How cyber-savvy are UK SMEs?
With so many cybercrimes against UK organisations reported during the last year, it is no surprise that concern among business owners is growing. To gauge the impact this rising threat is having on small businesses in the UK, we conducted a survey asking 500 SME owners their thoughts on the matter, as well as the challenges they are currently facing when it comes to cybersecurity.
UK SMEs' top cyber security concerns for the future
The survey discovered that three-quarters of UK SMEs are currently concerned about the cyber security of their business, but what is it exactly that concerns them?
The clear front runner according to the respondents was the increasing sophistication of cyber threats, with over six in ten stating this as a top concern. With the advancement of AI (Artificial Intelligence) technology, cyber criminals are discovering opportunities to use and exploit silicon-powered assistants to syphon data their way. According to a report by the National Cyber Security Centre, “AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations.” This introduces a new level of cyber threat, particularly for smaller businesses that may not have the software to mitigate against attacks of this sophistication. When asked about AI in the context of cyber security specifically, 63% of UK SME owners said they were concerned about the rise of AI.
The second biggest cyber security concern for SMEs in the UK was “securing remote work environments”, with 23% selecting this. Many UK businesses now offer a remote or hybrid working model - and while this flexibility is celebrated by employees, for the most part, it does introduce security issues when it comes to keeping data safe. In fact, the survey data showed that 69% of UK SME owners do not have a cyber security policy in place for remote workers.
When those with remote workers were asked how they ensure the security of remote workers or employees accessing company data from outside the office, the majority (52%) said they use virtual private network (VPN) access. Meanwhile, 48% train their employees on secure remote work practices and 46% have remote access policies and controls in place.
The top cyber security concerns for UK SME owners in the future
| Cyber security concerns for the future | Respondents (%) |
|---|---|
| Increasing sophistication of cyber threats | 62% |
| Securing remote work environments | 23% |
| Ransomware and other forms of malware | 22% |
| Emerging technologies and their security implications (e.g. AI, blockchain) | 21% |
| Insufficient budget/resources for cybersecurity | 19% |
| Vulnerabilities associated with third-party vendors and suppliers | 19% |
| Compliance with data protection regulations (e.g. GDPR, CCPA) | 18% |
| Employee negligence or lack of awareness | 17% |
| Hybrid working environment | 17% |
| Growing reliance on connected IoT (Internet of things) devices | 10% |
Many SME owners are leaving their businesses vulnerable to attacks
Despite the increased potential for cyber-attacks and the concern felt among the UK SME community, our survey provided evidence that some businesses are putting themselves and the data they use at genuine risk.
Almost four in ten (37%) of UK SME owners said that they are not aware of their legal obligations in respect to data protection and privacy regulations, such as GDPR (General Data Protection Regulation). Aside from the level of data security and protection that following such regulations brings to your organisation, the fines for not following GDPR are eye-watering: the Information Commissioner can issue a maximum fine of £17.5 million or 4% of a company's total annual worldwide turnover in the preceding financial year, whichever is higher.
Just as worrying is the statistic that nearly half of SME owners (49%) wouldn't know what to do in the event of their business suffering a cyber-attack. This lack of cyber security knowledge could go some way towards explaining figures that show holes in cyber security practices at many UK firms, leaving them open to data breaches in the future. For instance, 42% of those asked reported that they fail to regularly change passwords on their work devices, such as their laptops and phones.
As we've discussed, too many passwords are chosen based on how easy they are to remember, so a stolen laptop, mobile phone, or data stick full of poorly protected data is a potentially dangerous asset in the wrong hands.
Meanwhile, nearly four in ten UK SME owners have failed to implement any kind of encryption whatsoever for sensitive data stored on the systems used by their business. Data encryption is a vital tool against data theft. It converts readable data into an unreadable format called ciphertext, using an encryption algorithm and a secret key, so if a cybercriminal accesses the data, it will be unintelligible to them without the key. So, as a form of data protection it is incredibly robust, but only if it's implemented in the first place and vigorously maintained as part of a data protection regime.
However, 24% of those we spoke to admitted that data encryption was a challenge to implement or maintain, while the most challenging cyber security measure for many (47%) was simply keeping up with the newest and evolving threats and tactics.
The most challenging cyber security measures to implement or maintain in business
| Cyber security measures | Respondents (%) |
|---|---|
| Keeping up with new/evolving threats and tactics | 47% |
| Securing remote workers' devices | 41% |
| Regular software updates and patches | 40% |
| Backing up data regularly | 32% |
| Implementing multi-factor authentication | 31% |
| Access controls and user privileges management | 27% |
| Incident response planning and management | 25% |
| Data encryption | 24% |
| Compliance with cybersecurity regulations | 22% |
| Employee cybersecurity training and awareness programmes | 21% |
Prevention and protection against cyber attacks
Even with the challenges and concerns, many UK SMEs are at least taking some proactive measures to prevent cyber-attacks: 72% have invested in antivirus/anti-malware software, nearly seven in ten make sure they regularly update their system software and 53% are keeping their IT systems up to date.
How UK SMEs are facing up to the cyber threat
| Measures in place to prevent cyber attacks | % of SMEs with these in place |
|---|---|
| Have antivirus/anti-malware software | 72% |
| Regularly update system software | 69% |
| Keep IT systems up to date | 53% |
| Use multi-factor or two-factor authentication | 52% |
| Email filtering for spam and phishing emails | 49% |
| Staff training | 49% |
| Have a firewall | 47% |
| Secure Wi-Fi networks | 46% |
| Conduct regular data backups | 46% |
| Data encryption | 44% |
| Encourage employees to update passwords | 35% |
Despite this data underlining why SMEs should ensure they have an insurance policy in place which will protect them in the event of a cyber-attack or data loss, the survey found over half (53%) of UK SME owners failed to have cover of this kind in place.
Markel Direct are leading providers of business insurance, specialising in insurance for the self-employed and for SMEs. Make sure your business is protected by getting a tailored business insurance quote today.
Methodology
Data on the number of fraud and computer misuse offences referred to the National Fraud Intelligence Bureau (NFIB) by Action Fraud, by police force area, as well as survey data about the impact on victims of cyber fraud, was collected from the Office for National Statistics.
Data on the number of data breaches per sector was collected from the Information Commissioner's Office.
The impact and cost of all cybercrime and breaches to business in the UK as a total was taken from the Cyber Security Breaches Survey 2024.
Organisation cybercrime statistics in the UK were collected from the NFIB dashboard. Filters for "Type of Victim: organisation" and "Fraud or Cyber Crimes: cybercrime" were used, and the data was taken between May 1st 2023 and April 30th 2024. The dashboard is rolling and can be found on the ArcGIS dashboard.
Data limitations specified on the dashboard include:
- Data is based on victim selection during the reporting process and this has not been verified.
- Losses are based on loss amounts as reported in Action Fraud recorded crimes and these have not been verified. Where possible, efforts have been made to review losses reported in excess of £500k but further investigation may be required to determine if loss amounts are a true reflection of the financial impact of the reported crime.
- Extreme outliers have been removed to limit data skew.
- All percentages have been rounded to the nearest whole number.
The top most-used password data was collected from NordPass.
Data on how long it takes to crack a password using ChatGPT hardware was taken from Hive Systems.
The survey was conducted in May 2024 using Pollfish and included 500 UK-based SME owners with businesses with an annual turnover or balance sheet total less than or equal to €50 million or €43 million and classed as an SME (approx. £42.5 million or £36.6 million).