Risk data shows UK energy sector most vulnerable to cyber attack

The UK’s energy sector, followed closely by retail and wholesale, business services, financial services, and governmental and non-profit bodies, has been revealed as the most at risk of cyber attack in new data compiled by insurance company Hiscox as part of its Cyber readiness report 2021 – which can be downloaded in full here.

Drawn from responses from over 6,000 executives, departmental heads, IT managers and key professionals from all over Europe – more than 1,000 in the UK – the report scores each sector from seven to 70 on a proprietary risk scale – energy received a score of 48 and retail 46.

The energy sector saw a median loss of about £25,000, despite a higher percentage of firms than in other sectors having upped their cyber security budgets. Hiscox suggested that the higher risk level could still be attributed to a lack of adequate preparation – its data suggests that while 84% of energy firms have a dedicated cyber security role, only 39% said reviewing cyber policies and procedures was a spending priority.

“The pandemic has presented greater cyber security risks for UK businesses, with the energy sector clearly the most impacted for the second year in a row, according to our threat table,” said Stephen Ridley, UK cyber underwriting manager at Hiscox.

“We know that this threat isn’t limited to particular countries, and while it is evident that UK businesses are continuously investing in cyber defences, it is important that increased investment continues to prevent grave financial losses.”

At the lower end of the scale, although by no means risk free, were sectors such as travel and leisure, property, manufacturing, and telecoms, media and technology. The pharmaceutical and healthcare sector scored in the mid-range despite the impact of the pandemic, and Hiscox’s analysts noted that that sector had dedicated the most budget to cyber during 2020.

Across all the sectors surveyed, the most common origin of a cyber attack was through an employee via phishing or targeted social engineering, accounting for 32% of cases, while the most common consequences of cyber attacks last year were computer virus outbreaks without an element of ransomware – accounting for 30% of cases.

The data also revealed some insight into how cyber risk can vary depending on company size, with the largest organisations experiencing substantially higher median costs of over £270,000, while small businesses with between 10 and 49 employees saw a median loss of £10,000 and a maximum loss of £2m.