Lies, Damn Lies and Cyber Security Statistics

Figure 1: Chances of Dying in the UK in 2018 from Assorted Causes

Blog by Lawrie Abercrombie, Arcanum’s Technical Director.

There is no doubt that some statistics are more trustworthy than others. For example, the ones in our infographic above are generally based on provable facts: being dead is provable, the NHS and its medical professionals are generally very good at finding out what people in the UK died from, and we’re reasonably confident from Government figures that about 58 million people lived in the UK in 2018, plus or minus a couple of hundred thousand perhaps.

But Cyber Security statistics are different: they’re generally based on surveys and “representative samples”, and there are no universally accepted definitions of what a cyber attack actually is. As part of our ongoing cyber security Risk Assessment and Risk Management practice, we’ve had a look at the plethora of statistics that are available to try and work out the likelihood of suffering a cyber attack.

Here are some of the examples we’ve picked up about small businesses while looking at various surveys and reports:

  • Half of all Cyber attacks are targeted at small businesses. [1]
  • 43 percent of cyber attacks target small business. [2]
  • 31% of micro and small UK businesses identified breaches or attacks. [3]
  • 20% of small firms say a cyber-attack has been committed against their business in the two years to January 2019. [4]

Just looking at the last two, there’s a significant difference. HMG statistics say that there were about 5.5 million small businesses in the UK last year. So one of those last two bullet points says over 1,700,000 businesses suffered a cyber attack in 2018. The other says “20% over the last two years”, which averages at about 550,000 per year, or less than a third of the other statistic.

To say that they are confusing is a gross understatement.

Other statistics we picked up include:

  • 60% of small companies go out of business within six months of a cyber attack. [5]
  • The average cost of a data breach in 2018 was $3.86 million. [6]
  • The average cost of a business breach in the UK in 2019 is £4,180. [7]
  • 76% of organizations and businesses were phishing targets. [8]
  • Over 60% of medium & large UK firms identified breaches or attacks in 2018. [9]
  • 48% of UK manufacturers are cybercrime targets. [10]
  • Average 49.6 day period between breach discovery and reporting dates. [11]
  • It typically takes companies over 6 months to notice a data breach. [12]
  • 34% of breaches in 2018 involved an internal actor. [13]
  • Organized crime groups were involved in 39% of breaches last year. [14]
  • Ransomware cost businesses more than $8 billion per year in 2018. [15]
  • 92% of malware attacks are via malicious emails. [16]
  • The cybersecurity unemployment rate is approaching 0%! [17]

These are just a sample of what we looked at, but even from these it’s clear that the figures vary hugely. However, they do generally agree that the US is the most expensive place to suffer a data breach. We suspect this is at least partly because data breaches there invariably result in class action lawsuits and millions in damages, which is why most US organisations have cyber insurance to cover these costs. Interestingly, the take-up of cyber insurance seems to be on the rise in the UK as well. What is also true is that the number and cost of breaches are going up every year across most of the western world, but by exactly how much is anybody’s guess.

There are some of these statistics we definitely wouldn’t trust, for example the first one, about 60% of businesses going bust. This appears to come from a 2012 study by the US National Cyber Security Alliance and has been oft quoted in Congress. However, the NCSA itself said that it was “not from NCSA and its original source cannot be confirmed”. On investigation, many of the others are extrapolated from relatively small surveys and we’d be loath to base our risk assessments on their figures.

In fact, the only one of these we suspect is even close to true is the last one. After all, have you tried hiring a competent, experienced Cyber Security Specialist recently?

Lawrie Abercrombie M.CIISec is the Technical Director at Arcanum IS Ltd, a specialist Cyber Security Consultancy working with Businesses, Government and Defence Industry.  One of few Lead Security & Information Risk Advisors certified by the UK’s National Cyber Security Centre, Lawrie originally learnt his trade commanding the British Army’s first Cyber Security team.  Now working in both the Public and Private sectors, he specialises in risk management for IT and OT projects.


[1] Source: CPO Magazine 11 Eye Opening Cyber Security Statistics for 2019

[2] Source: Small Business Trends, Cyber Security Statistics 

[3] Source: UK Cyber Security Breaches Survey 2019

[4] Source: The Federation of Small Businesses, Small firms suffer close to 10,000 cyber-attacks

[5] Source: Small Business Trends, Cyber Security Statistics 

[6] Source: IBM’s 2018 Cost of Data Breach Study

[7] Source: DCMS’ Cyber Security Breaches Survey 2019

[8] Source: Wombat Security’s State of the Phish 2018 report

[9] Source: DCMS’ Cyber Security Breaches Survey 2019

[10] Source: Report by Make UK and AIG carried out by the Royal United Services Institute (RUSI).

[11] Source: Report from security intelligence vendor Risk Based Security (RBS)

[12] Source: ZD Net, Most companies take over six months to detect data breaches

[13] Source: 2019 Data Breach Investigations Report (Verizon)

[14] Source: 2019 Data Breach Investigations Report (Verizon)

[15] Source: CyberCrime Magazine

[16] Source: Verizon’s 2018 Breach Investigations Report

[17] Source: Cyber Security Jobs report 201-21