How cyber-savvy are UK SMEs?

With so many cybercrimes against UK organisations reported during the last year, it is no surprise that concern among business owners is growing. To gauge the impact this rising threat is having on small businesses in the UK, we conducted a survey asking 500 SME owners their thoughts on the matter, as well as the challenges they are currently facing when it comes to cybersecurity.

UK SMEs' top cyber security concerns for the future

The survey discovered that three-quarters of UK SMEs are currently concerned about the cyber security of their business, but what is it exactly that concerns them?

The clear front runner according to the respondents was the increasing sophistication of cyber threats, with over six in ten stating this as a top concern. With the advancement of AI (Artificial Intelligence) technology, cyber criminals are discovering opportunities to use and exploit silicon-powered assistants to syphon data their way. According to a report by the National Cyber Security Centre, “AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations.” This introduces a new level of cyber threat, particularly for smaller businesses that may not have the software to mitigate attacks of this sophistication. When asked about AI in the context of cyber security specifically, 63% of UK SME owners said they were concerned about the rise of AI.

The second biggest cyber security concern for SMEs in the UK was “securing remote work environments”, with 23% selecting this. Many UK businesses now offer a remote or hybrid working model - and while this flexibility is celebrated by employees, for the most part, it does introduce security issues when it comes to keeping data safe. In fact, the survey data showed that 69% of UK SME owners do not have a cyber security policy in place for remote workers.

When asked how they ensure the security of remote workers or employees accessing company data from outside the office, the majority (52%) of those with remote workers said they use virtual private network (VPN) access. In addition, 48% train their employees on secure remote work practices and 46% have remote access policies and controls in place.

The top cyber security concerns for UK SME owners in the future

| Cyber security concerns for the future | Respondents (%) |
|---|---|
| Increasing sophistication of cyber threats | 62% |
| Securing remote work environments | 23% |
| Ransomware and other forms of malware | 22% |
| Emerging technologies and their security implications (e.g. AI, blockchain) | 21% |
| Insufficient budget/resources for cybersecurity | 19% |
| Vulnerabilities associated with third-party vendors and suppliers | 19% |
| Compliance with data protection regulations (e.g. GDPR, CCPA) | 18% |
| Employee negligence or lack of awareness | 17% |
| Hybrid working environment | 17% |
| Growing reliance on connected IoT (Internet of Things) devices | 10% |

Many SME owners are leaving their businesses vulnerable to attacks

Despite the increased potential for cyber-attacks and the concern felt among the UK SME community, our survey provided evidence that some businesses are putting themselves and the data they use at genuine risk.

Almost four in ten (37%) of UK SME owners said that they are not aware of their legal obligations with respect to data protection and privacy regulations, such as GDPR (General Data Protection Regulation). Aside from the level of data security and protection that following such regulations brings to your organisation, the fines for not following GDPR are eye-watering: the Information Commissioner can issue a maximum fine of £17.5 million or 4% of a company's total annual worldwide turnover in the preceding financial year, whichever is higher.

Just as worrying is the statistic that nearly half of SME owners (49%) wouldn't know what to do in the event of their business suffering a cyber-attack. This lack of cyber security knowledge could go some way towards explaining figures that show holes in cyber security practices at many UK firms, leaving them open to data breaches in the future. For instance, 42% of those asked reported that they fail to regularly change passwords on their work devices, such as their laptops and phones.

As we've discussed, too many passwords are chosen based on how easy they are to remember, so a stolen laptop, mobile phone, or data stick full of poorly protected data is a potentially dangerous asset in the wrong hands.

Meanwhile, nearly four in ten UK SME owners have failed to implement any kind of encryption whatsoever for sensitive data stored on the systems used by their business. Data encryption is a vital tool against data theft. It converts readable data into an unreadable format called ciphertext, using an encryption algorithm and a secret key, so if a cybercriminal accesses the data, it will be unintelligible to them without the key. So, as a form of data protection it is incredibly robust, but only if it's implemented in the first place and vigorously maintained as part of a data protection regime.

However, 24% of those we spoke to admitted that data encryption was a challenge to implement or maintain, while the most challenging cyber security measure for many (47%) was simply keeping up with the newest and evolving threats and tactics.

The most challenging cyber security measures to implement or maintain in business

| Cyber security measures | Respondents (%) |
|---|---|
| Keeping up with new/evolving threats and tactics | 47% |
| Securing remote workers' devices | 41% |
| Regular software updates and patches | 40% |
| Backing up data regularly | 32% |
| Implementing multi-factor authentication | 31% |
| Access controls and user privileges management | 27% |
| Incident response planning and management | 25% |
| Data encryption | 24% |
| Compliance with cybersecurity regulations | 22% |
| Employee cybersecurity training and awareness programmes | 21% |

Prevention and protection against cyber attacks

Even with the challenges and concerns, many UK SMEs are at least taking some proactive measures to prevent cyber-attacks: 72% have invested in antivirus/anti-malware software. Nearly seven in ten make sure they regularly update their system software and 53% are keeping their IT systems up to date.

How UK SMEs are facing up to the cyber threat

| Measures in place to prevent cyber attacks | % of SMEs with these in place |
|---|---|
| Have antivirus/anti-malware software | 72% |
| Regularly update system software | 69% |
| Keep IT systems up to date | 53% |
| Use multi-factor or two-factor authentication | 52% |
| Email filtering for spam and phishing emails | 49% |
| Staff training | 49% |
| Have a firewall | 47% |
| Secure Wi-Fi networks | 46% |
| Conduct regular data backups | 46% |
| Data encryption | 44% |
| Encourage employees to update passwords | 35% |

Despite this data underlining why SMEs should ensure they have an insurance policy in place which will protect them in the event of a cyber-attack or data loss, the survey found over half (53%) of UK SME owners failed to have cover of this kind in place.

Markel Direct are leading providers of business insurance, specialising in insurance for the self-employed and for SMEs. Make sure your business is protected by getting a tailored business insurance quote today.

© Markel Direct 2024