Small real estate firms lose more than £125 million annually to cyberattacks, making the sector the UK’s second most financially affected, according to new research.
The study, conducted by money.co.uk, analysed government cyber breach data, which indicates that cyberattacks now cost small and micro UK businesses a combined estimated total of £921.2 million each year.
To help businesses safeguard themselves, the finance experts at money.co.uk have identified the industries most at risk and shared practical tips for small businesses to reduce their exposure to cybercrime.
Estimated cost of cyberattacks on small businesses by sector:
|
Rank |
Industry sector |
Businesses that identified breaches or attacks in the last 12 months✝ |
Number of micro & small businesses |
Estimated attack prevalence |
Estimated annual cost |
|
1 |
Professional, scientific, or technical |
55% |
183,435 |
100,889 |
£152.3m |
|
2 |
Administration or real estate |
48% |
173,725 |
83,388 |
£125.9m |
|
3 |
Construction |
40% |
191,555 |
76,622 |
£115.7m |
|
4 |
Retail or wholesale |
32% |
238,285 |
76,251 |
£115.1m |
|
5 |
Information or communications |
69% |
73,280 |
50,563 |
£76.4m |
|
6 |
Utilities or production |
48% |
87,805 |
42,146 |
£63.6m |
|
7 |
Food or hospitality |
30% |
139,515 |
41,855 |
£63.2m |
|
8 |
Entertainment or service |
42% |
95,740 |
40,211 |
£60.7m |
|
9 |
Health or social care |
41% |
58,195 |
23,860 |
£36.0m |
|
10 |
Transport or storage |
35% |
45,020 |
15,757 |
£23.8m |
|
11 |
Finance or insurance |
48% |
22,800 |
10,944 |
£16.5m |
In second place are the administration and real estate sectors. These industries rely heavily on digital invoicing and project management platforms. That dependency can create weak points, exposing firms to invoice fraud, phishing, and ransomware.
Government data shows that 85% of all reported breaches involve phishing attacks, making these firms particularly vulnerable as they juggle multiple stakeholders, subcontractors, and hybrid operations.
Further Study Insight: Nearly half – 48% – of real estate firms experienced a cyber breach in the past year, making it the UK’s third most-targeted sector.
Joe Phelan, money.co.uk business bank accounts specialist, said: “Cyberattacks continue to pose a serious risk, particularly for smaller businesses, as the data shows average costs to micro and small firms have risen by more than 90% in the last 12 months. No business is too small or too large to be a target – all need to take steps to protect themselves against cyberattacks and plan for any incidents.
“That means building cyber awareness into everyday operations by prioritising measures like staff training, regular software updates, and early detection systems that flag unusual activity. It’s also crucial to plan for the potential financial impact of an attack or being forced to close temporarily due to a threat.
“You can be better prepared to cover any unexpected costs or financial losses by building a financial buffer in a high-interest, instant-access business savings account. Having this financial safety net in place allows you to continue operating confidently and have a pot to draw on for investing in better cybersecurity over time as well.
“Using a dedicated business bank account also offers preventative protection. For example, many banks offer business accounts with built-in fraud prevention tools, such as Positive Pay controls, which verify outgoing checks against your company’s list of issued checks. Features like this can help you spot and block fraudulent transfers early, reduce the chance of account takeover, and limit the losses from hacks.
“Proactive planning, both technically and financially, gives businesses the best chance of recovering quickly and minimising the long-term impact of cyber breaches.”
The reported figure of £125.9 million for annual losses in the “Administration or real estate” sector is subject to scrutiny due to methodological issues and potential commercial bias:
1. Overbroad Sector Aggregation: The most significant flaw is the grouping of “Administration” with “Real Estate.” The administration sector includes a vast range of small firms (e.g., outsourced legal services, data processors) that handle highly sensitive information and may naturally have a higher frequency and cost of cyber incidents. By lumping them together, the study significantly inflates the total financial impact and risk perception specifically attributed to typical real estate agencies.
2. Ambiguous and Inflated Cost Methodology: The “estimated annual cost” figure is derived from analysing government cyber breach data. These cost estimations typically include highly subjective, non-financial components like “reputation damage,” “lost staff time,” and “business interruption.” These indirect costs are often calculated using worst-case scenarios and lack precise auditing, making the final aggregate cost figure inherently high and potentially unrealistic for smaller, successful breach recoveries.
3. Counter-Intuitive Rankings: The data’s calculation method is questionable, as it ranks the Finance or insurance sector (which deals with high-value transactional data) with the *lowest* estimated annual cost (£16.5m). This suggests the methodology used to translate breach prevalence into financial loss is inconsistent or fails to capture the true financial exposure of high-risk sectors, undermining the credibility of the ranking.
4. Commercial Incentive Bias: The report was conducted by money.co.uk, a financial service comparison site. The resulting advice focuses on the need for businesses to “build a financial buffer in a high-interest, instant-access business savings account” and use “dedicated business bank accounts” with fraud tools. This provides a strong indication that the alarmist headline figures are designed to function as fear-based marketing to drive small businesses toward specific financial products and services.
You must be logged in to like or dislike this comments.
Click to login
Don't have an account? Click here to register