In the wake of a wave of cyber attacks on UK businesses, SMEs have been warned that they are perhaps the primary target for malicious activity. Despite this, a large minority of small companies have revealed that they have undertaken no cyber security training.
According to a new poll of 1,000 UK SMEs by BT in partnership with Be the Business, four in ten small UK businesses (42 per cent) and more than two in three medium-sized businesses (67 per cent) have been the victims of an attack or breach over the past year.
Small businesses can be hit especially hard by cyber attacks, with the most disruptive breaches costing small and micro businesses £7,960 on average, according to Government figures, and potentially taking them months to fully recover from.
Phishing scams are the most common form of attack that SMEs face, with 85 per cent of UK businesses having been the target of an email scam. Ransomware incidents are also common and more than doubled over the past year, affecting 1 in 100 businesses so far this year, compared to less than 1 in 200 businesses in 2024.
In a separate study, BT found that larger businesses (which are generally more proactive in cyber security measures) are more likely to secure growth, with “cyber agile” companies being found to have a 20 per cent higher growth rate on average.
However, despite the high costs of cyber attacks and the benefits that can be unlocked by investing in cyber security measures, the report found that approximately two out five UK SMEs (39 per cent - equivalent to around two million businesses) have not arranged cyber security training for their employees.
Discussing the findings of the report, BT Managing Director for Security Tris Morgan said that the company was aware of “the challenges SMEs face protecting themselves from growing cyber threats”, including “budget constraints and the lack of a dedicated cyber team”.
However, he continued, “for SMEs a cyber attack isn't just an inconvenience; it poses an existential threat.”
In response to the findings, BT says it is bolstering its suite of security products and launching dedicated security training designed to help SMEs understand the measures they can take to protect against cyber attacks and breaches.
Tris Morgan added: “The good news is that effective cyber security doesn't require corporate-grade resources. With the right training, basic security measures, and awareness, SMEs can dramatically reduce their risk profile. The key is recognising that, in today's digital landscape, cyber security is not a luxury but a foundation that enables companies to face forwards confidently, rather than forever looking over their shoulder.”
