One in five businesses in the UK has fallen victim to a cyberattack in the past 12 months, with larger firms considered a juicer quarry for hackers than their smaller counterparts, according to a new report released this week by the British Chambers of Commerce (BCC).

The powerful business network, which surveyed over 1,200 firms in January of this year, found that 20% had been hit by a cyberattack in the past 12 months. The majority of the firms in the study were small-to-medium companies. A total of 22% operated in the manufacturing sector with the remainder in the services sector.

The results found UK firms are most reliant on third-party IT providers (63%) to resolve issues after an attack, compared to banks and financial institutions (12%) or police (2%).

Interestingly, over a fifth of respondents said cybercrime prevented their company from growing.

"Cyberattacks risk companies' finances, confidence and reputation, with victims reporting not only monetary losses but costs from disruption to their business and productivity," said Dr Adam Marshall, director general of the British Chambers of Commerce, in a statement.

He continued: "While firms of all sizes – from major corporations to one-man operations – fall prey to attacks, our evidence shows that large companies are more likely to experience them.

"Businesses should also be mindful of the extension to data protection regulation coming into force next year, which will increase their responsibilities and requirements to protect personal data.

"Firms that don't adopt the appropriate protections leave themselves open to tough penalties."

From May 2018, all firms handling personal data will have to ensure they are compliant with the new General Data Protection Regulation (GDPR) legislation. They could be hit with fines of up to 4% of annual revenue if found guilty of misusing customer data or failing to report data breaches.

The BCC survey found a quarter (24%) of businesses surveyed had cybersecurity accreditations – certificates earned by those who pass satisfactory training and meet government standards. One major scheme in the UK is called "Cyber Essentials" and is needed to receive state contracts.

Over the past two years there has been a spike in cyberattacks hitting big-name companies, from Tesco Bank to TalkTalk. However according to John Madelin, chief executive of Reliance ACSN, the findings from the BCC were unsurprising.

"A cyberattack can mean anything from an entry-level phishing scam – which targets every business large or small – to sophisticated and targeted high-impact attacks, and everything in-between," he said. "There is a distinct lack of knowledge on how organisations can protect themselves."

Madelin said there needs to be a "culture shift" in the relationship between industry and government. "The current security systems that many organisations use to hold people's data, like retailers and banks, just aren't being managed in the right way," he asserted.

The BCC is an independent business network and regularly issues reports and commentary about the UK economy, drawing on a network that represents business interests in Westminster and Brussels. On its website, it boasts accredited chambers in every region of the UK.

Tips on how to stay secure from security firm Tripwire:

  • Start by understanding the risk you have. You have to conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. The attackers will be doing the same.
  • Don't ignore the simple, best practices. Keep software up to date, apply security patches, change passwords, and make sure terminated employees and contractors don't have access. This security hygiene goes a long way to making the attackers' job more difficult.
  • Train your employees on how to recognise a scam. Much of cybersecurity is about human nature and social engineering. Training must be ongoing because the attackers change their tactics.