The number of cyber security breaches is down – but is it too soon to celebrate?

New figures from the Department for Digital, Culture, Media and Sport reveal that the number of businesses reporting breaches and cyber attacks has fallen. This is in line with a similar trend seen by the general public in the Crime Survey for England and Wales. [2]

The number of businesses experiencing an attack in the last year, 32 per cent, is lower than at the same time in 2018 when it was 43 per cent and in 2017 when it was 46 per cent.

But before you start to breathe a sigh of relief, it’s important to look at some of the report’s other findings. The average number of breaches that have been attacks is up from four to six. The average cost of an attack has increased too and now stands at over £4,000, £1,000 up on 2018’s report.

The reason for the lower number of breaches, says the report, could be that organisations are becoming more secure. Many have improved their defences against cyber attacks. Another factor could be the introduction of GDPR in May 2018. This has undoubtedly raised awareness, but it may also have changed the perception as to what constitutes a breach. It may also have made some organisations less willing to report minor issues for fear of incurring a heavy penalty. The average fine handed down by the ICO for data breaches doubled last year to more than £140,000 [3]. But businesses also need to consider the longer term damage to their reputation and the potential loss of customers that could result from a high profile breach.

Greater attack sophistication

It could also be the case that cybercriminals are making more sophisticated attacks. Some experts believe [3] that hackers are carrying out more in-depth research into possible targets, probing their systems to assess the chance of an attack succeeding, before they strike. This could account for the reduced numbers of attacks, but make those that are driven through far more devastating in their impact.

If businesses fail to detect initial suspicious activity on their networks, then attackers can be reasonably confident in making follow-up attacks.

From the business perspective, this puts additional pressure on organisations to defend against network attacks. It also pushes up the cost of investigating incidents. An investigation may be required to determine whether or not an attempted breach needs to be reported, further increasing stress on security teams.

Unintended consequences

GDPR has certainly had an effect on the way in which businesses treat the threat of cyber attacks. But the DDCMS report highlights that there have been some unintended consequences to the legislation. Many businesses have set their security policy in terms of avoiding breaches of personal data. But this narrowing of focus could risk preparedness for other types of attack.

Cyber security is still under-represented at board level too. The report shows that only just over a third of companies have a board member specifically responsible for cyber security and this figure is even lower in the charity sector. Supply chain safety is also an issue, with only 18 per cent of companies requiring their suppliers to conform to a set of cyber security standards. In many cases, this is because they hadn’t considered it a threat, but with increasing levels of digital integration, it becomes an area that must be addressed.

Although on the surface it appears to be good news that attack numbers are down, it’s vital that businesses don’t rest on their laurels, they must continue to take cyber security seriously.


What can you do?

The simple answer is not to get complacent, if you want to know what steps are necessary to have a more secure business IT infrastructure then give Cloudworks a call: 0115 824 8244 or email us at