39% of Businesses Suffered Security Breaches in the last 12 months

The Government’s Cyber Security Breaches Survey suggests that fewer businesses are identifying breaches or attacks than in 2020 (when it was 46%). The average annual cost for a business is £8,460 for lost data or assets after breaches.

Almost four in ten (39%) UK firms reported that they experienced a cyber-attack or data breach in the last 12 months, down from 46% in 2019. This is one of the key findings in the UK Government’s annual Cyber Security Breaches Survey.

The study also found that, despite the decrease in such reports, 27% of businesses are being attacked at least once a week. But there has been an increase to 43% in the number of businesses that have taken up cyber insurance, up from 32% in 2020.

According to the survey, 65% of medium and 64% of large businesses reported breaches or attacks this year, a decrease from 2020, when 75% of large businesses identified breaches or attacks.

Dealing with Covid-19

In response to the changing remote workforce and dealing with Covid-19, 47% of businesses have staff using personal devices for work. Only 18% of personal devices are covered by a cybersecurity policy for working.

There's still a lot of work for businesses to do coming out of the last 12 months: just 23% of businesses cover home working through a cybersecurity policy. Only 34% of businesses have staff who use a VPN whilst working from home.

Despite COVID-19, cybersecurity remains high on the agenda among management boards. 77% of businesses say that cybersecurity is a high priority for their directors or senior managers (vs. 69% in 2016).

With resources stretched during the last 12 months, fewer businesses report having up-to-date malware protection (83%, vs. 88% in 2020) and network firewalls (78%, vs. 83% in 2020).

Just 34% have started to manage the risk by completing a cyber risk assessment, and only 32% of businesses are monitoring user activity, a decrease from 38% in 2020.

Reporting Incidents

In this year's survey, just 66% of businesses have a formalised incident response process, with 93% of businesses saying they informed their senior managers or directors of their most disruptive breach. Just over one-third (36%) of businesses have taken no action since their most disruptive breach.

Cyber Security Breaches Survey

The study highlights that the rise in incidents has been offset by the improved response and stronger resilience, but businesses continue to suffer from phishing attacks. 83% of businesses have identified a phishing attack in the last 12 months (an increase from 72%), with 27% of businesses finding others impersonating their organisation in emails or online.

Among the businesses identifying any breaches or attacks, from 2017 to 2021 there has been a fall in viruses or other malware (from 33% to 9%) and a fall in ransomware (from 17% to 7%).

77% of respondents to the survey described cybersecurity as a high priority for their directors or senior management team and 38% said they have board members with a security brief. There is still considerable work to be done with regard to other aspects of cybersecurity.

Just 6% of those surveyed said that they have a specific cyber insurance policy; 37% of businesses have cybersecurity cover as part of a wider insurance policy. 15% have had cybersecurity vulnerability audits in the past year; 12% have reviewed supply chain risk posed by suppliers and 31% have a business continuity plan that covers cybersecurity.

How can you improve your cyber resilience?

Unprepared staff are at a heightened risk of being caught unaware when working from home or first starting a new job. It's important your staff are being trained in cybersecurity regularly; just 14% of businesses said they had trained staff on cyber security.

Cyber Security is more important than ever: growing numbers of people in your organisation are at risk from a variety of threats that will disrupt, damage or even destroy your assets or the data that makes up your business.

There’s no technological fix for cybersecurity and criminals are in a never-ending race to one-up each other. The best long-term, cost-effective answer for your business is to provide cybersecurity awareness training that develops and embeds a culture in your organisation.

The Cyber Resilience Centre can offer your staff security awareness training to provide simple and effective knowledge so your staff understand their environment and give them the confidence to challenge when something doesn’t look right.

Ready to prepare your staff with security awareness training? Contact us today to learn more.


© 2021 - The Cyber Resilience Centre for Greater Manchester