As resilience is mandated by a growing number of regulations, how can every organisation do their part?
By Kate O’Flaherty
Businesses across the UK are dealing with a sobering issue: Cyber-attacks are now having a measurable impact on GDP. Reports from the UK’s Cyber Monitoring Centre (CMC) and ONS suggest the Jaguar Land Rover (JLR) hack dented GDP growth, with the economy expanding by just 0.1% in the quarter from July to September as car production was dragged to a 73-year low.
Significant cyber incidents cost the UK economy £14.7 billion annually (~0.5% of GDP), and IP-related attacks alone could cost up to £8.5 billion, according to research from the Department for Science, Innovation and Technology and Alma Economics.
If single large incidents such as the JLR attack can measurably affect GDP, the cumulative effect of thousands of smaller attacks is likely to be even greater. It’s a concerning picture that reframes cybersecurity as a systemic economic risk, beyond business and IT.
As resilience is mandated by an increasing number of regulations, how can every organisation do their part to minimise the impact of cyber-attacks on the UK economy?
The Cost Impact
The ONS figures are new, but the cost impact was always there. Every time a data ransom is paid, or a company is defrauded, the impact is around five times the value in lost opportunities and recovery costs, Harry Mason, head of client services at managed IT service provider Mason Infotech, tells IO.
He cites the JLR breach as an example. “The attack halted production for several weeks, creating a huge backlog to clear once they were back up and running. This was also compounded by reputational damage from press coverage and loss of trust from consumers.”
Although for SMEs, the associated cost from cyber-events may be smaller, it is “no less damaging” and can ultimately result in businesses going under, he warns.
Today, modern ransomware, business-email compromise, cloud misconfiguration attacks and data-theft campaigns result in “longer recovery times and higher remediation costs”, Dominic Carroll, director of portfolio at e2e Assure, tells IO. “Attackers also increasingly destroy backups or sit dormant until log retention windows have passed, meaning organisations can’t easily reconstruct what happened or recover cleanly, thereby further prolonging business disruption.”
The high-profile attacks against the UK this year have revealed just how critical these organisations are to the economy, says Carroll. “We simply can’t afford to lose that kind of productivity, nor rely on government bailouts,” he warns.
One of the biggest knock-on effects on the wider economy is related to investment. In an already risk-averse marketplace, attracting investors is going to be even more difficult if there’s a threat of being halted by a cyber-attack or other IT-related downtime, says Mason. “For individual businesses, this means they need to be 100% focused on ensuring they have a security strategy in place to attract customers and investors – and keep existing ones.”
Cyber Resilience and Compliance Frameworks
In this challenging economic environment, cyber resilience and compliance frameworks such as ISO 27001, Network and Information Systems 2 (NIS 2) and Cyber Essentials are more important than ever for all businesses.
Frameworks such as these provide structured guidelines and best practices to help organisations identify, manage and reduce the impact of cyber risks, says Emma Hastings-Bray, legal director at Blacks Solicitors.
Adoption can also demonstrate a business’s commitment to compliance and accountability to its customers, partners, boards and regulators. “The frameworks can assist with ensuring that cyber resilience is embedded at board-level, as well as providing measurable metrics to assess performance and meet UK data protection requirements,” adds Hastings-Bray.
These regulations are especially key because they focus on the supply chain – an important factor in shoring up national security, says Carroll.
He points out that NIS2 now requires entities in scope to risk-assess critical supply chains. Meanwhile, the US has seen the introduction of Cybersecurity Maturity Model Certification (CMMC 3.0), which will mandate security in the supply chain for all Department of Defence contracts from October 2026.
Closer to home, the Cyber Security and Resilience Bill formalises supply chain security for in-scope organisations, says Carroll.
Structured Resilience Planning
As cyber-attacks threaten to further dent GDP, structured resilience planning will help to reduce the cumulative impact.
Among the benefits, structured resilience planning ensures organisations can “break the cycle of economic drag” caused by cyber-attacks, says Carroll. “When companies routinely validate their detection coverage, run attack simulations and hard-wire rapid containment into their operations, incidents stop becoming week-long outages and turn into short-lived disruptions. That shift alone removes a huge amount of lost output from the economy.”
Structured resilience planning can help “soften the economic blow” of cyber-attacks by preventing incidents from spiralling into long disruptions, agrees Kerry Parkin, founder of The Remarkables. “When organisations plan for both the technical and communication response, they recover faster.”
As part of this, a clear comms strategy “helps leadership act quickly, keeps people informed and prevents the confusion that damages confidence across supply chains”, she says.
The National Resilience Picture
With cybersecurity and compliance on the national agenda, every firm’s effort matters in the wider resilience picture.
Businesses often assume they are too small to matter, but “one weak link can expose an entire network”, Parkin points out.
With this in mind, building basic cyber hygiene, having a rehearsed comms plan, and being honest about vulnerabilities strengthen the organisation – as well as the wider economy, she says.
Regulation already mandates that businesses must recognise the threats posed by cyber-attacks and be prepared. For example, under UK data protection law, all organisations are legally required to implement appropriate measures that protect personal data, says Hastings-Bray. “Resilience should be a priority for every business, from assessing supply chains and completing due diligence, through to training internal security champions and delivering regular staff education.”
The economic downside associated with cyber-attacks is certainly a motivating factor for businesses. However, as a collective, there is still “huge work to be done” to ensure everyone is taking security seriously, says Mason. “This is particularly important for those in a position of leadership, as they have the ability to make changes and also ensure that buy-in filters down through the business.”