12 May 2025
The research highlights an urgent need for companies to bolster their cybersecurity defenses, as over half of surveyed businesses (53%) reported experiencing at least one attack or breach in the past three years.
The cyber threat landscape has become more complex than ever, intensified by the rise of artificial intelligence and the proliferation of attack methods such as ransomware, phishing, and supply chain compromises. Businesses of all sizes face heightened exposure to international cyber threats and the emergence of Cybercrime-as-a-Service (CaaS), which offers cybercriminal tools and services on a commercial basis.
The total cost of cyber attacks breaks down into direct and indirect expenses. Direct costs, which include ransom payments, stolen funds, legal and regulatory penalties, operational disruptions, staff time, third-party cybersecurity expertise, and increased insurance premiums, amount to approximately £37.3 billion annually — equivalent to 0.7% of business turnover and £13.1 billion in gross value added (GVA). Staff time spent responding to incidents was cited as the most significant direct expense, with 63% of organizations reporting this burden.
Indirect costs, which encompass loss of clients, opportunity costs from diverting resources, diminished competitive advantage due to intellectual property theft, and rising cybersecurity budgets, total around £26.7 billion annually — representing 0.5% of business turnover and £9.0 billion in GVA. Notably, 66% of businesses identified increased cybersecurity spending as a major expense, with 28% considering it extremely significant.
The repercussions of cyber attacks extend beyond immediate financial losses, often hindering long-term growth and stability. About 43% of affected companies reported restricted business growth, while 41% needed to secure additional funding to recover. For some organizations, the fallout was more severe, with 14% downsizing, 15% entering administration, and 16% undergoing mergers or acquisitions following an attack. Small and medium-sized enterprises (SMEs) are especially vulnerable, with 45% experiencing growth constraints, while larger firms are more likely (46%) to seek extra financing to recover.
Despite the rising threat, nearly half (45%) of UK businesses still manage cybersecurity internally without external support, and 15% admit to having no dedicated cybersecurity budget at all. This lack of preparedness leaves many vulnerable.
"The rising costs of cyber attacks — both direct and indirect — prove that no business can afford to overlook cybersecurity. With increased public scrutiny on data protection, organizations that fail to invest in robust security solutions, threat detection, and staff training risk significant financial and reputational damage. Cyber resilience is no longer optional — it’s essential for maintaining business continuity and customer trust," said Jake Moore, Global Cybersecurity Advisor at ESET. "No business can face this landscape alone. A coordinated effort between the private sector, government, and cybersecurity experts is vital to securing the UK’s digital economy and safeguarding long-term growth."