Unless you live off-grid and offline, you’ll be familiar with cybercrime. It’s likely you’ve even been the victim of a cyberattack already – though you might not be aware of it.
With 33 billion electronic records expected to be stolen in 2023, according to the latest Mimecast State of Email Security report, the world of cybercrime is vast and, for those attempting to understand and resolve it, the landscape is ever-changing. From receiving a shady text from the Post Office to having your email compromised following your Ferrari upgrade, letting your guard down online simply isn’t an option.
While a good VPN combined with up-to-date anti-virus software will cover your IP address and give you more general peace of mind while browsing, when it comes to protecting yourself from cybercrime, there’s always more that can be done. Cybercrime is by no means new and some of the most prominent cases (such as WannaCry, Petya and NotPetya, which disrupted at least 81 English health trusts and cancelled nearly 19,494 medical appointments) date back to 2017 with continued impact.
It’s a battle for individuals and smaller companies just as much as it is for big organisations; as the digital space is expanding and as AI is impacting our everyday lives, hackers are getting more inventive every day. And, if you’re not convinced that cybercrime is going to be an issue in your life, the statistics below will change your mind.
It seems that the UK is ripe pickings for cybercrime. The country is currently second on the Global Cyber Security Index behind the US, and here are some stats that make it clear why better prevention and general management of cyber threats are more essential than ever.
As reported by thenationalnews.com, a survey conducted by VPN provider Surfshark showed there were more cybercrime victims in Britain compared with the average global rate of 8 per cent, a number which grew 40 per cent in 2021. The Netherlands also saw the biggest increase in cybercrime rates at 50 per cent.
According to the UK’s National Cyber Security Centre (NCSC), social media hacking is becoming increasingly problematic in the UK and there were 8,023 reported cases in 2021/22 – a 23.5 per cent increase on the previous period. The NCSC notes how this type of cybercrime can lead to compromised data and is usually incentivised by, or will lead to, fraud.
There were 18 ransomware incidents that required a nationally coordinated response, according to the NCSC’s annual review 2022. In the case of South Staffordshire Water, which raised concerns around how cyber criminals work, the company could still operate and supply safe water. NHS 111 was also among those affected.
According to the UK Official Statistics Cyber Security Breaches report 2022, 39 per cent of UK businesses identified cyber attacks in 2022. 31 per cent of businesses and 26 per cent of charities report them as frequently as once a week.
The average cost of cybercrime for UK businesses (counting loss of money, material, data) reported by UK government is £4,200 and, although the total figures for 2022 are apparently lower than they were the previous year, this is not the case for medium and large businesses, where costs amounted to £19,400. The figure for micro/small UK businesses was £3,080 and there wasn’t enough data to analyse charities.
Money is a huge motivation for cyber attacks around the world. According to Steve Morgan, editor-in-chief at Cybersecurity Ventures, if cybercrime was measured as a country, it would be the world’s third largest economy, behind the US and China. Now to see what else has been happening beyond the UK, and no doubt shaping the cybersecurity landscape.
According to Cybersecurity Ventures, damage costs are set to increase by 15 per cent per year until 2025 where estimates predict that global expenditure on cybercrime could reach US$10.5 trillion (£8.4 trillion).
As highlighted in Mimecast’s report, it was findings by Juniper Research that revealed this alarming figure. The 33 billion records is actually a 175 per cent increase from 2018 when 12 billion records were compromised.
Without a shadow of a doubt, the Covid pandemic had a significant effect on how we behave online, paving the way for innovative cybercrime efforts. Remote working is increasingly the norm, we invest in more IoT-connected devices, such as smart speakers and cameras (all attractive to hackers), and we rely heavily on the digital sphere at every turn. This saw cybercrime rates soar throughout 2021, and continue increasing in 2022, putting a huge strain on cybersecurity teams.
For those on the frontline of security, it takes an average of 277 days to identify and respond to a cyberattack, according to IBM’s 2022 report. Although this is three days less than the 280 IBM estimated it to take in 2020’s report, the more time it takes to identify and contain a cyberattack, the more expensive it is. The 2022 report also shows there is an average cost saving of US$1.12 million (£896,369) – 26.5 per cent – for breaches that took less than 200 days to contain.
5. Ransomware damages cost 57 times more in 2021 than in 2015: US$20 billion (£16 billion)
According to Cybersecurity Ventures’ 2022 report, ransomware could cost victims (consumers and organisations) around US$265 billion (£212 billion) annually by 2031, with new attacks as frequent as every two seconds. In 2021, it was estimated damages were US$20 billion (£16 billion), 57 times lower. The UK’s NCSC chief executive officer, Lindy Cameron, believes ransomware could now be the most immediate cybersecurity threat to UK businesses.
A Clark School study, conducted by Michel Cukier in a bid to profile “brute force” hackers, showed that attacks are happening all the time on computers with an internet connection, averaging 2,244 attempts a day and amounting to one attack every 39 seconds. Although not all successful, most are trying to access usernames and passwords.
There are a number of ways that data can be compromised and many companies are falling victim to data breaches, with 83 per cent of organisations being targeted multiple times. According to IBM’s study, stolen or compromised data accounted for 19 per cent of data breaches in 2022, costing an average of US$4.50 million. In 2021, this sat at 20 per cent.
McDonald’s is currently facing a US$530,000 fine (roughly £434,196) from South Korea’s Personal Information Protection Commission for not better protecting a Server Message Block (SMB) that led to 4,876,106 users’ data being leaked by hackers.
The effects of cybercrime and data breaches are expansive and global. According to Statista studies, there were 1,802 cases of data compromises on US individuals last year, and 422 million individuals were in some way affected by threat actors.
Phishing is a multi-pronged approach, SoSafe’s Cyber Trends Report 2023 tells us, and employees don’t just have to contend with dodgy emails, but also vishing (voice phishing). With AI very much a part of our lives, users can easily be fooled into thinking that a link or phone call is safe. Globally, 44 per cent of people think an email is legitimately secure when the branding is familiar, according to Proofpoint’s 2023 report, and with consumers’ favourite brands at the top of the list for impersonation (Apple’s unmissable branding is said to be a go-to for cybercriminals), it’s no wonder phishing attacks are so successful.
According to IBM’s 2022 report, healthcare is regarded as one of the most highly regulated industries in the US and, for the 12th consecutive year, remains the costliest industry for data breaches. The cost of a data breach for the healthcare industry in 2022 was estimated at US$10.10 million (£8.1 million), 42 per cent higher than it was in 2020.
The following top four industries by costs incurred are the financial, pharmaceutical, technology and energy sectors. In the US, the more highly regulated industries such as these see bigger costs incurred two years post-incident, whereas lower-regulated industries, for instance tech, might see most of the spending in the initial months following a breach. The report describes these as “longtail” costs, which typically account for 24 per cent of the total cost.
It’s becoming clear that learning from failures and staying one step ahead of the cybercriminals is what will help victims come out on top, but with cybercrime set to cost the world $8 trillion (£6.4 million) in 2023, there is still some work to be done.
Costs resulting from cybercrimes are not just fraud on a public or private company level; the impacts can be expansive. Pauses in productivity, lawsuits from data compromises and long-term effects of stolen business intelligence for organisations, not to mention reputational harm, all add up. For example, one of the biggest ransomware attacks in history took place in 2021 on a remote software company which, in turn, forced more than 800 stores of a Swedish grocery retail chain to close, according to the World Economic Forum’s Global Cybersecurity Outlook January 2022 Insight Report.
When it comes to the different types of cybercrime, there are many. Malware, phishing, ransomware and distributed denial-of-service (DDoS) attacks are some of the most common.
The NCSC’s annual report highlights ransomware as one of the “three Rs” that defined the UK’s cybercrime story in 2022, taking up a lot of its efforts, alongside Russian cyber aggression and renewal. The government, police forces and other organisations in the cyber security sector, including the National Crime Agency (NCA), took a three-pronged approach to tackling threat actors and fine-tuning cyber security intelligence.
Globally, 64 per cent of organisations targeted with ransomware paid the ransom (Proofpoint 2023). However, Lindy Cameron, of the NCSC, along with the information commissioner, John Edwards, doesn’t condone paying the ransom because a positive outcome is not guaranteed; victims’ data or computer access may still be retained, and systems could remain infected. What’s more, it could potentially subject companies to a stronger second attack.
As Eric McLean, chief marketing officer at eSentire, notes in the 2022 Cybersecurity Ventures’ report: “Cybercrime is impacting businesses of all sizes” and everyone is vulnerable. A 2021 Joint Cybercrime Advisory report noted a shift, with threat actors directing more of their US and Australia ransomware efforts at mid-sized companies rather than bigger organisations. Meanwhile, all types of organisations continued to be victimised in the UK, with targets including charities and public health services.
It’s clear that bigger companies, which have access to more funding and better resources, can absorb the cybercrime costs more easily. A 2018 report by Juniper Research noted how the hefty cost of a data breach could wipe out small businesses, which make up 99 per cent of the market.
At the time, small businesses were supposedly only spending 13 per cent on cybersecurity but in 2023 small businesses are now making changes. Datto’s annual State of Ransomware report 2023 highlights how small- and medium-sized businesses (SMBs) are aware that they are increasingly under fire and therefore stepping up their online security measures. Some are now hoping to dedicate as much as 47 per cent of IT budgets to security in the next year, rising from a fifth of 2022 budgets.
The NCSC’s annual review 2022 highlights how it tried to better support UK institutions and organisations to overcome and understand cybersecurity threats throughout the year. It also puts emphasis on how efforts to strengthen cybersecurity prevention are pivotal to protecting the UK’s economy and national security. It also noted how learning from any cybercrimes that are successful will help prevention and solutions in the future.
Furthermore, the National Cybersecurity Strategy report released by the US Biden-Harris Administration highlights a desire to better support vulnerable individuals and small businesses in cyberspace. The report, released 2 March 2023, notes how the US is preparing to invest US$65 billion into a safe and reliable internet and outlines plans to bolster online defences to create a secure digital environment.
As we continue into 2024, many say that we’re going to see more unusual cases of cybercrime attacks. Therefore, companies need to set the pace when it comes to cybercrime and emphasise vigilance while actively building defence systems and not giving threat actors easy or obvious targets.
According to Proofpoint’s 2023 report, only 35 per cent of companies globally carry out phishing simulations to help employees know what to look out for and what not to click. The same report found that only 56 per cent of organisations have a security awareness program in place to train their employees.
This is set to shift. An awareness of how cyberminds are working in the modern age will be key to understanding the future of cyberattacks and defence, according to cyber expert Bruce Schneier of Harvard University.
However, knowing which will take precedence in the short and long term remains uncertain. Some experts say businesses might even want to fall back onto “classic” cybersecurity skills. Founder and CEO of Hack The Box, Haris Pylarinos predicts: “I expect to see a growing demand for retro cybersecurity skills, as businesses revert to old, cheaper ways of working while cybercriminals use modern skills to hack into legacy technology,” anticipating the best ways that business can outdo hackers this year.
It will be crucial for companies to get the right type of cyber insurance and make phishing and other types of cyber attack tests for employees as ritualistic as fire drills. Future strategy is also about building a supportive and security-first environment; using AI for threat intelligence or for enhanced risk assessments; implementing extended detection and response (XDR); considering a healthy zero trust architecture (which saved some companies an average of US$1 million in average breach costs); and exploring more paths that can contribute to lower data breach costs and shorter identification times.
If you own a small UK business, there are still lots of affordable ways to protect your company; the NCSC has a sound online resource you can utilise. That being said, there is a shortage of 3.4 million cyber-professionals, so there is definitely room for those who are up for the challenge of outsmarting cybercriminals beyond 2024.
There are a few simple steps you can take to ensure you’ve got the basics covered when it comes to protecting yourself or your place of work from cybercrime. As well as staying aware of the latest data breaches and crimes in the UK and further afield, here are some more tips to consider:
Keep your guard up against phishing links and leads on email, text or via any manner of communication for that matter. Note that unsolicited emails may be designed to look like your bank or a reputable industry/service like the NHS or Post Office in the UK. Check authenticity by confirming that the domain name (the text after the @ symbol) matches the website before clicking any links or opening attachments.
If you do still want to open an attachment from an email like this, which isn’t recommended, scan it with anti-virus first. Bear in mind that even what might appear as a seemingly harmless PDF file can be an app in disguise and install all manner of nasty malware on your computer or phone. Also note that your bank will be able to let you know how to recognise a legitimate email or other type of communication from them so confirm directly before getting caught out.
Especially when using public wifi or when connecting to a sensitive website such as your bank or pension provider. There are even some reputable free VPNs that can protect you without breaking the bank.
Update passwords regularly and make them complex. You can use password generator tools and there are now different password management extensions to keep them all securely in one place.
This will minimise the risk of hackers finding faults in your system to easily access files or mess about with any online security settings.
Keeping settings private. If you typically use your pet(s)’ name(s) as the answer to basic security questions online, keep it under wraps or reconsider. If you have kids, ensure they are aware of how to stay safe online too and make sure they feel confident in talking to you if they come across or are subjected to any form of harassment or cyberbullying.
Generally speaking, it’s better to be safe than sorry. Some banks don’t reimburse money lost if you have given your data away, so it’s important you can spot the signs and avoid cybercrime at all costs.