The Cyber Security Breaches Survey is a quantitative and qualitative survey of UK businesses and, for the first time in this 2018 release, charities.

The quantitative survey was carried out in winter 2017 and the qualitative survey in early 2018.

It helps these organisations to understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the Government to shape future policy in this area

The full report can be downloaded from the GOV.UK website.

Here are a few of the highlights.

Over four in ten businesses (43%) and two in ten charities (19%) experienced a cyber security breach or attack in the last12 months.

Three-quarters of businesses (74%) and over half of all charities (53%) say that cyber security is a high priority for their organisation’s senior management.

Under three in ten businesses (27%, versus 33% in the previous 2017 survey), and two in ten charities (21%) have a formal cyber security policy or


Main findings

The overwhelming majority of businesses and charities are reliant on online services, which exposes them to cyber security risks. Virtually all UK businesses (98%) and charities (93%) represented in the survey rely on some  form of digital communication or services, such as staff email addresses, websites, online banking and the ability for customers to shop online. More businesses had websites or social media pages in the 2017 survey than in 2016. The 2018 figures are similar to 2017, and therefore also higher than in 2016.

Charities are exposed to furtheronline risks. Around three in ten enable people to donate online (31%) and just under three in ten allow beneficiaries to access  their services online (27%). This is especially true of larger charities (53% of charities with an income of £500,000 or more let people donate online, and 49% enable beneficiaries to access services online).

Breaches impact on organisations in various ways. Where breaches have resulted in lost assets or data, the financial consequences have been especially significant.

Of all the organisations that experienced breaches or attacks, over half (53%) of the businesses and six in ten (59%) of the charities report being impacted by these. These impacts most commonly included needing new measures against future attacks (36% of businesses and 38% of charities), extra staff time required to deal with the breach (32% and 26%), and staff being stopped from carrying out day-to-day work (27% and 24%).

Typically, organisations incur no specific financial cost from cyber security breaches. This is reflective of the fact that most breaches or attacks do not have any material outcome (a loss of assets or data), so do not always need a response. However, where breaches do result in such a material outcome, the costs can be significant.

The average (mean) cost of breaches with such outcomes is £3,100 for businesses and £1,030 for charities. This is much higher for medium businesses (£16,100) and large businesses (£22,300). Moreover, the estimated total cost of breaches has consistently increased for medium businesses specifically, even when including breaches that do not result in lost assets or data (from £1,860 in the 2016 survey and £3,070 in the 2017 survey, to £8,180 in 2018).