The true extent of cybercrime on the self-employed and SMEs

The true extent of cybercrime on the UK's self-employed and SMEs, revealed!

Cybercrime continues to rise across the globe, with the UK alone losing billions of pounds a year to fraud and online attacks.

Unfortunately, this type of criminal activity is always evolving and cyber criminals are known to exploit real-world changes or trends that affect online behaviour. The COVID-19 pandemic is one event that has altered people’s online behaviour, as well as the working practices and priorities of many businesses. In many cases, this has resulted in defences against cyber threats being lowered.

While you may associate online attacks with large corporations, in actual fact, businesses of every size are being targeted by this kind of crime. Self-employed workers and small to medium sized businesses (SMEs) are no exception. From hacking extortion, to malware infection, to phishing scams, there are a wide range of cyber-attacks that can pose a threat to these entities.

In this blog post, we explore the issue of cybercrime and its impact on the self-employed and SMEs in particular. We polled 1,000 self-employed workers and SME owners to learn more. Here’s what we found.

The average cost of a cyber-attack on a small business

When big brands, such as Facebook, Spotify and British Airways, as well as public bodies including the NHS and local authorities, are hit by online criminal activity, it often makes headline news. However, just because attacks on SMEs and the self-employed aren’t as widely reported doesn’t mean they’re not happening.

In fact, our survey found that 51% of SMEs have been the victim of cyber security breach, with the most common attack being a malware/virus breach (24%), followed by a data breach (16%), and phishing attack (15%). As a specialist insurer, we know first-hand the impact these breaches can have on small businesses. Not only do they affect the security of a business’ data, but they can also have financial repercussions.

For example, malware encrypting business-critical devices (such as laptops) can lead to an interruption to trading, directly impacting a business’ income. Or, employees being duped into providing usernames or passwords by phishing emails can result in cyber criminals gaining unauthorised access to confidential data, which can lead to legal defence costs and an investigation by the ICO. Cyber insurance can help protect your business against such scenarios, including the costs involved with restoring data and equipment, as well as legal costs and damages you are legally liable to pay other parties.

Of those polled, 53% of SMEs and self-employed workers said the attacks had impacted them financially, with over two thirds (68% ) reporting the cost of the breach was up to £5,000.

Approximate cost of a cyber-security breach

Cyber security measures by small businesses

Of those polled, 88% of businesses had at least one form of cyber security in place (such as antivirus, firewalls or multi-factor authentication), with 70% feeling fairly confident or extremely confident in their cyber security arrangements.

One of the main reasons for organisations not having cyber security measures in place was due to a perception of them being ‘unnecessary costs’, with 26% of respondents stating that this was why they had not implemented any within their business. However, it is important for businesses of any size to carefully consider why having such arrangements in place is vital to prevent breaches and hacks.

Developing an IT security policy is a vital step for businesses to take in protecting against cybercrime, and should include procedures around protection of confidential data, management of employee access rights and a response plan to a ransomware attack. The Markel Law hub, our legal document hub with over 1,200 DIY legal templates and guidance, has a number of guides to help implement this in your business.

Of those who have cyber security measures in place, 31% said they conducted risk assessments and internal/external audits on a monthly basis. 53% of respondents said they already have antivirus/malware software in place, while 48% said firewalls and secure networks were other measures they had taken. Taking precautionary measures like this can help prevent cyber-security attacks from happening in the future.

A  further 21% had arranged cyber insurance as a way to protect their interests in the event of a breach or threat. Whilst a relatively small businesses appear to be arranging cyber cover, the benefits of insuring against targeted cyber-attacks is significant. The cost of informing clients of a data breach, restoring equipment or meeting ransom demands can be eye-wateringly high and would see a business have to meet these costs themselves, if they don’t have cover in place.

Additionally, having access to a cyber response helpline that provides advice from cyber security specialists in the event of a breach can be invaluable. It can be difficult to know where to turn following a cyber-attack, and having experts lend their technical knowledge and experience can help to bring the incident to an end as swiftly as possible. Access to 24 hour cyber response helplines are available through various cyber security providers, or included as standard when you arrange cyber insurance with Markel Direct.

We also asked respondents how much they are willing to spend on cyber security each month, with 28% saying they would spend up to £50.00 per month and just 11% respondents saying they wouldn’t spend anything on cyber-security.

As mentioned, our survey found that malware breaches represented the most common cyber-attack experienced, which is why it is so important for businesses to ensure that the appropriate measures are in place. Take a look at our guides to cyber security for help on protecting your business.

UK cybercrime reports and losses

To understand the effect cybercrime has on all types of business across the UK, we used secondary research from the National Fraud Intelligence Bureau (NFIB) to allow us to understand the full extent of cybercrime on the nation’s businesses.

Crime Type

Cybercrime Reports vs Losses by Type

To compare the number of cases reported by cybercrime type to the reported losses amount (£), ‘Hacking social media and email’ had the highest number of reported cases, with a reported loss total of £5,900,000. 

Although the number of reported malware/spyware cases was much lower at 415, the reported losses from October 2020 to 2021 remained high at £1,200,000. Other crime type cases that had reported losses include hacking PBX/dial through which saw 115 reported cases with reported losses of £172,200, and server hacking with 297 reported cases with losses of £98,000.

Organisations most affected

Cybercrime Reports vs Losses by Organisation type

Using the same research from the NFIB, we found that limited companies (large and small) had the highest number of reported cases, with 69% of total reported cases totalling £6,166,860. The second highest reported losses came from limited liability partnerships (LLP) at £511,300 from 96 reported cases.

Sole traders had 188 reported cases with reported losses of £185,650, while charities had reported losses of £735 from 164 reported cases. But what can these affected organisations do to prevent cybercrime moving forward?

 Organisations should:

  • Ensure that they have antivirus software installed on all devices
  • Make sure firewalls are properly configured to shield your network and computers from cyber-attacks
  • Consider multi-factor authentication to prevent unauthorised access
  • Arrange cyber insurance to cover the costs involved with a cyber-attack
  • Conduct training in data protection and cyber security for all staff

 Cybercrime by UK region

Given cybercrime’s impact on UK businesses, we wanted to find out which region was affected the most.

Unsurprisingly, London was the area that was most affected by the number of cybercrime reports in the UK, with a total of 580 cases reported costing £1,083,100. Whilst London saw the most reported cases, surprisingly businesses in Wales were the most affected financially with just 65 cases totalling £4,150,300.

The Eastern region of the UK was the second most affected with 338 reported cases totalling losses of £282,900. Meanwhile, the South West had 278 reported cases, with reported losses of £351,800.

Cyber criminals are likely to consider the self-employed and SMEs as easy targets, given large businesses have the resources to invest millions into network security. SMEs and the self-employed who become targets of a cyber-attack can end up facing financial and operational consequences, of which some may never recover from.

The importance of cyber security and cyber insurance

As cybercrime continues to evolve, taking the proper precautionary measures has never been more important. Large corporations, SMEs, and self-employed workers all need to ensure that the risk of a cyber-attack is reduced by implementing cyber security arrangements that will prevent breaches and threats from taking place. For further guidance on how to implement cyber security measures in your business, take a look at the Markel Law Hub’s Cyber Security resources (included as standard with all Markel Direct policies).

Businesses should also ensure that they have suitable cyber insurance policies in place. From a targeted attack that wipes business-critical data to the theft of personally identifiable client information, cyber insurance can protect against the legal defence costs (as well as damages a business may be liable to pay other parties), the cost of informing clients of a data breach and restoring data and equipment should the worst happen. Get an online quote now and you can protect your business in minutes.

Though the costs of cyber security and insurance may seem unnecessary to some businesses, the true cost of reported losses across the UK that we have highlighted in this post shows the financial and operational effects it can have.

Does your business have cyber security measures in place? Have you been held to ransom by hackers? Let us know by joining in the conversation on social using #SMEcybercrime.


All figures quoted in sections headed ‘The average cost of a cyber-attack on a small business’ and ‘Cyber security measures by small businesses’ based on an independent survey of 1,000 self-employed and small business respondents conducted in August 2021.

All figures quoted in sections headed ‘UK cybercrime reports and losses’, ‘Organisations most affected’ and ‘Cybercrime by UK region’ based on data from the National Fraud Intelligence Bureau (NFIB) for the Period 1st October 2020 – 25th October 2021.

Business insurance from £5 a month