70 percent of companies in the UK have fallen victim to a cyberattack
at least once in the past two years. This is according to the "Cyber
Security Report UK 2024/25" by security firm Horizon3.ai.
For the report, a sample of 100 UK-based companies was surveyed.
According to the findings, 53 percent of companies reported a specific
incident of damage. 16 percent detected a hacker attack but claimed to have
successfully defended against it. 23 percent of the companies contacted by
Horizon3.ai were unsure whether they had been the victim of a cyberattack
in the past 24 months. Only 8 percent of companies stated, "We are
certain that we were not attacked."
Nearly Half
of Companies Targeted by Two or More Cyberattacks
Nearly half of the companies (44 percent) were targeted by a
cyberattack twice or more during the two-year period examined, according to
the "Cyber Security Report UK 2024/2025."
"The true extent of the issue is likely far greater," warns
Keith Poyser, Vice President for EMEA at cybersecurity firm Horizon3.ai,
which conducted the study, pointing to the near quarter of respondents
unaware of any cyberattacks. He continues, "With almost 20,000 new
vulnerabilities in software identified by the European Union Agency for
Cybersecurity (ENISA) in just one year, alongside the increasing complexity
of IT and network environments, many organisations have lost sight of how
vulnerable they truly are and how frequently they are targeted. There are
numerous instances where attackers have silently infiltrated corporate
networks for months, extracting sensitive data without being detected. It's
only when an attack disrupts operations or a ransom demand appears that
many companies become aware of the breach."
Downtime,
Financial Losses, Legal Consequences, and Data Theft
According to the "Cyber Security Report DACH 2024/2025," 62
percent of the surveyed organisations experienced downtime due to a
cyberattack over the two-year period examined. 42 percent (multiple answers
were allowed) suffered financial losses as a result. 15 percent faced legal
consequences, while data theft occurred in 35 percent of cases. Alarmingly,
54 percent of companies received a ransom demand to recover data encrypted
by hackers.
Cybersecurity expert Keith Poyser is concerned: "Many executives,
CEOs, and IT leaders seem unaware of the potential damage that cyberattacks
can cause to their organisations. The consequences can escalate
exponentially, negatively impacting every part of the organisation. Both
the financial losses and the resources required for recovery can inflict
significant harm. UK companies working with EU partners must also be aware
that they are subject to European regulations like NIS2 and risk
operational disruptions if they fail to meet cybersecurity compliance
standards."
Key
Executives' Lack of Understanding of Risks and Their Personal and Corporate
Impact
The participants selected for the survey predominantly hold responsible
positions within their companies: IT team leaders (21 percent), Chief
Information Security Officers (18 percent), Chief Technology Officers (14
percent), Chief Information Officers, and IT Managers (12 percent each). "According
to the survey, more than half of the executives who would be personally
affected in the event of a cyber incident do not believe they could be held
liable for potential damage," says Keith Poyser, highlighting the lack
of understanding among key executives about the risks and their potential
personal and corporate impact.
The cybersecurity expert warns: "Organisations must urgently step
up their efforts on cybersecurity. With artificial intelligence driving
increasingly rapid and aggressive cyberattacks, and the growing use of
remote work and the increase of Internet of Things (IoT) devices being connected
to corporate networks, the opportunities for threat actors are expanding.
The gap between the growing threats and the level of protection
organisations have in place is widening at an alarming rate."
Keith Poyser advises organisations to "conduct penetration tests
frequently to continuously assess their cyber resilience." A
penetration test involves a company-commissioned simulated attack to
identify security vulnerabilities. In the financial sector, the European
banking regulator regularly conducts penetration tests, known as "stress
tests," to assess financial institutions' ability to defend against
cyberattacks. "I recommend that every board member, CEO, and IT leader
across all industries subject their company to such a rigorous test," says
the Vice President for EMEA at Horizon3.ai, whose company operates
NodeZero, a platform aimed at making these penetration tests accessible and
affordable for mid-sized organisations.