99% of UK businesses fined for data breaches, study finds

More than 99% of UK businesses were fined for data breaches or violations of data protection rules over the last year, according to research conducted by ISMS.online. The findings shed light on the increasing complexity of legislation and the challenges businesses face in meeting compliance requirements.

Over the past year, the average fine for UK businesses rose to GBP £257,982. This comes amid a wave of significant breaches, including the ransom attack on UnitedHealth Group in April, which resulted in the suspension of the ChangeHealthcare platform and a claim from the BlackCat/ALPHV group that it stole 6 TB of data, leading to a financial loss of USD $872 million.

Despite an uptick in breaches, businesses and government entities are addressing these challenges by implementing updates to regulations and compliance mandates. According to the 2024 UK Cybersecurity Breaches survey, 75% of businesses report that cybersecurity is a high priority for senior management, with many continuing to invest the same amount or more in cybersecurity over the past year.

ISMS.online's survey, which included 502 information security professionals in the UK, found that despite continued investment, many businesses are still encountering data breaches. Only 19% of businesses cited that their main motivation for compliance and robust information security is to avoid fines and penalties. Increased customer demand (34%), protecting business information (33%) and remaining competitive (30%) were identified as the top motivations for compliance.

Luke Dash, CEO of ISMS.online, commented, "Businesses are failing to recognise that compliance and security come hand in hand, and if they want to protect their information and maintain their custom, meeting regulatory requirements will put them in a good position to do so. It will also demonstrate their willingness to put their customers and their data first. Should a breach occur, this should ease any financial repercussions, but will certainly bode well for loyalty and reputation to enable businesses to remain competitive despite any incident and setbacks that may ensue."

According to the survey, only 22% of respondents believe that complying to avoid fines and penalties provided a decent return on investment in information security compliance programmes. The majority, 32%, indicated that enhancing their business reputation as a secure and reliable entity was the best return on investment.

The landscape of compliance and fines is indeed shifting. Despite more than 99% of businesses incurring fines over the past 12 months, these penalties are becoming just one part of the broader compliance story. The findings suggest that competitive advantage, reputation, and information protection are now seen as the primary benefits of compliance.

Positively, businesses appear to be recognising the importance of building effective information security foundations. According to the ISMS.online survey, 45% of respondents reported that their businesses plan to increase their information security budget by up to 25% in the coming year. This commitment provides critical assurances to customers, shareholders, and regulators.

The survey also highlighted the demanding and time-consuming nature of current compliance processes. Over 65% of respondents reported that it took between 6-18 months to comply with GDPR. Similar proportions took as long to meet requirements for NIST, ISO27701, ISO270001, and The Privacy Act.

Warwick Tams, Head of Sales at Alcumus ISOQAR, stated, "There are solutions now that can streamline and automate these conformity audits, reducing manual tasks and enabling successful audit engagements. Being able to eliminate the frustration of sorting through diverse and complex systems and making audits more straightforward could be the difference between saving thousands or losing hundreds of thousands and your reputation to boot."