
UK small and medium-sized enterprises (SMEs) are incurring annual losses amounting to £3.4 billion due to inadequate cybersecurity measures, according to a new Vodafone Business report.
The report, entitled Securing Success: The Role of Cybersecurity in SME Growth, also found that the average cost of a cyber-attack for a small business is £3,398, with the figure rising to £5,001 for those with 50 or more employees.
The findings highlight the necessity for businesses to safeguard against rising cyber threats, which result in financial losses each year due to data breaches, system downtime and reputational damage.
Cyber-attacks against SMEs have surged in recent years, with studies revealing that more than one third (35 per cent) experienced a cyber incident in 2024 alone. More than one quarter (28 per cent) suffered between 1 and 5 attempted attacks, while 6 per cent were targeted up to 10 times in a year.
Many SMEs encounter difficulties in addressing these threats due to budget constraints, limited expertise and competing business priorities, which impact their ability to implement comprehensive cybersecurity strategies. This is corroborated by Vodafone Business' own findings, which indicate that:
• More than half (52 per cent) of UK SME employees have received no cybersecurity training, while almost one third (32 per cent) of SMEs had no cybersecurity protections in place at all.
• More than one third of SMEs (38 per cent) invest less than £100 a year in cybersecurity, with more than two-thirds (64 per cent) having staff working from home or other off-site locations regularly.
• Sixty per cent of SMEs allow employees to use their own IT equipment when working from home, with one fifth (19 per cent) of remote workers being targeted by cyber criminals.
• To try and stem the problem, more than one in 8 (15 per cent) SME employees have been banned from working from home due to the risk of falling victim to a cyber-attack.
Nick Gliddon, CEO, Vodafone Business UK, said, “SMEs are the backbone of our economy, yet they are losing a staggering £3.4 billion annually due to inadequate cybersecurity. In today’s rapidly evolving digital landscape, cyber threats are becoming more sophisticated, and SMEs are increasingly in the crosshairs of cybercriminals. Investing in robust cybersecurity is no longer optional - it is a business imperative for protecting sensitive data, maintaining customer trust, and ensuring long-term resilience.”
Mathew Evans, chief operating officer, techUK, said, “Accounting for 99.8 per cent of the UK’s business population and employing two-thirds of the workforce, it’s indisputable that SMEs are the cornerstone of our economy. We also know that their digitisation is a key lever for growth and, in order to seize the opportunities that technology offers and unlock productivity, SMEs must take cyber security and resilience seriously.”
Ibrahim Dogus, co-chair of SME4Labour, said, “We at SME4Labour recognise that SMEs are the lifeblood of the UK economy, generating 25 per cent of GDP and employing over 60 per cent of the UK workforce. Integral to the government’s drive for economic growth, this Vodafone UK report demonstrates the importance of SME cybersecurity, and resilience more generally, to be seen as a part of business-critical decision making.”
Phishing remains the most prevalent form of cyber-attack, with 70 per cent of firms experiencing attempts to steal sensitive information through email, SMS, phone or social media. Ransomware, affecting 23 per cent of businesses, locks or corrupts files until a ransom is paid. Distributed Denial of Service (DDoS) attacks, impacting 20 per cent, overload systems and disrupt operations. Another threat, water-holing, involves attackers creating fake websites or impersonating businesses to deceive users.
Vodafone Business has issued policy recommendations asking government to ensure that cybersecurity tools are scalable and affordable for all SMEs. These include:
• Cyber local scheme funding: Government's cyber local initiative aims to provide tailored support to SMEs based on size and location. However, only a few successful grants specifically target SMEs, and the current scheme is limited to certain areas of England and Northern Ireland. Despite being a positive step, the £1.3 million investment indicates the need for increased funding and support.
• Targeted SME awareness campaigns: The Cyber Essentials programme, updated in 2022, is not sufficiently reaching UK SMEs, with many unaware of its existence - this must be addressed. Awareness schemes should engage SME owners during key business activities, such as tax submissions, employee data reporting or new business registrations. For SMEs with more than 50 employees, mandatory compliance could be integrated into existing reporting obligations.
• Incentivisation of cybersecurity investment: The tax system can incentivise cybersecurity investments through tools such as R&D tax credits and full expensing for plant and machinery. However, cybersecurity software investments face complications under current capital expenditure definitions.
• Encouragement of public/private partnerships: Collaborating with larger businesses can enhance SME cybersecurity. Smaller firms can gain valuable insights from those with dedicated risk management teams.