Provable Cyber Resilience - Cybersecurity Expert. Practitioner-led cybersecurity analysis, AI Labs tools, book updates and evidence-based assurance thinking.
Showing posts with label cyber insurance.

19 March 2026

The True Cost of Cyber Downtime: A UK Board-Level Briefing

Written by Sean Tilley, Senior Sales Director EMEA at 11:11 Systems

Cyber downtime carries measurable financial consequences, and those consequences are becoming clearer with each major incident. Research from 11:11 Systems shows that 78% of European organisations report losses of up to $500,000 per hour following a cyber-related outage, while 6% face costs exceeding £1 million per hour. When recovery extends beyond containment, the disruption begins to register in revenue performance, contractual exposure, and customer stability rather than remaining confined to the technology function.

For UK leadership teams, the issue centres on continuity of income, fulfilment of obligations, and the strength of customer relationships under strain.

Recovery delays compound risk

Half of organisations surveyed require between one and two weeks to fully recover from a cyber incident. Over that period, cost exposure builds in ways that are rarely reflected in early estimates.

Revenue stalls, particularly where digital platforms underpin billing and subscriptions, while service commitments are breached, supply chains experience secondary disruption, and internal teams divert time and budget away from planned initiatives towards remediation and communications.

Extended recovery places additional pressure on customer relationships, especially in sectors where availability is assumed as standard. Regulatory scrutiny increases in parallel, particularly under UK GDPR and sector-specific resilience requirements, where organisations must demonstrate that appropriate safeguards were established before the incident occurred.

A significant proportion of the cost emerges over time rather than immediately. Insurance premiums adjust at renewal, forensic specialists and legal advisers remain engaged, customer notification programmes continue long after systems are restored, and remediation work extends into future quarters. By the time the full impact is visible, the loss total often exceeds initial projections.

According to the Cyber Monitoring Centre, recent UK attacks across retail, healthcare and critical infrastructure have collectively cost businesses more than £1.9 billion. At an individual level, even a contained incident can translate into multi-million-pound losses once revenue interruption, remediation spend and longer-term customer attrition are properly accounted for.

Recovery time remains the decisive variable, steadily increasing commercial strain and regulatory attention the longer disruption persists.

For boards, cyber downtime is no longer a technical failure but a test of governance. In the immediate aftermath of an incident, external scrutiny rarely focuses on how the attack occurred. Instead, attention turns to whether leadership understood its exposure, validated recovery assumptions and exercised informed oversight before disruption struck. Where recovery falters, questions follow around board assurance, investment prioritisation and whether resilience was treated as a compliance exercise rather than a core commercial safeguard worthy of sustained board attention. In that context, prolonged downtime can quickly become a proxy for broader leadership risk.

The preparedness gap

Despite recent high-profile incidents, many organisations still overestimate their ability to recover.

Backup environments may exist without having been stress-tested under realistic conditions; recovery objectives are documented but rarely validated; crisis governance structures that appear clear on paper can lose coherence under pressure; and visibility across cloud platforms, SaaS providers and outsourced partners frequently remains incomplete.

Modern enterprises operate across layered digital ecosystems that depend on managed services, third-party infrastructure, and interconnected suppliers, each introducing dependencies that may sit outside direct oversight. Without a consolidated view of these relationships, recovery planning remains fragmented and assumptions around restoration timelines tend to be optimistic rather than proven. When those assumptions fail, cost exposure accelerates quickly.

Resilience as a strategic advantage

The organisations that recover fastest are rarely those with the most technology, but those with the clearest decision rights. During major incidents, value is lost less through system failure than through delayed executive judgement: uncertainty over who authorises restoration priorities, how customer communications are sequenced, and which commercial trade-offs are acceptable under pressure. Boards that rehearse these decisions in advance shorten recovery by eliminating hesitation at the moment it matters most. In competitive markets, that decisiveness increasingly separates resilient businesses from those that merely survive disruption.

Containing the cost of downtime requires disciplined preparation rather than reactive response.

Scenario-based recovery testing that includes executive leadership brings clarity to decision-making authority, communication sequencing and operational prioritisation, while tabletop exercises expose governance gaps before they are tested in live conditions.

Disaster Recovery as a Service can materially reduce restoration timelines where isolated environments and immutable backups are properly implemented. Equal attention should be given to external dependencies, with clear understanding of partner capabilities, escalation paths, and recovery commitments established in advance of disruption.

Effective resilience planning therefore extends across internal systems, cloud providers, and supply chain partners, ensuring that recovery capability is aligned rather than siloed.

Preparation does not prevent incidents, but it materially reduces their financial and operational impact.

What This Means for Boards

The commercial exposure created by cyber downtime is now quantifiable and, in many cases, escalating. The central question for boards is how effectively the organisation can absorb disruption without sustained damage to revenue, customer trust or regulatory standing.

Organisations that embed recovery capability into broader business planning place themselves in a stronger position to manage that exposure with discipline, control and credibility.

08 June 2021

Top Cyber Security Challenges Post Lockdown

By Sam Jones | Cyber Tec Security

Not too long ago things were looking bleak for the world, still under the dark cloud of the COVID pandemic, but with vaccine rollouts now taking place worldwide, there is finally a light at the end of the tunnel. It’s important to remember, however, as we slowly transition back into some semblance of normality, that there will be new challenges to face in all facets of life, and the Cyber Security sector is no exception.

The Rise in Cyber Threat
While the COVID pandemic loomed, the world was simultaneously dealing with a slightly different type of pandemic - a cyber one. The number of cyber attacks on businesses rose dramatically over the course of the last year, with estimated increases as high as 90%.

Organisations were forced to quickly adapt and move operations out of the office and into home environments, often bypassing best practices for a secure migration. Hackers took advantage of this confusion and chaos and focused on exploiting the vulnerabilities of those at home, who were working more independently and potentially on devices that did not align with critical security controls.

The pandemic offered new opportunities for cybercriminals to develop more sophisticated attacks, with the number of novel attack techniques rising to 35%, 15% greater than pre-pandemic. The good news is that the increase in cyber attacks has likely brought to light the importance of cyber security and implementing effective measures to protect against these threats.

Hybrid Working
The pandemic has proved that remote working is indeed possible and it is probable that not all businesses will return to the office post lockdown, at least not full time. There may be more leniency with employees wanting to work from home more frequently, but this new world of hybrid working could create challenges for cyber security.

Organisations will have to be wary that employees may be moving from a secure office environment to vulnerable home environments where they could be operating with inadequate security measures in place. In the rush to home working, companies were forced into being less restrictive with security policies and plenty of staff were using their own personal devices and network. But with such little visibility and control, there was no way of knowing what vulnerabilities there may have been - devices may not have been patched, home networks were potentially insecure, and company policies and processes ignored.

“This is all about understanding how we control an environment that is now a bigger risk because our network has increased from perhaps one or two locations to potentially hundreds.” – CTO, Cyber Tec Security

If businesses are going to operate effectively in this hybrid working style, they will need to bear in mind certain security considerations. Many will find it beneficial to introduce a home working policy or alter other company security policies to reflect new vulnerabilities. While employees will still need to access company data at home, it is imperative that this is done securely, with data protection tools and policies put in place and the use of a VPN for secure communication channels. Companies might consider providing company hardware to remote employees, but if personal devices are used at home to access data, they will need to be securely set up and regularly audited.

Human error is still the number one cause of cyber attacks, and home working could make this even more prominent. In 2020, Verizon found that 67% of cyber attacks were down to phishing and Business Email Compromise. Phishing links are still clicked on, and while this is likely due to poor cyber awareness, the situation could be worse in a home environment with greater dependence on email for work requests and less support and supervision.

Ultimately, organisations will need to cultivate a culture of security awareness and provide employees with relevant cyber training and resources to help minimise cyber risk and ensure individuals are fully equipped as they transition to this hybrid working style.

A Shift in Priorities
After a hard-hitting 12-14 months and a spike in cybercrime, businesses that may have not considered their cyber security before will now have it on their radar. Certain advancements can and should be made internally post-pandemic, such as developing new policies to incorporate home working and BYOD, and ensuring an incident response plan is in place.

Recent Supply Chain attacks like SolarWinds should also compel businesses to start looking at managing the security of their third parties, which are a common way for cybercriminals to gain access and cause disruption to multiple organisations in a supply chain.

Although some businesses will have the luxury of investing big money into more advanced security solutions and cyber insurance as a response to the pandemic, others will be facing budget limitations after a hard year. Regardless, no business can afford to ignore the cyber threat post-pandemic, but for most, it will be a case of identifying and prioritising risk reduction strategies to best fit your company’s funds and resources.

The pandemic has forged a new security landscape and businesses have been forced to see the importance of being able to quickly adapt to changes in our working styles and environments. Cybercrime is not going anywhere in the post-pandemic world but by being well prepared in the face of these new security challenges, businesses can stay secure and successfully protect against the cyber threat.

23 November 2020

Seven Debunked Myths of Cybersecurity

Article by Kristin Herman, a writer and editor at Ukwritings.com and Academized.com

The term 'cybersecurity' has been tossed around a lot lately. But although cybersecurity has been viewed as a saving grace for mobile devices, computers and the like, the topic is still cloaked in misconception. Things that come up when it comes to cybersecurity are:
  • The idea of security
  • Password strength
  • Who cybersecurity threats target and affect
  • If insurance will cover damages
  • How effective an IT team actually is
  • Cybersecurity “costs”
  • What devices are most vulnerable to malware?
However, with one side saying one thing while the other contests it, it’s easy to get caught up in believing the wrong things. In fact, a lot of people get it all wrong. So, to understand the truth about cybersecurity, check out this quick guide, which covers seven of the most commonly debunked myths about the subject:

1. “Physical Security and Cybersecurity are Two Different Things”
“The truth is, physical security is not separate from cybersecurity,” says Angela Macquarie, a business writer at Academized and Oxessays. “Both can help safeguard machines and paper documents. And, while both can function online and offline, the things they protect will hold sensitive data, which can be at risk of being exposed if the owner or holder is not careful.”

2. “Having a Good Password Protects You”
When it comes to passwords, you can’t leave anything to chance. And even though weak passwords are still commonplace, it’s hard to imagine many people using passwords like “123456” or “qwerty,” especially after being warned not to do so. Therefore, it’s imperative to complicate your passwords – make them difficult for other people to figure out. And always update your passwords, so that you can stay one step ahead of cybercriminals.

3. “Cybercriminals only Attack Large Businesses”
Wrong. Cybercriminals will go after any type of business – big or small. Since cyber thieves don’t discriminate, it’s important to keep your devices and data safe with an effective cybersecurity framework, regardless of the size of a business.

4. “Insurance will cover Cybersecurity Breaches”
Wrong again. In actuality, most insurance policies won’t cover businesses in the event of a data breach. While some policies might cover financial losses that have transpired from it, most policies won’t.

So, when shopping around for business-related insurance, make sure that policies will be able to compensate you whenever the dreaded breach springs up. Or, you can buy insurance and cybersecurity separately. Purchasing cyber and data insurance will be worth the investment if you’re looking to protect customer and/or sensitive data from infiltration.

5. “The IT Team has you Covered”
Think that IT teams can save your business, whenever data breaches happen? Think again!

While IT staff will most likely know about potential vulnerabilities and hacker techniques, they still can’t control all the elements involved. Your IT staff, instead, will only act as a human firewall to prevent breaches that stem from human error. Therefore, make it your job to add more layers of protection, besides your IT team.

6. “Cybersecurity is Costly”
“When people think about cybersecurity, they assume that investing in it will cost hundreds, or thousands, of dollars,” says Sheila Flynn, a marketing blogger at Boom Essays and Paper Fellows. “However, having a strong human firewall to defend you against cybercrime is entirely free – apart from creating an IT security policy and training staff. Investment can go a long way, as cybersecurity will greatly benefit your business.”

As such, consider consulting a cybersecurity expert, or look into comprehensive training and advice from cybersecurity experts, to help you put together an effective system that will protect all of your devices and data.

7. “Viruses only affect Desktops”
As technology continues to evolve – especially with more advanced smartphones and tablets working in almost the same capacity as computers – viruses aren’t just a computer thing. In fact, smartphones, tablets, and other mobile devices can fall victim to malware, if the user doesn’t have enough protection for them. And although it only took Internet access for malware to get to computers, other devices that connect to the Internet are still just as vulnerable to viruses.

Conclusion
As you read through these seven debunked myths, we hope that you have a better understanding of cybersecurity. The ultimate goal of this guide is to keep you – the device user – informed. By learning how cybercriminals work, and learning the truth about today’s debunked myths, you’ll learn from the mistakes that you might be making now with your devices, and fix them right away.

About the Author: Kristin Herman is a writer and editor at Ukwritings.com and Stateofwriting.com. She is also a contributing writer for online publications, such as Essayroo.com. As a marketing writer, she blogs about the latest trends in online advertising and social media influencing.

08 August 2017

Cyber Security Roundup for July 2017

Apologies for the delay in this month's Cyber Security Roundup release; I have been away on holiday, taking a break from monitor screens and keyboards for a couple of weeks.

The insider threat danger manifested at Bupa, where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported both to the FCA and the ICO; it remains to be seen whether the UK government bodies will apportion any blame to Bupa for the data loss.

The AA was heavily criticised after it attempted to downplay a data compromise of over 13 gigabytes of its data, which included 117,000 customer records. The AA’s huge data cache was incorrectly made available online after an AA online shop server was “misconfigured” to share confidential data backup files.

A customer data breach at World Wrestling Entertainment (WWE) should serve as a stark warning for businesses to adequately assure third parties and to secure hosted cloud systems. Three million WWE fan records were compromised after a third party misconfigured a cloud-hosted Amazon server used by the WWE online shop.

The aftershock of Petya / NotPetya rumbles on, with malware still reported as disrupting firms weeks after the attack. There are claims that the mass media coverage of the attack has improved overall staff cyber security awareness.

It was found that over 1.6 million NHS patient records were illegally provided to Google's artificial intelligence arm, DeepMind, without patient consent, meaning the NHS and Google have breached the Data Protection Act.

A 29-year-old British hacker named as Daniel K, better known by his hacker handle "BestBuy" or "Popopret", admitted to hijacking 900,000 Deutsche Telekom routers in Germany after he was arrested at Luton airport in February. He said he made "the worst mistake of my life" when he carried out a failed attack in November for a Liberian client who paid him 8,500 Euros to attack the Liberian's business competitors. BestBuy used a variant of the Mirai malware to take advantage of a security vulnerability in Zyxel and Speedport model routers used by the German Internet Service Provider, intending to grow his botnet, and so the scale of the DDoS attacks he could perform on behalf of clients.

A document from the National Cyber Security Centre (NCSC), reportedly produced by the British spy agency GCHQ, was obtained by Motherboard and verified by the BBC with the NCSC as legitimate. The document states that some industrial software companies in the UK are "likely to have been compromised" by hackers. The NCSC report discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.

UniCredit Bank had over 400,000 customer loan accounts accessed through a third party. This is the second security breach at the Italian bank in a year.

Finally, this blog was named among the Best Technology Blogs of 2017 by Market Inspector and by Feedspot this month.


09 March 2017

PCI DSS Penalties & Fines? Cyber Insurance? How to Estimate the Cost of a Payment Card Breach

How much does a payment card breach cost? How large are the potential fines? What happens if we aren't PCI DSS compliant and suffer a cardholder breach?

Those are common unanswered questions which businesses accepting and processing debit and credit card payments raise, businesses which are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). In recent years a growing number of UK businesses have been taking out cybersecurity insurance, and more pressingly want to know whether their insurance coverage is sufficient to cover the cost of a payment card data breach.

It is not possible to produce a formula or calculator that provides precise payment card breach costs on a per-card-compromised basis, as no two business payment operations are ever the same, and there are just too many factors that can impact the overall cost of a breach. So instead I have put together the following six pointers to aid the estimation of the cost of a payment card breach.

Calculating the Approximate Cost of a Payment Card Breach
1. All payment card data breaches must be investigated by a PCI Qualified Forensic Investigator (PFI). Depending on the technical complexity and scale of the breach, the cost equates to the number of investigator hours and days required; expect to pay around £20,000 to £100,000 for a PFI. It is worth noting that should a business not play ball with the acquiring bank, card brands and card issuers in appointing a PFI, they can remove the business's capability to take card payments altogether, so there is no choice but to dig deep from the outset upon discovery of a data breach.

2. Following the forensic investigation, completion of remediation work and a successful PCI DSS level 1 QSA assessment is required. Remediation work and Qualified Security Assessor (QSA) assessment as a PCI DSS level 1 merchant or processor typically costs up to £100,000, depending on the environment that is in-scope of compliance. This will be a considerable new overhead for environments deemed as PCI DSS level 2, 3 or 4, as these would have previously been self-assessed by the business.

3. The cost per payment card breach is very subjective, however, Verizon's 2015 Data Breach Investigations Report page 30 figure 23, gives a good indication of the "cost per card lost", which I have converted from US dollars.

Optimists should read the left side of the table, pessimists should read the right side of the table.

4. Often there will be a penalty surcharge levied per transaction following a breach, adding an increase to every payment transaction.

5. Reputational damage and the loss of customer and client trust in the business and brand are hard to quantify, but it is worth noting that most cyber insurance policies do not cover any business losses due to reputational damage following a data breach.

6. The Information Commissioner's Office (ICO) regards payment card data as personal information, which means it can impose a fine of up to £500,000 per payment card data breach. For example, in 2015 the ICO fined insurance firm Staysure £175,000 after 5,000 hacked card details were used for fraud.
And from May 2018, when the new GDPR data privacy regulation kicks in, potential data protection fines will ramp up significantly, especially for large enterprises, with fines of up to 4% of the global turnover of the entire business.

So take the worst case breach scenario, namely a compromise of all payment cards ever stored and processed, apply the above costs, and you should have a worst case ballpark figure. If that number doesn't focus minds and incentivise a robust PCI DSS compliance programme and investment in cyber security, nothing will.

Why Passing a PCI DSS Assessment isn't a 'Get out of Jail Free Card'
No business operating in a PCI DSS compliant state is known to have been breached. Passing a PCI DSS assessment does not mean the business is actually PCI DSS compliant, and it certainly is not a 'get out of jail free' card, nor does it carry any weight if a breach occurs. A PCI DSS compliant business is one whose in-scope environment and operations meet every single PCI DSS requirement in a continual state of operation, 365 days a year, 24 hours a day, every single second.