimes reported to Action Fraud by UK businesses this year, 919 (56%) were logged under the social media and email hacking code. Having a training and awareness plan in place and educating employees is vital to reduce the risk of these incidents.
BOO-st Your Information Security Posture Today
With new cyber regulations like the Cyber Resilience Act and the Digital Operational Resilience Act (DORA) on the horizon, now is the time to get ahead. Book your demo to learn how to mitigate risk, bolster your reputation, navigate the complex regulatory landscape, and achieve ISO 27001 compliance using ISMS.online. You can also discover practical guidance for mastering NIS 2 compliance using ISO 27001 in our webinar with experts from A-LIGN, Cybercontrols.io and ISMS.online.
