February 9, 2026
Making sense of cyber attack costs: A sector by sector view
James Hanbury
Global Lead Director, Co-founder

The cost of a cyber‑attack varies by company size and industry sector. Here are the patterns we found in research we conducted for the Department for Science, Innovation and Technology (DSIT) and why those patterns still matter today, even as the threat landscape evolves.

What might a cyber-attack cost your business?

If you are a large Information or Entertainment company, modelled costs can exceed £1m. Micro UK construction companies, on the other hand, may experience costs in the tens of thousands. Costs vary considerably depending on sector and organisational size.

We were recently commissioned by DSIT to analyse sector-specific costs of cyber attacks in the UK, exploring how direct financial impacts differ by firm size and type of attack. While the underlying data reflects the best available sources at the time of the study, the structure and patterns we identified remain relevant for organisations thinking about their cyber risk exposure.

What did we find?

Our modelling estimated the average direct cost of a significant cyber‑attack for a UK business using the best available datasets at the time of the study. These averages were indicative, helping to show the relative impact between sectors, size bands and types of attacks.

When scaled based on the estimated proportion of UK businesses that experience a significant cyber‑attack, the modelling showed the macro‑economic impact can reach tens of billions of pounds annually, representing around 0.5% of UK GDP at the time of analysis.

More importantly, the study reinforced that the relative variation in cost is what matters most. Some sectors see consistently higher impacts due to digital intensity, operational interdependencies or data sensitivity. Others experience lower but still material costs per incident.

Although cyber incident datasets have expanded significantly in recent years, cost information is still recorded inconsistently across organisations and sectors, making modelled averages useful for indicating patterns and relative analysis rather than definitive price tags.

How likely is a cyber-attack on my business?

Estimating how often businesses experience damaging cyber incidents is challenging. Reporting practices vary, definitions differ, and many attacks never appear in public datasets. Even so, national trends give a useful indication of how common harmful incidents are.

The DSIT Cyber Security Breaches Survey 2024 found that:

  • 50% of UK businesses experienced some form of cyber attack or breach.
  • 13% of those incidents led to a negative outcome, such as operational disruption or financial loss.
  • This means around 6.5% of all UK businesses experienced a materially damaging cyber attack within a single year.

These headline figures show that cyber attacks with real impact are not rare, but the likelihood for any individual organisation varies significantly. Factors such as sector, digital footprint, critical systems, data sensitivity, reliance on third parties and the strength of existing controls all influence how exposed a business is to materially harmful events.

This is where CRI (Cyber Risk Insights) provides a more tailored and actionable view. Instead of relying on broad national averages, CRI combines global incident datasets, sector-specific threat patterns and an organisation’s own environment to estimate the annual likelihood of impactful loss events. This modelling reflects the realities of your specific operating conditions, not the “average UK business”.

By grounding likelihood in both external intelligence and internal context, CRI gives organisations a clearer view of which scenarios are most probable and most financially significant. This supports more informed prioritisation and investment decisions than generic survey statistics alone.

Find out more

Our DSIT report provides a breakdown of average costs by sector, organisation size and attack type, providing a baseline for understanding how cyber attack impacts vary across the UK economy.

The core message remains highly relevant: cyber attacks carry real, measurable financial consequences, and those consequences differ widely between organisations.

To understand the financial exposure specific to your own organisation, we encourage you to explore our Cyber Risk Quantification (CRQ) Accelerator, which uses our Cyber Risk Insights (CRI) platform to generate clear, actionable financial insights in just six weeks.

Reach out to the team for a free demo, or if you want support with more confident, data‑driven cyber risk decision‑making.

