UK cyber security and cyber crime statistics

Cyber crime is impacting users across the globe. As individuals and businesses increasingly rely on internet-connected devices, malicious attackers continue to take advantage. Now, more than ever, we need to be on high alert. The UK is far from immune to the impacts of cyber crime and is feeling the effects of various threats such as ransomware attacks, data breaches, and online fraud.

In November 2020, the UK government launched a new National Cyber Force (NCF) to tackle the growing problem of cyber crime.

Below, we paint a picture of the UK cyber crime and cyber security landscape with the latest facts and statistics.

UK cyber security and cybercrime statistics

1. More than 80% of UK organizations experienced a successful attack in 2021/2022

The CyberEdge 2022 Cyberthreat Defense Report (CDR) provides a breadth of insight into cyber security in countries all over the world. It found that in the UK, 81.4 percent of organizations had experienced at least one cyber attack in the year prior to the study, compared to 71.1 percent in the previous annual findings. While this sounds high, the UK was far from the worst-hit country with Colombia (93.9 percent), Turkey (93.7 percent), and Spain (91.8 percent) all seeing a higher portion of organizations deal with attacks.

2. Over a 12-month period, ransomware attacks affected 73% of UK organizations

CyberEdge also investigated the rate at which companies were hit with ransomware attacks. Well over half (73 percent) of UK organizations dealt with a ransomware attack, a 15 percent rise on the previous year. This put it just behind South Africa (82 percent), USA (81.6 percent), Singapore (78 percent), and Saudi Arabia (77.6 percent). The hardest hit was China in which nine out of 10 organizations suffered ransomware attacks (89.6 percent) over the 12 months prior to the study.

3. 11.3% of UK IT budgets are spent on security

The average security spend as a percentage of a company’s IT budget ranged from 10.7 percent in France to 15.6 percent in Brazil. UK firms had the fifth-lowest spend at just over 11 percent of their respective IT budgets.

Figure: CyberEdge security budget allocation. Source: CyberEdge

4. UK cybersecurity budgets increasing

UK cybersecurity spending is on the rise, contributing a significant amount to the UK economy. The UK’s cyber security sector contributed around £5.3 billion to the UK economy in 2021, rising by a third on the previous year from £4 billion. This marks the largest increase since reporting began in 2018 (DCMS Annual Cyber Sector Report).

CyberEdge began tracking IT security spend in 2018 and saw budgets rise from 12.1 percent to 12.8 percent between then and 2020. Since then, budgets have stabilized, falling only slightly to 12.7 percent in 2021. However, there was a slight increase in the UK over the last year (from 10.9 percent to 11.3 percent).

5. Around 79% of UK respondents favor security products involving AI and machine learning

One more interesting area CyberEdge studied was how drawn companies are to the use of advanced technologies such as AI and machine learning in security products. It found that 79 percent of British firms had a moderate or strong preference for these types of products versus 82 percent the previous year. The UK was in the bottom four of the pack with Saudi Arabia (98 percent) topping the list and Germany (71.6 percent) taking the bottom spot.

6. 43% of ransomware attacks in the UK were stopped prior to data encryption

The Sophos State of Ransomware Report 2022 delves into ransomware statistics specifically and found that, in the UK, organizations managed to block 43 percent of ransomware attacks before data was encrypted. This was above the average of 35 percent. To put things in perspective, organizations in India stopped just 20 percent of ransomware attacks prior to data encryption. At the other end of the scale, cybercriminals had a 62 percent fail rate in encrypting the data of organizations in Saudi Arabia.

7. 13% of UK organizations ended up paying the ransom

For attacks that were successful, around 13 percent of UK companies went ahead and paid the ransom demanded by cyber criminals. This was well below the global average of 26 percent and far lower than the top payers. In India, 66 percent of organizations paid while in Sweden, the figure was 50 percent, and in the Philippines, 32 percent.

8. The average cost of ransomware attacks in the UK was around $1.08 million

While only a small portion of companies paid the ransom, ransomware attacks can still be very expensive to fix. Indeed, Sophos found that the average cost for UK organizations was $1.08 million. However, this is still a substantial decrease from the $1.96 million reported in 2021. Belgium and Nigeria headed the list with average costs of $3.71 million and $3.43 million respectively. In Turkey, the average cost was just $0.37 million.

Figure: Sophos State of Ransomware 21, remediation costs. Source: Sophos

9. 77% of UK organizations have cyber security insurance

Cyber insurance is a hot topic these days and an increasing number of companies are rolling it into their policies. Some 77 percent of UK organizations have cyber insurance. This places it below the global average of 82 percent. Among those with the highest rate of cyber security insurance are Chile (96 percent), Poland (91 percent), and Sweden (also 91 percent). Cyber insurance cover was less common among organizations in Israel at just 66 percent.

10. 1.6% of spam originates in the UK

A Kaspersky study determined how much spam originates in various regions around the globe. The top offenders were Russia (24.77 percent), Germany (14.12 percent), and the United States (10.46 percent). The UK wasn’t without fault however, and contributed 1.66 percent of the world’s spam (up from 1.04 percent in 2020).

Figure: Kaspersky source of spam by country or region. Source: Kaspersky

11. Around 8% of people tried to open a phishing link in 2021

Another area of the Kaspersky study looks at how many users in a region have attempted to open phishing links in 2021. Brazil had the worst figures in this regard, with 12.39 percent of users trying to open phishing links. However, this was a significant decrease on the 19.94 percent in 2020. The UK saw roughly half of Brazil’s figure at 6.42 percent (down from 2020’s 9.75 percent). Other regions with higher figures included France (12.21 percent) and Portugal (11.40 percent).

12. 1.2% of scam websites have a UK domain

The largest portion of scam websites predictably have .com domains. However, according to Kaspersky’s figures, these only account for 31.55 percent of scam websites. Other popular extensions are .xyz (13.71 percent) and .cn (7.14 percent). The UK extension accounted for 1.20 percent of all scam sites in 2020; no figure is available in the 2021 report, which suggests it has become even more uncommon.

13. The UK is 8th out of 75 for cyber security

Based on a recent Comparitech study, the UK earned a firm top-ten position compared to 74 other countries around the world. We analyzed the cyber health of these regions based on a range of factors including how many users in the country experience different types of cyber attacks and how many attacks originate in each country. The UK did well to rank in eighth place, behind several other European countries. Denmark took the top spot followed by Sweden, Ireland, Norway, Finland, the Netherlands, and Austria.

14. The UK has issued €44 million worth of GDPR fines

The DLA Piper Data Breach Report 2022 offers insight into the General Data Protection Regulation (GDPR) fines that have been issued since the regulation was first introduced in 2018. The United Kingdom has issued €45,350,000 worth of fines during that time. While this is high, Luxembourg has an astonishing total of €746,299,400. Ireland ranked second highest at €226,046,500.

15. The highest individual fines were issued in Luxembourg and Ireland

According to DLA Piper, Luxembourg has issued by far the biggest GDPR fine. This stands at €746 million and is against a US online retailer. The second largest fine is from Ireland, which issued a fine of €225 million against WhatsApp Ireland Limited. This is followed by a €50 million fine against Google in France.

16. Seven GDPR fines have been issued in the UK

While the UK has among the highest fine totals, it has only issued seven fines (that have been made public). This is in stark contrast to Spain where over 200 fines have been issued.

Figure: GDPR Enforcement Tracker 21-22. Source: Enforcement Tracker

17. The average cost of a data breach in 2021 was over $4.5 million

IBM’s Cost of a Data Breach Report 2021 looks at various statistics surrounding data breaches, including company response times and costs incurred. The average cost of a breach for UK firms in 2020 was $3.9 million. However, this rose to $4.67 million in 2021. This was just above the global average of $4.24 million. Regions where companies lost big to breaches included the US ($9.05 million), the Middle East ($6.93 million), and Canada ($5.40 million).

18. Most UK breaches are malicious

IBM investigated the root cause of breaches and found that 53 percent of UK breaches were malicious in nature. 23 percent were caused by system glitches and 25 percent by human error. These patterns were fairly similar across the board with the Middle East seeing the highest portion of malicious attacks (59 percent) and Canada the lowest (42 percent).

19. The average time to identify a UK data breach is 181 days

A key factor in determining the damage caused by a data breach is how long it takes a company to remediate an incident. In the UK, organizations took an average of 181 days to identify the fact that a breach had occurred and a further 75 days to contain the incident. With 256 days for identification and containment, the UK was fifth fastest to respond, behind Germany, Canada, South Africa, and the US.

20. The UK was the third most affected country by stalkerware in Europe

The Kaspersky State of Stalkerware 2021 report examined how often this type of malware affects users in various parts of the globe. The UK had the third-highest number of cases of stalkerware in Europe, with 430 reported incidents. Germany had 1,012 and Italy 611. Elsewhere in the world, Russia was the hardest hit with 7,541 incidents, followed by Brazil (4,807) and the US (2,319).

21. The number of cyber security companies grew 21% in 2020

A study by Atlas VPN found that the UK cyber security industry comprised 1,483 companies in 2020. This was up 21 percent over 2019. In 2017, there were just 846 cyber security companies, meaning the industry has grown 85 percent in three years.

Most firms (840) are considered micro in size, having fewer than 10 employees. 327 are small firms with 10–49 employees, 172 are medium-sized (50–249 employees), and 144 are large (250 or more employees).

The number of UK cyber firms by year.
Source: Atlas VPN

22. The UK cyber security industry employs over 50,000 people

A report by Ipsos MORI tells us that nearly 52,700 people are employed in a cyber security role. This represents an increase of nearly 13 percent compared to 2020. 64 percent of employees work for large organizations (those with 250 employees or more).

23. Total revenue in the UK cyber security industry was over £10 billion

Ipsos MORI also reported on the total revenue of the cyber security industry in the UK. It estimated that organizations took in a total of £10.1 billion in 2021. This represented a 14 percent increase compared to the 2020 figure of £8.9 billion.

24. The average salary for a cyber security job in the UK is in flux

The average salary for a cyber security job in the UK can vary depending on the specific role and location. While CWJobs reported an average of £62,500 based on a sample size of 531 jobs, Glassdoor suggests a slightly lower national average of around £60,000 annually. Specialization within cybersecurity also plays a significant role. Glassdoor shows a range for some common positions:

  • Cyber Security Analyst: £40,000 – £65,000
  • Information Security Analyst: £40,000 – £60,000
  • Penetration Tester: £45,000 – £80,000

25. There were over 400,000 reports of fraud and cybercrime in the UK in 2021

The NFIB Fraud and Cyber Crime Dashboard shows up-to-date data regarding various types of cybercrime. In 2021, there were 445,357 reports. 382,776 of those reports came from individuals and 60,111 from businesses.

26. 2021-2022 losses to fraud and cybercrime in the UK totaled over £3 billion

The NFIB also tracked losses resulting from these reports and found that cybercrime cost £3.1 billion from April 2021 to April 2022.

Figure: NFIB Fraud and Cyber Crime Dashboard. Source: NFIB

27. Online shopping and auctions accounted for a massive number of reports

Of the NFIB reports in 2021, around 86,000 were related to online shopping and auctions. The figure in 2020 was 80,500 (24 percent of all reports). However, losses seemed to be more heavily weighted toward reports to do with cheques, plastic cards, and online bank accounts. In 2021, £275.7 million in losses were associated with 115,162 reports.

28. Those aged 20 to 39 are the largest target for cyber crime

The NFIB even homes in on the age of victims of fraud and cyber crime. The hardest hit seemed to be those in the 20–39 age group. The likelihood of attacks appeared to decrease slightly as age increased. However, there are a lot of factors that could have skewed this data, including the frequency of use of digital technology and the likelihood of victims in certain age groups to report crimes.

29. There were almost 14,000 reports of email and social media hacking in 2021

When we filter out fraud from the data and look at other types of cybercrime, social media and email hacking emerge as a top threat. There were 13,522 such cases in 2021, resulting in £7.8 million in losses, over double that of 2020.

FAQs about UK cyber security and cybercrime

What should I do if my data is breached in the UK?

If your data has been compromised, the first thing to do is change the password for the account involved in the breach. If you believe financial details have been stolen, contact your bank or credit card provider to notify them immediately. If your social media accounts have been hacked, contact your connections to warn them of any dangerous messages the attackers may have sent impersonating you.

How can data breaches be avoided?

There are several steps to prevent your data from being involved in a data breach. For starters, you should choose a strong password consisting of letters, numbers, capital letters, and special characters/symbols. To bolster your account security further, use the following best practices as a guide:

  • Never write down your passwords. Instead, use a password vault.
  • Where available, set up two-factor authentication on your account.
  • Keep an eye on your credit report for any suspicious changes.
  • Consider a service that includes identity theft monitoring.

How do I identify a scam email?

Are you ready for a lesson in spotting fraudulent emails? Look for typos, grammar mistakes, and phony email addresses that don’t match the sender’s name – all clues to an email imposter. Have you ever gotten an email urging you to click a “vital” link before it’s too late? Nearly always, that’ll be a scam, asking for your credentials before digging into your wallet and fleeing with your hard-earned cash!

What is cybercrime, and how does it differ from other types of crime?

Cybercrime is any criminal activity that involves the use of technology, such as the internet or a computer network, to commit a crime. It can include hacking and phishing scams, identity theft, and intellectual property theft. One key difference between cybercrime and other types of crime is that it often crosses international borders due to the global nature of the internet.

What are some common types of cybercrime, and how do they typically work?

Some common types of cybercrime include hacking, data breaches, online fraud, phishing scams, and malware attacks. These can involve stealing sensitive information like passwords or credit card numbers, hijacking computer systems, or spreading ransomware to extort money from victims. Cybercriminals’ methods are becoming more sophisticated all the time, with new and increasingly dangerous threats emerging regularly.

Is cyberbullying a crime in the UK?

Before you start a cyberbullying campaign, know this: in the UK, it’s definitely not a laughing matter! In fact, it could land you in court if your taunts cross the line. So, if you don’t want to end up doing time with your victims (figuratively, we hope), think twice before sending that tweet or text.
