In today’s hyper-connected landscape, cyber-attacks are no longer just a technical or compliance issue — they are a material business risk, capable of inflicting serious financial damage across sectors. The UK Government’s recent summary of independent research — particularly the section on “sector-specific costings” — shines a stark light on just how big the stakes are.
A Snapshot of the Business Landscape
According to the report, around 43% of UK businesses reported experiencing a cyber-security breach or attack — equating to more than 600,000 organisations. This high prevalence, combined with the magnitude of potential losses, raises the urgency for businesses to treat cybersecurity as a strategic priority — not just an IT issue.
Sector-Specific Costings: What the Numbers Tell Us
The research estimates the average cost of a “significant cyber-attack” (defined in the modelling as an incident costing at least £500 and causing tangible business impact). The results are broken down by sector and by firm size (turnover bands), offering a richer view of risk exposure.
| Sector | Micro (≤ £0.65 m) | Small (£0.65m-£6.5m) | Medium (£6.5m-£65m) | Large (> £65m) | Average across all firms |
|---|---|---|---|---|---|
| Utilities | £ 93,665 | £ 137,687 | £ 124,245 | £ 436,443 | £ 210,837 |
| Construction | £ 39,540 | £ 58,926 | £ 53,173 | £ 149,340 | £ 46,695 |
| Manufacturing | £ 203,071 | £ 293,337 | £ 264,699 | £ 846,619 | £ 330,406 |
| Trade | £ 161,644 | £ 233,603 | £ 210,797 | £ 591,913 | £ 224,280 |
| Retail | £ 206,264 | £ 306,183 | £ 276,290 | £ 919,026 | £ 250,457 |
| Transportation | £ 215,176 | £ 326,481 | £ 294,607 | £ 951,442 | £ 261,070 |
| Information | £ 240,843 | £ 364,709 | £ 329,103 | £ 1,101,588 | £ 336,773 |
| Financial | £ 203,811 | £ 304,920 | £ 275,151 | £ 908,294 | £ 309,181 |
| Real Estate | £ 81,227 | £ 122,551 | £ 110,586 | £ 374,666 | £ 92,683 |
| Professional | £ 240,453 | £ 363,889 | £ 328,363 | £ 968,187 | £ 271,683 |
| Management | £ 225,566 | £ 281,715 | £ 254,211 | £ 681,067 | £ 333,943 |
Note: Firm size bands: Micro = turnover ≤ £0.65m; Small = £0.65m–£6.5m; Medium = £6.5m–£65m; Large > £65m.
Table 2: Average Cost by Type of Cyber-Attack
| Type of Attack | Average Cost (£, 2024 prices) |
|---|---|
| Accidental disclosure | £ 43,546 |
| Denial of Service (DoS) | £ 97,560 |
| Insider misuse | £ 89,817 |
| Physical threat | £ 62,083 |
| Ransomware | £ 210,128 |
| Scam or fraud | £ 2,564,422 |
| System failure | £ 1,170,714 |
| System intrusion | £ 236,818 |
What the Figures Mean
- Average costs by sector: For example, the “Information” sector faces an average of ~£336,773 for a significant attack, while “Financial” faces ~£309,181.
- Size-band variation: Larger firms face much higher average losses (e.g., manufacturing: micro ~£203k; large ~£847k).
- Lower-cost sectors: Some sectors such as Real Estate (~£92,683 average) and Construction (~£46,695) show much lower average losses — though risk remains material.
- Tail risk matters: The modelling emphasises the cost distribution is heavily skewed, with “worst‐case” outcomes many times higher than the average.
Implications for Organisations
For ICCSO members and organisations alike, these findings translate into concrete strategic insights:
- Risk-calibration by sector and size: The risk profile for a small construction firm differs significantly from that of a large financial institution.
- Tail risk awareness: Average costs provide a useful baseline, but organisations must plan for extreme losses, not just the median scenario.
- Sector-wide vigilance: Even sectors with lower average losses must remain proactive; a “lower-cost” sector does not equal “no risk”.
- Invest in resilience: For sectors such as Information and Financial, six-figure average losses reinforce the business case for robust cybersecurity programmes.
- Tailored control frameworks: Risk value differs by sector and size, so one-size-fits-all approaches are unlikely to be optimal.
ICCSO’s Call to Action
At ICCSO, we believe these findings should galvanise the cybersecurity community—especially boards and leadership teams—to treat cyber risk as a strategic business risk, not an IT issue alone. We recommend the following actions:
- Boards should challenge: “What is our sector-specific exposure? Are we benchmarking against these figures?”
- Cybersecurity teams should run scenario modelling aligned with their sector and size, and present potential losses and mitigation plans to senior leadership.
- Organisations should perform stress-testing of cyber-incident response plans—can they withstand not only average events but extreme, high-impact incidents?
- Sector collaboration is vital. Share incident data, near-misses, threat intelligence. This collective knowledge reduces the overall cost curve for UK organisations.
Final Thoughts
The UK Government’s modelling offers one of the most detailed publicly available insights into cyber‐attack cost by sector and size. While averages in the ~£300k range may not make headlines daily, they represent meaningful amounts in most organisations’ budgets and risk frameworks. More importantly: the outliers—the tail events—can cause losses ten or a hundred times greater.
For both large enterprises and smaller firms, the clear message is: treat cyber risk as core business risk, invest accordingly, plan for the worst-case, and build resilience. As we in ICCSO always emphasise: prevention is essential, but preparation matters even more when a major incident strikes.
ICCSO gratefully recognises the original authors of the research for making this data publicly available.


