Cyber Security Breaches Survey 2019

The Office for National Statistics release their "Cyber Security Breaches Survey 2019" earlier this month (link at the bottom of this page).

This excellent report removes a lot of the sensationalism associated with most Information Security vendors who seem to "magic up" statistics in an attempt to terrify people into buying their products!

That said, there are still some startling statistics in there. Here we dig out some of the most suprising that we came across.

The cost of a breach

According to the report, the average cost of a data breach was just £4180 for businesses and £9470 for charities. The figure is higher for larger businesses, but still this is significantly lower than the figures you tend to see floating around the internet.

That said, we think this may be a little misleading where this figure appears to only account for the direct cost of the loss. It doesn't take into account loss of revenue, time, remedial work required, or, most importantly, the reputation damage that may have resulted from the breach.

GDPR made a difference

Thank goodness! For all the naysayers out there saying GDPR was a waste of time, the GREAT news is that 30% of businesses and 36% of charities have made changes (let's believe that means improvements) to their cyber security as a direct result of the change in legislation.

That means that our data, yours and mine, are better protected as a direct result of the GDPR.

We had a breach, so we did nothing

This one makes no sense to me. In the Micro/Small business category (that's businesses up to 250 employees) where 31% had identified a breach or attack in the last 12 months, a staggering 29% of businesses who identified a security breach DID NOTHING!

That's astonishing...and ridiculous.

It's happening a lot

For larger businesses, 60% had identified breaches or attacks in the last 12 months. The median number of breaches identified was 6 for medium businesses, and 12 for large businesses. That's quite a lot.

Security standards are still lacking

In the medium/large category, only a suprising 31%/46% have minimum cyber security standards for suppliers.

This is suprising - we know that standards like ISO 27001 insist on risk assessing your suppliers (Cyber Essentials hints at this too), which suggests that a small number of these businesses have cyber security standards themselves.


It's easy to live in an echo chamber. For us, EVERYONE knows about information security, that it's essential, that GDPR is for real and requires genuine effort, that looking at the business' cyber security posture should be a priority - but step out of that echo chamber and it seems that this is not the case for the majority of businesses or charities.

There is a lot of work to do - and for that I guess this business should be grateful!

The link

Need help with ISO27001 or GDPR?
Call now on: 01530 637 833

We look forward to speaking with you soon!

Share this post