Indirect losses, such as reputation damage or ransoms paid by an insurer, were actually often more costly than the initial incident itself

Three quarters of senior IT leaders report having experienced a serious cyber-attack in the past three years, up from just 60% of respondents in 2021 – a 25% increase overall.

US businesses were slightly more likely to experience a serious cyber-attack (77%) compared to their UK peers (73%), though both markets saw an increase in attacks in 2022.

| Incident type experienced | 2021 | 2022 |
|---|---|---|
| Data exfiltration | 37% | 46% |
| Ransomware/extortion | 30% | 40% |
| Hacktivism/web/social defacement | 32% | 39% |
| Denial of Service/Sabotage | 28% | 39% |
| Fraud | 29% | 38% |
| Cryptojacking | 27% | 33% |
| Other/don’t know/did not experience | 13% | 3% |

Data source: S-RM Cyber Security Insights Report 2022

Jamie Smith, board director at S-RM, said: “Our latest report shows the sheer scale of serious cyber-attacks on businesses in the UK and the US, with three in four businesses affected in the last three years. This is a growing problem and one with serious ramifications for affected organisations. Instances of data theft, ransomware, fraud, cryptojacking, and other attacks all increased this year, causing significant financial damage.”

The report also examined the damage caused by these attacks, which averaged nearly $3.4m (£3 million). Respondents reported an average direct loss from a serious cyber incident of $1.5m (£1.3m), a significant figure that doesn’t take into account an incident’s long-term fallout, which can cause businesses further financial damage.

Indirect losses, such as reputation damage or ransoms paid by an insurer, were actually often more costly than the initial incident itself, averaging $1.87m (£1.5m). These indirect costs were slightly higher amongst UK IT leaders ($1.95m / £1.7m) than US senior IT leaders ($1.79m / £1.56m).

The most common impacts of cyber incidents across this period were the result of operational downtime (reported by 40% of respondents), increased insurance premiums (36%), reputational damage (34%), and legal costs (34%).

Smith added: “Often businesses will focus on the direct financial impact of a cyber incident, but the indirect impact can be even higher and far more difficult for them to accurately quantify. This is part of the reason why an effective incident response plan and relevant training is so important.

“The right plan can minimise the secondary impact of attacks, help to limit reputational damage, aid recovery, and minimise costly downtime.