UK Government to support small businesses tackling soaring cyber risk

The UK’s Department for Business, Innovation and Skills has released the following statement:


More small businesses than ever are facing the threat of losing confidential information through cyber attacks, according to research published today by the Department for Business, Innovation and Skills (BIS).

The 2013 Information Security Breaches Survey has shown that 87 per cent of small businesses across all sectors experienced a breach in the last year. This is up more than 10 per cent and cost small businesses up to 6 per cent of their turnover, when they could protect themselves for far less.

This comes as the Technology Strategy Board extends its Innovation Vouchers scheme to allow small and medium enterprises (SMEs) to bid for up to £5,000 from a £500,000 pot to improve their cyber security by bringing in outside expertise. BIS is also publishing guidance to help small businesses put cyber security higher up the agenda and make it part of their normal business risk management procedures.

Minister for Universities and Science David Willetts said:

“Keeping electronic information safe and secure is vital to a business’s bottom line. Companies are more at risk than ever of having their cyber security compromised, in particular small businesses, and no sector is immune from attack. But there are simple steps that can be taken to prevent the majority of incidents.

“The package of support we are announcing today will help small businesses protect valuable assets like financial information, websites, equipment, software and intellectual property, driving growth and keeping UK businesses ahead in the global race.”

The survey also showed that:

Large organisations are also still at high risk with 93 per cent reporting breaches in the past year

  • The average cost of the worst security breach for small organisations was £35,000 to £65,000 and for large organisations was between £450,000 and £850,000. The vast majority of these were through cyber attack by an unauthorised outsider
  • The median number of breaches suffered was 113 for a large organisation (up from 71 a year ago) and 17 for a small business (up from 11 a year ago), meaning that affected companies experienced roughly 50 per cent more breaches than on average a year ago
  • Several individual breaches cost more than £1 million
  • 78 per cent of large organisations were attacked by an unauthorised outsider (up from 73 per cent a year ago) and 63 per cent of small businesses (up from 41 per cent a year ago)
  • 81 per cent of respondents reported that their senior management place a high or very high priority on security, however many businesses leaders have not been able to translate expenditure in to effective security defences
  • 84 per cent of large businesses report staff-related cyber breaches (the highest figure ever recorded) and 57 per cent of small businesses (up from 48 per cent a year ago)
  • 12 per cent of the worst security breaches were partly caused by senior management giving insufficient priority to security.

Andrew Miller, PwC information security director, said:

“UK businesses face more advanced threats than ever before from unauthorised outsiders. The business world has changed and companies of all sizes, in all countries and across industries, are now routinely sharing information across business borders, whether it’s with business partners or employees’ personal devices. Cyber security is critical. It is no longer only an IT challenge; business leaders need to make sure they are protecting what is most critical to their organisation’s growth and reputation.

“Organisations also need to make sure that the way they are spending their money in the control of cyber threats is effective. Spending on cyber control as a percentage of an organisation’s IT budget is up this year from an average of 8 per cent to 10 per cent, but the number of breaches and their impact is also up  as well so it is clear that there is work to be done in measuring the effectiveness of the security spend.”

Mike Cherry, National Policy Chairman, Federation of Small Businesses said:

“Cyber security is an increasing risk for small and micro businesses and more and more, a barrier to growth. The FSB is very pleased to see the Government announce a package of measures including specific guidance for small firms, helping them take steps towards more effective cyber security.  Information security should be part and parcel of good business practice. We need to cut through the jargon to give straightforward and practical advice, to help businesses put in place protections in their business.”

According to Government Communications Headquarters (GCHQ), it is estimated that 80 per cent or more of currently successful attacks can be prevented by simple best practice. This could be steps as straightforward as ensuring staff do not open suspicious-looking emails or ensuring sensitive data is encrypted.

Notes to editors

Case studies (these are real, anonymised incidents)

 Management at a small London insurer didn’t focus enough on security at their service provider – this led to a substantial data security breach. Information (such as announcements and business development reports) which they believed could only be accessed internally were actually being indexed by web crawlers and being made available in search rankings. It took nearly a month to detect the problem, and then systems had to be taken offline for a week to fix it.

A mid-sized energy company suffered disk corruption in their storage area network. Unfortunately, it hadn’t been designed with sufficient redundancy in place. As a result, it took nearly a month to restore service to ‘business as usual’, after several man-weeks of effort and tens of thousands of pounds spent.

Following reports in the media of similar attacks, a large technology company discovered that hackers had accessed their website through a known vulnerability. The attack specifically targeted the organisation and was facilitated by the lack of priority placed on security. The company suffered significant adverse media coverage after taking a month to restore business as usual.

  1. In the survey small businesses are those with one to 50 employees, and large businesses are those with more than 250 employees
  2. The 2013 Information Security Breaches Survey (ISBS) was funded by BIS and carried out by PwC in conjunction with Infosecurity Europe. The results will be revealed on Tuesday 23 April at the Infosecurity Europe event. Copies of the report are available from the BIS press office.
  3. This annual survey is carried out to increase understanding and transparency of the cyber security landscape in the UK. The survey is anonymous, enabling government and businesses to benefit from accurate information on the cyber risks that businesses are facing, and how businesses are managing them.
  4. This guidance has been tailored to meet the needs of small businesses and helps them to understand and deal with cyber risk. It follows on from the “10 Steps to Cyber Security” guidance released by HM Government in September 2012, which was aimed at larger businesses and encouraging them to make cyber security a Board level responsibility. Copies are available from the BIS press office.
  5. BIS carries out this work under the National Cyber Security Programme which in turn delivers the UK Cyber Security Strategy, a key objective of which is to tackle cyber crime and make the UK one of the most secure places in the world to do business in cyberspace.
  6. The Technology Strategy Board is the UK’s innovation agency. Its goal is to accelerate economic growth by stimulating and supporting business-led innovation. Sponsored by the Department for Business, Innovation and Skills (BIS), the Technology Strategy Board brings together business, research and the public sector, supporting and accelerating the development of innovative products and services to meet market needs, tackle major societal challenges and help build the future economy. For more information please visit