60% of British CTOs Say UK Government is Performing Poorly in Protecting Firms from Cyberattacks

Cyberattacks Cost UK Businesses Over £34 billion, according to Centre for Economics and Business Research (Cebr) Study

LONDON — June 9, 2015 — Veracode, a leader in protecting enterprises from today’s pervasive Web and mobile application threats, today issued findings from a joint Cebr/Veracode study of over 200 C-level British executives revealing a significant gap between industry expectations and government cybersecurity performance.  According to Cebr, one of the UK’s leading independent commentators on economics and business trends, some 60% of CTOs feel the government is not doing enough to prevent cyberattacks.  In addition, the top three concerns of UK business executives are breach costs (including forensic, cleanup and legal costs), reputation and brand damage, and lost revenue due to downtime.

Cyberattacks pose a serious financial threat to the UK economy, according to the report. Cybercrime and other attacks cost UK businesses a total of £34 billion per year, consisting of £18 billion in lost revenue and £16 billion on increased IT spending as a result of breaches.  The issue is widespread, according to the Department for Business, Innovation and Skills (BIS), which found 81% of UK businesses suffered a breach in 2014 [1].

With cyberattacks predicted to cause much more damage in the future, according to the Royal United Service Institute (RUSI) [2], businesses aren’t waiting for the government to rescue them.  More than half (57%) of CEOs hold themselves accountable for major cybersecurity incidents, and 88% of businesses have increased their annual IT spending following a cybersecurity breach.  However, 70% of CTOs also believe their current cybersecurity policies stifle innovation, which potentially indicates a need for more streamlined and automated risk assessments.

Surprisingly, respondents listed theft of corporate intellectual property (IP) as their sixth priority (second from last) in terms of top cybersecurity concerns.  This is in stark contrast to US perceptions, where board members ranked theft of IP — leading to loss of competitive advantage — amongst their top three cybersecurity worries [3].  The UK result may indicate a lack of awareness by UK executives, given that 34% of cybercrime in UK businesses is tied to IP theft [4].

“The UK economy is under siege from cyberattackers and the UK government should look to other successful private/public partnerships — such as Swiss banking regulations, German data privacy laws and US breach disclosure laws — as a model of how to improve the situation for us all,” said Adrian Beck, Veracode’s director of enterprise security program management. “For example, disclosure laws would require firms to report breaches in a timely fashion, thereby protecting consumers from identity theft and encouraging companies to implement best practices when dealing with cybersecurity.”

The joint Cebr / Veracode report with detailed statistics and conclusions can be found at: https://info.veracode.com/analyst-report-cebr-business-and-economic-consequences-of-inadequate-cybersecurity.html


The joint Cebr/Veracode “Business and Economic Consequences of Inadequate Cybersecurity” survey was conducted electronically between 23rd and 30th May, 2015.  The 201 C-level executives were asked about attitudes to the government’s policies on cybersecurity as well as insights into how seriously executives take cybersecurity and the costs associated with security breaches.

The survey, and data collected from the Annual Business Survey (ABS), allowed Cebr to estimate the number of businesses that were affected by cybercrime. Cebr also estimated the revenue lost due to cybercrime in the UK and the extent of the increase to IT spending in order to react to a cybersecurity breach.


[1] Department for Business, Innovation and Skills (BIS) and PwC, “Information Security Breaches Survey 2014”

[2] Royal United Service Institute (RUSI), “Threat Assessment of Cyber-Crime to the UK”

[3] NYSE Governance Services / Veracode, “Cybersecurity in the Boardroom”

[4] Detica / Office of Cyber Security and Information Assurance in the Cabinet Office, 2011