Risky business: the state of cybersecurity among UK SMEs

Small and medium-sized enterprises (SMEs) are the backbone of our economy and communities, making up 99.9% of the UK’s business population. But it’s fair to say this backbone has been under immense, unwavering pressure in the wake of the pandemic and the uncertainty this gave rise to.

About the author

Oliver Pinson-Roxburgh is CEO and Co-Founder of Defense.com.

In spite of this, small businesses have shown remarkable resilience and resourcefulness to navigate this turbulent landscape and even chart a course beyond recovery towards growth. But in doing so, they’ve arguably been blinded to another glaring danger that has the potential to undo all of this hard work: cyber-attacks.

Such is the extent of this problem that, back in 2018, a study by Hiscox revealed that UK SMEs are the target of an estimated 65,000 attempted cyber-attacks every day. But of course, this has only become more problematic during the pandemic, with cyber-attacks growing more frequent and sophisticated by the day. So, how are SMEs coping with this?

Well, according to recent research, they’re not. In fact, SMEs are largely oblivious to the problem, with small businesses spending almost as much on their Christmas party as they do on cybersecurity annually. But this laissez-faire approach to security has to change if SMEs are to protect their business and avoid financial hardship.

So herein lies the basis of the research explored below, because the first step to action is awareness.

Rightly self-assured or blissfully unaware?

Before diving into the crux of the survey’s findings, it’s positive to see that, right now, UK SMEs are feeling self-assured. Even though the past year and a half has been a trying period, over half (55%) of respondents believe their business is healthy from all points of view, such as financial, compliance, cybersecurity and customer retention.

One in ten (11%) leaders even go as far as to say there are no threats to their business. But, as we’ve established above, this is not the case – and one has to wonder if this self-assuredness is misplaced, especially when we consider that 35% of UK SMEs believe the pandemic increased their exposure to cyber risk, rising to 58% in London.

More worrying still is the third (34%) of SMEs that don’t believe a cybersecurity breach is likely to happen to them. Or at the other end of the spectrum, the 48% that believe they could deal with a cyber-attack. Because, while this confidence is encouraging, it seems unfounded given that 24% of SMEs spend nothing on cyber security and a further 25% spend less than £1,000 a year.

SMEs are leaving themselves wide open to threats

The recent research reveals how this lack of security spend is driven by a number of factors. Leading the way, however, is the fact that SMEs simply don’t see the need for cybersecurity, with 34% stating they don’t invest more because their business is too small. Similarly, 19% also say their data is not a target and that their business isn’t under threat.

Running parallel to this misguided sense of invulnerability is the financial burden of security, with 41% of SMEs – rising to 59% in London – saying investment in cyber security is too big a cost and that they’d prefer to take risks. Perhaps most worrying of all, however, is that this seems to stem from the top, with 35% saying their investors only care about growth and not cyber security.

Overall, this points to a lack of awareness and urgency, with SMEs and investors alike oblivious to the risks – and the potentially crippling financial impact should an attack ever take place. But without the necessary investment, they’re leaving themselves wide open to threats – and it may only be a matter of time before they’re inadvertently subjected to said financial pitfalls.

This is only reinforced by the survey’s findings that 29% don’t have a cybersecurity strategy in place, with almost a third (32%) also not having an emergency response plan in the event of a cyber-attack. Similarly, 31% also lack access to cybersecurity experts – with all roads leading to the likelihood that, should the worst happen, SMEs will almost certainly be impacted significantly.

Greater awareness and action is needed towards cybersecurity

Ultimately, the research findings show that UK SMEs are not taking cybersecurity seriously, often through no fault of their own. But with the rise in cyber-attacks and widespread remote working, it’s imperative that business leaders become aware of the risks and are able to take the appropriate action to safeguard their business, customers and employees.

Doing so is not only a matter of avoiding attacks or financial implications – it could well be the difference between lost jobs and livelihoods, with a successful cyber-attack carrying the potential to put an SME out of business. So, why take a chance? Especially in an age where there’s accessible, affordable, enterprise-grade cyber security designed specifically for SMEs.

Oliver Pinson-Roxburgh is CEO and Co-Founder of Defense.com, a SaaS platform bringing enterprise security to small businesses in a simple and affordable way.