Cyber Security: The Billion Pound Risk

Published by: Credit Services Association (CSA)

Key Takeaways

  1. Cyber security represents a significant economic threat, with recent incidents costing the UK economy billions, evidenced by the £1.9 billion impact from the Jaguar Land Rover attack.
  2. Businesses must treat cyber security as an integral risk, affecting operational integrity, regulatory compliance, and reputation, rather than a disposable expense.
  3. The dependency on shared technology providers increases systemic cyber risk; a failure at a major provider like AWS can cascade across entire sectors.
  4. Despite high levels of confidence in preparedness, surveys indicate an ongoing need to enhance cyber resilience, especially given the rise in high-severity cyber-attacks.
  5. A proactive approach, including continual review, staff training, and testing of incident plans, is crucial for developing and maintaining resilience.
  6. Cyber insurance coverage is widespread among firms, but it is insufficient without comprehensive security measures; insurers expect organisations to show due diligence.
  7. Rising sophistication in cyber threats, facilitated by AI, demands that firms overhaul their security strategies frequently.
  8. Sectoral reliance on outsourcing and legacy systems continues to pose vulnerabilities that need addressing for improved cyber resilience.
  9. Regulatory and governmental bodies are urged to provide clearer guidance and oversight, especially on critical third-party dependencies, data retention, and AI use.
  10. Board-level oversight and governance are essential; senior management must understand risks sufficiently to endorse necessary investments.
  11. Implementing recognised security standards, such as Cyber Essentials, and adopting encryption and multi-factor authentication can significantly reduce risks.
  12. The threat landscape is evolving rapidly, and organisations must stay vigilant, leveraging both technological tools and strategic governance to safeguard against increasingly sophisticated cyber threats.

Key Statistics

  • The cyber-attack on Jaguar Land Rover caused an estimated UK financial impact of £1.9 billion.
  • Capita was fined £14 million for data protection failings following a cyber-attack.
  • The frequency of ‘nationally significant’ cyber attacks in the UK is four per week, according to the NCSC.
  • 78% of cybersecurity professionals agree that AI will increase cyber-attacks on their organisations.
  • 78% of businesses attacked in the last 12 months experienced a phishing attack.
  • Nearly 90% of survey respondents reported having cyber insurance, but the true value depends on their security posture.
  • CrowdStrike’s 2025 report indicated a 442% increase in voice phishing (vishing) between H1 and H2 of 2024.
  • Almost 50% of companies hacked in 2024 paid a ransom, demonstrating ongoing reliance on ransom payments.
  • 64% of cybersecurity professionals expect AI to force a strategic overhaul in their security approach.
  • ‘Highly significant’ cyber attacks rose by 50% within the last year.
  • The NCSC describes ransomware as “one of the most acute and pervasive cyber threats” to UK organisations.
  • The Cyber Essentials scheme provides free or low-cost accreditation and insurance for UK firms with under £20m turnover.

Key Discussion Points

  • Cyber security costs are escalating, with attacks increasingly damaging across operational, regulatory, and reputational domains.
  • Dependency on cloud providers like AWS introduces systemic risks, emphasising the importance of resilience planning.
  • The rise in ‘highly significant’ cyber attacks warrants heightened board-level responsibility and strategic oversight.
  • Organisations must go beyond basic protections; ongoing staff training and rigorous testing of incident response plans are vital.
  • AI-driven attacks are making traditional red flags less visible, necessitating ongoing updates to security strategies.
  • The proliferation of digital transformation initiatives, while delivering efficiency, also expands attack surfaces.
  • Legacy infrastructure and underinvestment in security measures are persistent vulnerabilities, especially for SMEs.
  • Enhanced governmental guidance and regulation are necessary to address critical third-party risks and AI governance.
  • Cyber insurance is widespread; however, its effectiveness hinges on proportionate security practices.
  • Sector interconnectivity underscores the importance of sharing intelligence and adopting best practices.
  • Organisations need to embed cyber governance across the enterprise, ensuring strategic and operational alignment.
  • Recognising cyber security as a matter of national resilience underscores the collective responsibility of policymakers, regulators, and industry stakeholders.