AON

How might a data breach impact your business?

With the scope of personally identifiable data widening since the introduction of GDPR, larger fines and the addition of compensation for non-material damage, all businesses, big or small, need to understand the risks associated with a data breach.

What are the causes of a data breach?

The most widely known cause of a data breach is an external attack by hackers, and while such attacks do account for the majority of causes, accidental breaches account for 1/4 of reported breaches. If one of your suppliers is breached, this can also impact you directly or indirectly, since it may give the attackers access to your data, or to credentials that can be used to access your systems.

Common threats

As we produce and store more and more data every day, it has become harder for businesses to protect and manage it.

External threats

Spear phishing

A more sophisticated form of phishing that attempts to obtain private information by impersonating a legitimate service you use, often combined with publicly available data about you.

Malware attacks

Despite advances in anti-virus software, malware is still prevalent and has affected a third of all businesses.

Exposed passwords

If your credentials have been exposed in a breach, hackers may attempt to reuse them to access other services, such as cloud computing, and so gain access to your data.

Internal threats

Lost hardware

USB drives, laptops and mobile phones all pose a serious risk, as they may contain PII or allow access to your systems.

Wrong recipient

Sending an email attachment to the wrong person can be a costly mistake, but not all breaches are digital: client letters posted to the wrong recipient are also common.

Open access

A recent investigation found that many companies were inadvertently sharing confidential data because they had made their cloud documents public.

How is my industry targeted?

Select your industry to see what types of attacks hackers use to target businesses in your sector.

Phishing (49%): Phishing uses link manipulation in emails and website spoofing to trick users into believing that a spoofed website is genuine, in order to obtain their personal and financial details.

Spear phishing (37%): Spear phishing uses social engineering to send more sophisticated messages that contain information directly related to the victim.

Malware attack (29%): Viruses, worms, trojan horses and spyware are all forms of malware that infect computers in order to delete or obtain protected data.

Card not present fraud (10%): Compromised financial data can be used by hackers to make fraudulent payments online or over the phone, where the PIN isn’t required.

Denial of service attack (5%): A DDoS attack bombards the targeted server with vast volumes of requests, crashing the target website.

Ransomware attack (4%): Ransomware infects a computer and makes it inaccessible, with the intention of extorting money from its owner in return for regaining access.

Online IP (3%): The open nature of the internet has made it difficult to manage and police IP infringement and piracy, as well as code cloning.

Online invoice fraud (3%): Another variant of phishing, in which attackers impersonate companies and send cloned invoices, often marked as urgent, to intercept payments.

Identity theft of business owners (3%): Personal details stolen in cyber-attacks are often used to conduct fraudulent activity in the victim’s name online.

Website cloning (2%): Hackers often imitate other websites, copying their design and content to mislead users into entering their personal and financial details.

Source: FSB UK - Cyber Resilience Report

How cyber-attacks can impact a business

While cyber-attacks and data breaches may have a direct financial impact on the business in the form of fines or compensation, they also cause mass disruption and long-term costs that are harder to define. The calculator below only takes into consideration costs related to cyber-attacks; to calculate the potential costs of a data breach, scroll to the bottom of the page.

What are the average costs of a cyber-attack?

Select your number of employees: Micro / Small (0 - 49 employees), Medium Business (50 - 249 employees) or Large Business (250+ employees).

Total Costs: £21,400

Cost Breakdown

Direct Costs

£13,800

This includes costs from staff being prevented from carrying out their work; lost, damaged or stolen outputs, data, or assets; and lost revenue if customers could not access online services.

Recovery Costs

£4,800

This includes additional staff time needed to deal with the breach or to inform customers or stakeholders; costs to repair equipment or infrastructure; and any other associated repair costs.

Long Term Costs

£2,800

This includes the loss of share value; loss of investors or funding; long-term loss of customers; costs from handling customer complaints; and any compensation, fines or legal costs pre-GDPR.

Source: Cyber Security Breaches Survey 2018

How can you reduce the risk of a data breach?

1. Prevent

The first step any business should take to reduce the risk of a data breach is to implement basic cybersecurity, put in place strict data management controls and educate staff on spotting risks.

2. Prepare

Despite the frequency of incidents, very few businesses (13%) have a cybersecurity incident management process in place, and with just 72 hours to report a data breach to the ICO once it is discovered, being prepared is vital for any business.

3. Protect

No cybersecurity software can guarantee to prevent a cyber-attack, and it will not stop an accidental breach or a consequential one. Cyber and data liability insurance is there for when the worst happens, and is something you may want to consider.

What next?

Find out more about how cyber insurance can help if a data breach occurs, or get a personalised cyber risk report.

Cyber Calculator

Use our cyber calculator to see how much a data breach could cost your business.

Cyber Insurance Hub

For further information on the issues covered above, please contact Aon on 0333 4553 159
