Audit & Risk

How much does a cyber security breach really cost?

New research shows that the cost of cyber attacks is estimated to be higher for UK businesses than companies in the US, Germany, France, Sweden, Norway and Switzerland.


Everyone can agree that the risk of cyber security breaches is on the rise, but what’s the average cost to a UK business of such an attack? 

Answer: £1.2m. And that’s before hidden costs such as reputational and brand damage are taken into account, plus an average anticipated drop in revenues of 13 per cent as consumers and other firms take their business elsewhere. 

This is according to research by global information security and risk management company NTT Com Security, which found that the UK's expected costs are higher than for any other country in the survey. 

Taken globally, across enterprises of all sizes, the average cost of a cyber breach is expected to be just short of $1m. However, the anticipated financial burden is heavier for larger companies. Businesses with fewer than 1,000 employees are on average liable to lose $362,550 compared with $1.47m for companies with more than 5,000 staff. 

In terms of remediation costs following a security breach, 18 per cent of a UK company’s costs would be spent on legal fees, 18 per cent on fines or compliance costs, 17 per cent on compensation to customers, and 11 per cent on third-party remediation resources. Other anticipated costs include PR and communications (14 per cent) and compensation paid to suppliers (12 per cent) and to employees (11 per cent).

Stuart Reed, a senior director at NTT Com Security, said in a statement: “Attitudes to the real impact of security breaches have really started to shift, and this is no surprise given the year we have just had. We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their reputation.”

NTT surveyed 1,000 business decision makers in the US, UK, Germany, France, Sweden, Norway and Switzerland. Its findings show that while 48 per cent of UK businesses say that information security is vital to their organisation and just half agree it is good practice, a fifth admit that poor information security is the single greatest risk to the business, ahead of decreasing profits (12 per cent), competitors taking market share (11 per cent) and on a par with lack of employee skills (21 per cent).
