2019 Cyber Security Breaches Survey

The Cyber Security Breaches Survey is a quantitative and qualitative survey by the DCMS of UK businesses and charities. It is designed to help organisations to understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the Government to shape future policy in this area.

Key findings can be seen here:


The report highlighted that:

  • Around a third (32%) of businesses and two in ten charities (22%) report having cyber security breaches or attacks in the last 12 months. As in previous years, this is much higher specifically among medium businesses (60%), large businesses (61%) and high-income charities (52%).

  • The most common types are:

    • phishing attacks (identified by 80% of these businesses and 81% of these charities)

    • others impersonating an organisation in emails or online (28% of these businesses and 20% of these charities)

    • viruses, spyware or malware, including ransomware attacks (27% of these businesses and 18% of these charities)

  • One plausible explanation for fewer businesses identifying breaches is if they are generally becoming more cyber secure. The survey shows that businesses have increased their planning and defences against cyber attacks since 2018. This may have resulted in fewer attacks overcoming their systems, and fewer businesses recording any cases.

  • Among the 32 percent of businesses recording breaches or attacks, this resulted in a negative outcome, such as a loss of data or assets, in 30 per cent of cases. Among the charities recording breaches or attacks, this happened 21 per cent of the time.

  • In businesses that had these kinds of negative outcomes, the average (mean) cost to the business was £4,180 in 2019. This is higher than in 2018 (£3,160) and 2017 (£2,450). It indicates a broad trend of rising costs in cases where cyber attacks are able to penetrate an organisation’s defences.

  • Around three-quarters of businesses (78%) and charities (75%) say that cyber security is a high priority for their organisation’s senior management. These proportions are higher than in 2018 (when it was 74% of businesses and 53% of charities). For businesses, there is a longer-term upwards trend going back to 2016 (when it was 69%).

  • Written cyber security policies are more common both among businesses (33%, vs. 27% in 2018) and charities (36%, vs. 21% in 2018).

  • GDPR has played a large part in these changes. Three in ten businesses (30%) and over a third of charities (36%) say they have made changes to their cyber security policies or processes as a result of GDPR.

  • Around one in five businesses (18%) and one in seven charities (14%) require their suppliers to adhere to any cyber security standards.

  • Six in ten businesses (59%) and just under five in ten charities (47%, up from 36% in 2018) have sought external information or guidance on cyber security in the last 12 months.