“There’s no budget for cyber security” is a line we hear a lot, usually from busy owners juggling a dozen bigger fires. It is an understandable position. Every pound is spoken for, and security rarely shouts as loudly as the tools that win new work. But having helped businesses across Brighton and Sussex recover from incidents that started with one convincing email, we think the budget conversation deserves better numbers. So here they are: what a cyber attack actually costs a UK business in 2026, where the real damage hides, and what protection costs by comparison.
How much does a cyber attack cost a UK business?
In November 2025 the UK Government published independent research on the economic impact of cyber attacks, carried out by KPMG. Its headline finding: the average cost of a significant cyber attack for an individual business in the UK is almost £195,000, with a significant attack defined as any successful incident costing at least £500, averaged across firm sizes and sectors in the UK. Scaled across the country, cyber attacks on the UK economy add up to around £14.7 billion a year, an annual UK cost of roughly 0.5% of GDP. Within that, Alma Economics estimates that attacks attempting intellectual property and knowledge-assets theft cost the UK between £1 billion and £8.5 billion in 2024, and the same report estimates that fraud episodes linked to organisational data breaches are likely to account for around £755 million a year.
The Government’s Cyber Security Breaches Survey 2025/2026 adds the frequency: 43% of UK businesses identified a breach or attack in the last year, rising to 65% of medium-sized firms. Global studies such as IBM’s Cost of a Data Breach Report 2025 put the global average cost of a data breach at $4.4 million, though that figure is dominated by large enterprises.
Here is the part that catches boards out. In the same survey, the median direct cost of a breach is close to zero, because most incidents are caught early and shrugged off. That is exactly why the risk gets waved through. The average is dragged up by the minority of incidents that go badly, and when one does, the worst-hit firms face five and six-figure bills. You are not budgeting for the typical attack. You are budgeting so the bad one does not become yours.
What the Marks & Spencer attack showed everyone
If you want a picture of how a cyber incident unfolds, the 2025 attack on Marks & Spencer is the clearest in recent memory. The retailer could not take online orders for 46 days. It initially told investors to expect around £300 million in lost operating profit. Cyber insurance eventually clawed back £100 million, leaving a final bill of roughly £136 million.
M&S had resources most businesses can only dream of, and it still took months to recover. Notably, the attack reportedly began with social engineering at a third-party supplier, making it a supply chain attack in all but name. It is an old pattern: the infamous 2013 Target Corporation breach in the United States started with a heating contractor’s stolen login. That detail matters for smaller firms: being part of a bigger customer’s supply chain makes you a target for cyber criminals, because you are often the easier way in. You do not have to be the target to be the victim.
Where the real cost of a cyber breach hides
The headline figure is never the whole story. Deloitte’s research on breach costs describes the visible, day-one spend as the tip of the iceberg, with the bulk of the impact landing below the surface in the months that follow.

The biggest hidden cost is usually time. Ransomware victims have historically averaged around three weeks of downtime. While your data and systems sit behind someone else’s encryption, revenue stalls, deliveries slip and staff are paid to wait.
For your business
As an illustration, a 50-person firm billing £500 per person per day loses £250,000 of billable work in ten working days offline, before spending a penny on recovery.
Then come the slower losses: reputational damage, customers who quietly move on, prospects who ask about your security posture and hear hesitation, and cyber insurance premiums that jump at renewal. Add the clean-up itself: forensic IT, legal advice on any customer data you may have exposed, replacement hardware and retraining. For some firms there is also intellectual property to think about, because designs, client lists and financial data walk out of the door with the attackers.
“My team would never click that link”
We hear this one a lot too, and it is usually said with complete sincerity. The Cyber Security Breaches Survey found phishing remains the most prevalent attack type by far, and 69% of breached businesses rated it the most disruptive thing that hit them. The people who click are not careless. They are smart, busy and distracted, exactly like your team on a normal Tuesday.
It is also getting harder to spot. The National Cyber Security Centre warns that artificial intelligence lets attackers write convincing lures “without the translation, spelling and grammatical mistakes that often reveal phishing”, and expects AI to increase both the volume and impact of attacks. The scruffy giveaways we all trained ourselves to spot are disappearing. A hacker no longer needs custom malware to break in when they can simply log in with a password bought on the dark web, then help themselves to sensitive data.

So the practical question is not whether someone will click. It is whether you have a plan for when they do. Only 25% of UK businesses have a formal incident response plan. Everyone else is improvising on the worst day of their year.
What cyber security protection actually costs
Now for the reassuring part. The cost of cyber attacks sounds frightening, but the cost of basic protection is genuinely modest. Cyber Essentials, the certification backed by the UK Government for UK organisations of every size, closes off the most common attack routes and has a fixed price based on your size:
| Organisation size | Cyber Essentials assessment cost |
|---|---|
| Micro (0 to 9 staff) | £320 + VAT |
| Small (10 to 49 staff) | £440 + VAT |
| Medium (50 to 249 staff) | £500 + VAT |
| Large (250+ staff) | £600 + VAT |
Set £440 against an average significant attack of £195,000 and the budget conversation changes shape. Certification is not the whole answer, of course. It is the baseline, and expectations are rising: the Cyber Security and Resilience Bill making its way through Parliament will tighten what regulators expect of suppliers and service providers. Real cyber resilience comes from security measures that work together as an integrated security setup: patched systems, multi-factor authentication, secure cloud computing setups, monitored backups, staff who know what a modern scam looks like, and a tested plan for the day something gets through. We have written before about cyber security for small businesses and the April 2026 Cyber Essentials vulnerability management changes if you want the detail.
How we help in Brighton and Sussex
Our cyber security professionals guide businesses anywhere in the United Kingdom, though most of our clients are within an hour of Brighton, through certification and the practical fixes behind it, from a plain-English security assessment to ongoing management of the essentials that stops small cyber security incidents becoming expensive ones. We hold the Assurix Trusted MSP certification, so you can see independent proof of how we run our own security rather than taking our word for it. No scare tactics, no jargon, just a clear view of your cyber risk and a sensible order to fix things in.
Frequently asked questions
How much does a cyber attack cost the UK?
Government-commissioned research published in November 2025 estimates the average cost of a significant incident at almost £195,000, and puts the annual cost of cyber attacks in the UK at around £14.7 billion, about 0.5% of GDP. Roughly two in five businesses in the UK are attacked or suffer an attempted attack in a typical year.
What is the most expensive cyber attack in UK history?
No official list ranks the number of data breaches by what they cost, but the 2025 Marks & Spencer incident is among the costliest suffered by a single UK business, at roughly £136 million after insurance. For the public sector, the 2017 WannaCry ransomware attack cost the NHS an estimated £92 million.
Do 90% of attacks really start with phishing?
The 90% figure is quoted often but loosely, usually from global cybersecurity vendor reports such as Cybersecurity Ventures, which expects cybercrime to cost the world more than $10 trillion a year. What the UK data shows is direction rather than a precise number: phishing attacks are the most common type by far, and the one businesses rate as most disruptive, which is why staff awareness and email protection give the best return.
Does cyber insurance mean I do not need certification?
No, they work together. Insurance transfers some financial risk, while certification reduces the chance of claiming at all. Insurers increasingly expect a security baseline such as Cyber Essentials, your policy will usually require basic controls anyway, and many offer cost savings on premiums when you hold it.
Final thought
Every business spends money on things that lose value from day one. Cars, phones, furniture: cybercrime does not care about any of them. Protection is one of the few investments that quietly holds its value, because it protects everything else on the balance sheet. The economics of cyber crime favour the attacker, but the cost of cybercrime lands hardest on firms that assumed it would land on someone else.
If you would like to know what a sensible security budget looks like for your business, we are happy to talk it through. No hard sell, just honest numbers like the ones above.
Sources
- UK Government: independent research on economic impact (November 2025)
- Cyber Security Breaches Survey 2025/2026
- National Cyber Security Centre: the near-term impact of AI on the cyber threat
- National Cyber Security Centre: Cyber Essentials overview
- Infosecurity Magazine: M&S braces for £300m breach costs