News & Views

Firms get hefty fines for data breaches and violation

Latest research from ISMS.online, the auditor-approved compliance platform, reveals that over the past year more than 99% of UK businesses have received fines for data breaches or violation of data protection rules.

According to the 'State of Information Security' research by the auditor-approved compliance platform, despite hefty fines – the average UK fine for data breaches and violation of data protection rules now amounts to £257,982 – only 19% of businesses cite avoiding fines and penalties as their main motivation for compliance and robust information security.

This year has seen an influx of large-scale breaches, and the UnitedHealth Group ransom attack in April this year is one example of the huge financial impact these breaches can have. This attack alone led to the Change Healthcare platform being suspended; the BlackCat/ALPHV group claimed it stole 6 TB of data, and the incident resulted in a massive $872 million loss.

As data breaches continue to surge, government entities and trade bodies are, in turn, trying to meet these challenges by updating and implementing regulations and compliance mandates. Equally, businesses are prioritising cybersecurity. According to the UK Cybersecurity Breaches Survey 2024, three-quarters of businesses (75%) reported that cybersecurity is a high priority for their senior management, and many organisations have continued to invest either the same amount or more in cybersecurity over the last 12 months. This is in part a response to the perceived increase in the number of cyber-attacks and their sophistication.

“Businesses are failing to recognize that compliance and security come hand in hand, and if they want to protect their information and maintain their custom, meeting regulatory requirements will put them in a good position to do so.  It will also demonstrate their willingness to put their customers and their data first,” says Luke Dash, CEO, ISMS.online.  “Should a breach occur, this should ease any financial repercussions, but will certainly bode well for loyalty and reputation to enable businesses to remain competitive despite any incident and setbacks that may ensue.”

The findings support this: a mere 22% of respondents believe that complying in order to avoid fines and penalties has provided a decent return on their investment in information security compliance programmes. The largest group (32%) cite enhancing their business reputation as a secure, reliable entity as the best ROI.

“The landscape is certainly changing when it comes to compliance and fines.  It is staggering to see that over 99% of businesses have received fines over the past 12 months, yet it seems that these penalties are now seen as a small part of the compliance story,” adds Dash.

“Businesses previously saw compliance as a way to sidestep hefty fines and negative publicity, however as our research shows, competitive advantage, reputation and protecting information are now seen as the main benefits of compliance.”

Positively, businesses do seem to be recognising that building effective information security foundations is essential for compliance, and it is encouraging to see that 45% of the ISMS.online survey respondents noted that their businesses plan to increase their information security budget by up to 25% in the coming year to do so. This provides critical assurances to customers, shareholders and regulators.

ISMS.online's research also found that current compliance processes can be demanding and time-consuming, with over 65% citing that it took between 6 and 18 months to meet compliance with GDPR alone. Similarly, 60% took the same length of time to comply with NIST and ISO 27701, and 57% struggled to meet ISO 27001 and the Privacy Act, needing as much as 18 months to do so. This is just a snapshot of the legislation businesses are facing, and the rising regulatory fines highlighted by the ISMS.online research prove there is still some way to go.