If you are a large Information or Entertainment company, modelled costs can exceed £1m. Micro UK construction companies, on the other hand, may experience costs in the tens of thousands. Costs vary considerably depending on sector and organisational size.
We were recently commissioned by DSIT to analyse sector specific costs of cyber attacks in the UK, exploring how direct financial impacts differ by firm size and type of attack. While the underlying data reflects the best available sources at the time of the study, the structure and patterns we identified remain relevant for organisations thinking about their cyber risk exposure.
Our modelling estimated the average direct cost of a significant cyber‑attack for a UK business using the best available datasets at the time of the study. These averages were indicative, helping to show the relative impact between sectors, size bands and types of attacks.
When scaled based on the estimated proportion of UK businesses that experience a significant cyber‑attack, the modelling showed the macro‑economic impact can reach tens of billions of pounds annually, representing around 0.5% of UK GDP at the time of analysis.
More importantly, the study reinforced that the relative variation in cost is what matters most. Some sectors see consistently higher impacts due to digital intensity, operational interdependencies or data sensitivity. Others experience lower – but still material – costs per incident.
Although cyber incident datasets have expanded significantly in recent years, cost information is still recorded inconsistently across organisations and sectors, making modelled averages useful for indicating patterns and relative analysis rather than definitive price tags.
Estimating how often businesses experience damaging cyber incidents is challenging. Reporting practices vary, definitions differ, and many attacks never appear in public datasets. Even so, national trends give a useful indication of how common harmful incidents are.
The DSIT Cyber Security Breaches Survey 2024 found that:
These headline figures show that cyber attacks with real impact are not rare, but the likelihood for any individual organisation varies significantly. Factors such as sector, digital footprint, critical systems, data sensitivity, reliance on third parties and the strength of existing controls all influence how exposed a business is to materially harmful events.
This is where CRI (Cyber Risk Insights) provides a more tailored and actionable view. Instead of relying on broad national averages, CRI combines global incident datasets, sector specific threat patterns and an organisation’s own environment to estimate the annual likelihood of impactful loss events. This modelling reflects the realities of your specific operating conditions – not the “average UK business”.
By grounding likelihood in both external intelligence and internal context, CRI gives organisations a clearer view of which scenarios are most probable and most financially significant. This supports more informed prioritisation and investment decisions than generic survey statistics alone.
Our DSIT report provides a breakdown of average costs by sector, organisation size and attack type, providing a baseline for understanding how cyber attack impacts vary across the UK economy.
The core message remains highly relevant: Cyber attacks carry real, measurable financial consequences – and those consequences differ widely between organisations.
To understand the financial exposure specific to your own organisation, we encourage you to explore our Cyber Risk Quantification (CRQ) Accelerator, which uses our Cyber Risk Insights (CRI) platform to generate clear, actionable financial insights in just six weeks.
Reach out to the team for a free demo, or if you want support with more confident, data‑driven cyber risk decision‑making.
