Cyber attacks are costing UK firms billions every year – ransom payments, staff overtime, and lost business are crippling victims
With more than half of firms hit by cyber attacks every year, one-in-eight victims enters administration


Cyber attacks are costing UK businesses £64 billion a year in ransom payments, staff overtime, lost business, and other associated costs.
Research from cybersecurity firm ESET shows that 53% of UK businesses have fallen victim to at least one attack over the last year, with 43% saying that it's had a long-term impact on business growth.
The top three most common cyber attacks or breaches were phishing attacks, experienced by nearly half, while more than a third were targeted with malware and three-in-ten by attacks - or attempted attacks - against online bank accounts.
This is having a significant effect on the bottom line, the study noted. The most common direct cost was the extra staff time needed to deal with an attack, cited by nearly two-thirds of businesses.
Other direct costs included ransom payments, stolen or lost funds, legal and regulatory costs, disruption to operations, and the cost of bringing in third-party expertise along with higher cyber insurance premiums.
All in all, these direct costs added up to £37.3 billion, or 0.7% of overall business turnover. Notably, the indirect costs were almost as significant, at £26.7 billion or 0.5% of overall business turnover.
The biggest factor here was the need to increase cybersecurity budgets, with two-thirds of businesses identifying this as a major cost, and 28% deeming it extremely significant.
Other indirect costs included loss of clients, the cost of redirecting resources to incident response, and a loss of competitive advantage due to the theft of corporate intellectual property.
"The rising costs of cyber attacks – both direct and indirect – prove that no business can afford to overlook cybersecurity," said Jake Moore, global cybersecurity advisor at ESET.
"With growing public scrutiny on data protection and cybersecurity preparedness, businesses that fail to take proactive measures risk financial losses and long-term damage to trust and credibility."
Cyber attacks have huge long-term implications
ESET also specifically highlighted the long-term effects of cyber attacks. More than four-in-ten businesses reported restricted business growth and a similar number needed additional funding, the study found.
In some cases, the consequences were more severe, with 14% saying they'd been forced to downsize, 15% that they'd entered administration, and 16% that they'd undergone a merger or acquisition.
Small businesses suffered particularly from impacted growth rates, which affected 45%. Meanwhile, large enterprises were more likely to require additional financing to recover from an attack, a problem for 46%.
But despite 43% of businesses expecting an attack in the next 12 months, nearly half said they manage cybersecurity fully in-house, without external expertise, and 15% reported having no cybersecurity budget at all.
Impact on UK regions differs greatly
On a regional basis, Southern England is facing the highest financial burden - £20.2 billion in direct costs and £15.5 billion in indirect costs - probably because of a concentration of high-value industries such as finance and technology, the study noted.
Meanwhile, the Midlands gets off the lightest financially, with £4.6 billion in direct costs and £2.6 billion per year.
"With over 50% of UK businesses experiencing a cyber attack in the past three years, it’s clear that no organization is immune. Businesses must shift from a reactive to a proactive cybersecurity strategy to stay ahead of evolving threats," said Matt Knell, UK MD of ESET.
"At ESET, we’ve found that organizations forced to make a reactive investment can spend more than 10 times as much as they would have spent on proactive measures when recovering from an attack."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.