How cyber-savvy are UK SMEs?
With so many cybercrimes against UK organisations reported during the last year, it is no surprise that concern among business owners is growing. To gauge the impact this rising threat is having on small businesses in the UK, we conducted a survey asking 500 SME owners their thoughts on the matter, as well as the challenges they are currently facing when it comes to cybersecurity.
UK SMEs' top cyber security concerns for the future
The survey discovered that three-quarters of UK SMEs are currently concerned about the cyber security of their business, but what is it exactly that concerns them?
The clear front runner according to the respondents was the increasing sophistication of cyber threats, with over six in ten stating this as a top concern. With the advancement of AI (Artificial Intelligence) technology, cyber criminals are discovering opportunities to use and exploit silicon-powered assistants to syphon data their way. According to a report by the National Cyber Security Centre, “AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations.” This introduces a new level of cyber threat, particularly for smaller businesses that may not have the software to mitigate against attacks of this sophistication. When asked about AI in the context of cyber security specifically, 63% of UK SME owners said they were concerned about the rise of AI.
The second biggest cyber security concern for SMEs in the UK was “securing remote work environments”, with 23% selecting this. Many UK businesses now offer a remote or hybrid working model - and while this flexibility is celebrated by employees, for the most part, it does introduce security issues when it comes to keeping data safe. In fact, the survey data showed that 69% of UK SME owners do not have a cyber security policy in place for remote workers.
When asked how they ensure the security of remote workers or employees accessing company data from outside the office, the majority (52%) of those with remote workers said they use virtual private network (VPN) access. In addition, 48% train their employees on secure remote work practices and 46% have remote access policies and controls in place.
The top cyber security concerns for UK SME owners in the future
Cyber security concerns for the future | Respondents (%) |
---|---|
Increasing sophistication of cyber threats | 62% |
Securing remote work environments | 23% |
Ransomware and other forms of malware | 22% |
Emerging technologies and their security implications (e.g. AI, blockchain) | 21% |
Insufficient budget/resources for cybersecurity | 19% |
Vulnerabilities associated with third-party vendors and suppliers | 19% |
Compliance with data protection regulations (e.g. GDPR, CCPA) | 18% |
Employee negligence or lack of awareness | 17% |
Hybrid working environment | 17% |
Growing reliance on connected IoT (Internet of things) devices | 10% |
Many SME owners are leaving their businesses vulnerable to attacks
Despite the increased potential for cyber-attacks and the concern felt among the UK SME community, our survey provided evidence that some businesses are putting themselves and the data they use at genuine risk.
Almost four in ten (37%) of UK SME owners said that they are not aware of their legal obligations with respect to data protection and privacy regulations, such as GDPR (General Data Protection Regulation). Aside from the level of data security and protection that following such regulations brings to your organisation, the fines for not following GDPR are eye-watering: the Information Commissioner can issue a maximum fine of £17.5 million or 4% of a company's total annual worldwide turnover in the preceding financial year, whichever is higher.
Just as worrying is the statistic that nearly half of SME owners (49%) wouldn't know what to do in the event of their business suffering a cyber-attack. This lack of cyber security knowledge could go some way towards explaining figures that show holes in cyber security practices at many UK firms, leaving them open to data breaches in the future. For instance, 42% of those asked reported that they fail to regularly change passwords on their work devices, such as their laptops and phones.
As we've discussed, too many passwords are chosen based on how easy they are to remember, so a stolen laptop, mobile phone, or data stick full of poorly protected data is a potentially dangerous asset in the wrong hands.
Meanwhile, nearly four in ten UK SME owners have failed to implement any kind of encryption whatsoever for sensitive data stored on the systems used by their business. Data encryption is a vital tool against data theft. It converts readable data into an unreadable format called ciphertext, using an encryption algorithm and a secret key, so if a cybercriminal accesses the data, it will be unintelligible to them without the key. So, as a form of data protection it is incredibly robust, but only if it's implemented in the first place and vigorously maintained as part of a data protection regime.
However, 24% of those we spoke to admitted that data encryption was a challenge to implement or maintain, while the most challenging cyber security measure for many (47%) was simply keeping up with the newest and evolving threats and tactics.
The most challenging cyber security measures to implement or maintain in business
Cyber security measures | Respondents (%) |
---|---|
Keeping up with new/evolving threats and tactics | 47% |
Securing remote workers' devices | 41% |
Regular software updates and patches | 40% |
Backing up data regularly | 32% |
Implementing multi-factor authentication | 31% |
Access controls and user privileges management | 27% |
Incident response planning and management | 25% |
Data encryption | 24% |
Compliance with cybersecurity regulations | 22% |
Employee cybersecurity training and awareness programmes | 21% |
Prevention and protection against cyber attacks
Even with the challenges and concerns, many UK SMEs are at least taking some proactive measures to prevent cyber-attacks: 72% have invested in antivirus/anti-malware software. Nearly seven in ten make sure they regularly update their system software and 53% are keeping their IT systems up to date.
How UK SMEs are facing up to the cyber threat
Measures in place to prevent cyber attacks | % of SMEs with these in place |
---|---|
Have antivirus/anti-malware software | 72% |
Regularly update system software | 69% |
Keep IT systems up to date | 53% |
Use multi-factor or two-factor authentication | 52% |
Email filtering for spam and phishing emails | 49% |
Staff training | 49% |
Have a firewall | 47% |
Secure Wi-Fi networks | 46% |
Conduct regular data backups | 46% |
Data encryption | 44% |
Encourage employees to update passwords | 35% |
Despite this data underlining why SMEs should ensure they have an insurance policy in place which will protect them in the event of a cyber-attack or data loss, the survey found over half (53%) of UK SME owners failed to have cover of this kind in place.