Reducing cyber-attack costs for ecommerce brands in the festive season
UK businesses can reduce cyber-attack costs by up to 75% (£30b) by implementing simple cyber security basics more widely.
This is the view of international insurance intermediary group Howden, which recently revealed that cyber-attacks have cost UK businesses £44bn in the last five years.
Half (52%) of UK businesses, representing 1.3 million private sector companies, have suffered at least one cyber-attack in the past five years, costing on average 1.9% of revenue. Businesses with an annual revenue of more than £100m were the most targeted group, with 74% of those surveyed having suffered a cyber-attack over the past five years.
But SMEs are also at risk, with 49% of those with revenues between £2m and £50m also experiencing a cyber-attack in the same period.
In 2023 alone, the UK Government’s Cyber security breaches survey 2024 revealed that 50% of UK businesses and 32% of UK charities had experienced some form of cyber security breach or attack.
The figures are higher for medium-sized businesses (70%), large businesses (74%) and charities with £500,000 or more in annual income (66%).
Around 560,000 new cyber threats are discovered daily, and SMEs account for 81% of those, with the average cost to remedy an attack being £21,000. The majority of companies that are victims of cyber-attacks do not live to see the end of the year. In fact, 60% of small companies go out of business within six months of a cyber-attack.
For the survivors, the event is a major setback to the business. On average, such an event will set them back £65k. Breaking the figure down, most of it goes on salvaging damaged assets, paying financial penalties and bearing the brunt of business downtime.
Cyber-attack costs for individuals
The Government estimate for the economic cost of cybercrime to UK citizens is £3.1bn per year. This includes:
- £1.7bn per annum for identity theft (similar estimates by CIFAS and the IFSC were £1.7bn and £1.2bn per annum respectively);
- £1.4bn per annum for online scams;
- £30m for scareware and fake anti-virus software (based on data published by Symantec).
The estimate for the economic cost of cybercrime to the Government is £2.2bn per year.
Even with this high-risk factor being well-known, only 22% of UK businesses have a formal cybersecurity incident management plan in place.
In 2024, only 31% of businesses and 26% of charities undertook a cyber security risk assessment/health check, suggesting that many businesses are not adequately prepared for the threat of cybercrime.
Festive spending in the e-Commerce Sector
In the run-up to the festive period, eCommerce remains a desirable – and profitable – target for cybercriminals because of the vulnerabilities which can be exploited in websites.
With many shoppers now preferring to buy online rather than visit a bricks and mortar store, it’s imperative that all business owners have the right cybersecurity in place to protect against malicious bots.
In 2023, American consumers spent around $38 billion online during the Thanksgiving period and that was expected to rise by 8.8% this year. The British Retail Consortium is predicting festive spending in the UK to see a £1.1 billion boost on last year’s sales in the “Golden Quarter” (November to January).
Singles Day (November 11) reigns as the biggest shopping event in China. The extravaganza rose 27% in 2024 to $203.81 billion, per data analytic platform Syntun.
A FedEx survey carried out in October this year gathered responses from 200 small and medium-sized businesses (SMEs) and 300 consumers across 12 APAC markets.
70% of SMEs were expecting year-on-year sales growth this festive season, with nearly 80% forecasting this growth in sales from within Asia—especially from Southeast Asia.
The survey also found more than half (57%) of consumers prefer shopping on e-commerce platforms.
Shoppers lost more than £11 million to cyber criminals during last year’s festive shopping period, with clothing, high-end tech products and cars among the most common products cited, with each victim losing £695 on average.
The latest figures, which come from reports made to Action Fraud and analysed by the National Fraud Intelligence Bureau (NFIB), revealed that 7,168 reports (43%) mentioned a social media platform, with online marketplaces being mentioned in 18.9% of reports.
They also revealed that those aged 30-39 submitted the largest number of reports (23%), closely followed by 40–49-year-olds (20%). The average age of victims was 42.
Bot threats for the eCommerce sector
According to Signal Science (now part of Fastly), the top attack types for eCommerce sites were:
- Account takeover (ATO) 29.8%,
- Bot imposter 24.1%,
- SQL injection (SQLI) 8.2%,
- Cross-site scripting (XSS) 8.7%,
- Backdoor file 6.4%,
- Other 22.8%.
In Asia Pacific (APAC) bad bots accounted for 25.9% of website traffic in 2021. The three most common bot attacks were account takeover (ATO), content or price scraping, and scalping to obtain limited-availability items.
Account takeover (ATO) works in the following way:
- After a third-party breach occurs, username and password pairs are exfiltrated and then posted to public paste sites, sold in bulk or traded on Dark Web marketplaces.
- A threat actor acquires the leaked usernames and credentials.
- The attacker uses automated credential stuffing tools like Sentry MBA to test the stolen credentials against sites with user bases that store high-value data and personally identifiable information (PII).
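The credential-testing step above leaves a recognisable trace in login logs: one source trying many distinct usernames, mostly failing. The detection sketch below is an added example, not part of the original article; the log format, function names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-11-29T10:00:01 203.0.113.7 alice@example.com FAIL
2024-11-29T10:00:02 203.0.113.7 bob@example.com FAIL
2024-11-29T10:00:03 203.0.113.7 carol@example.com FAIL
2024-11-29T10:00:04 203.0.113.7 dave@example.com FAIL
2024-11-29T10:00:05 203.0.113.7 erin@example.com FAIL
2024-11-29T10:00:06 203.0.113.7 frank@example.com OK
2024-11-29T10:01:10 198.51.100.20 grace@example.com FAIL
2024-11-29T10:01:25 198.51.100.20 grace@example.com FAIL
2024-11-29T10:01:40 198.51.100.20 grace@example.com OK
truncated line without enough fields
"""

def parse(log_text):
    """Yield (ip, username, success) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        yield parts[1], parts[2], parts[3] == "OK"

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag sources trying many distinct accounts with mostly failed logins.

    A user mistyping a password hits one account; stuffing tests one leaked
    pair per account, so distinct usernames per source is the key signal.
    """
    users, hits = defaultdict(set), defaultdict(set)
    attempts, failures = defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)   # a leaked pair that worked
        else:
            failures[ip] += 1
    flagged = {}
    for ip, total in attempts.items():
        ratio = failures[ip] / total
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(users[ip]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(hits[ip]),  # force a password reset
            }
    return flagged
```

Accounts listed under `compromised` are the ones where a leaked pair was accepted, so they are the priority for session revocation and password reset.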
There is a higher risk this year for eCommerce from two new technologies, driven by current trends and powerful economic forces.
Generative AI (GenAI)
AI has become a powerful new weapon for cybercriminals, with a PwC report, in collaboration with Stop Scams UK, published last December finding that identifying the scale of AI use by scammers was proving difficult.
Analysis reveals scraping is now one of the top five most popular attacks – and the fastest growing – for all industries, increasing 432% in Q2 over Q1 2023.
GenAI is being used to:
- Evolve simple scrapers into account takeover class infrastructure;
- Increase the number of commercial scraper services.
Cybercrime-as-a-Service (CaaS)
More concerning is the growing rise of cybercriminals offering a service deploying bots and unleashing attacks that cause trillions of dollars in damages.
The availability of these services enhances the efficiency and reach of cyber threats, posing a tangible and immediate risk to the security of online transactions, customer data, and overall operations.
Glaring lack of security measures in UK business
Although the growing threat posed by cyberattacks is well-known, take up of even the most basic cybersecurity measures remains low. This highlights a critical cybersecurity knowledge gap within UK business, and SMEs in particular, many of whom think they’re not a likely target for cybercriminals.
Currently only 61% of businesses are actively using antivirus software and 55% are employing network firewalls. Organisations cite a number of obstacles to improving their cyber security, including cost (26%), insufficient knowledge (26%) and lack of internal IT resource (22%).
Cost savings for UK business with cybersecurity
Howden estimates UK business could reduce cyber-attack costs by up to around 75%, a saving of around £3.5m across a 10-year period, equating to a 25% return on investment (ROI).
Sarah Neild, Head of UK Cyber Retail, said: “Cybercrime is on the rise, with malicious actors continuing to take advantage of cybersecurity vulnerabilities, particularly as firms become ever reliant on technology for their operations.
“UK businesses are currently losing a significant amount of revenue to cyber-attacks, and the insurance industry is crucial to strengthening resilience and raising awareness of the security measures needed to help businesses protect their operations,” she added.
Cyber security needn’t be a daunting challenge for small business owners. The UK’s National Cyber Security Centre (NCSC) has plenty of guidance for SMEs on how to improve their cyber resilience including a Small Business Guide.
Dedicated tools will also help mitigate against malicious bots. Veracity’s Bot Protection Suite is an Artificial Intelligence (AI)-powered, patented solution to stop malicious attacks, data theft, ad click fraud and more.
It works by using Machine Learning (ML) and AI at ultra-fast speed, to identify bot traffic, intelligently using this information to detect behavioural patterns and protect against potentially malicious bots.
Our award-winning bot protection suite helps businesses mitigate against the risks, reduces wasted spend, improves customer experiences, and provides deep reporting insight into your system’s true performance.