A new survey* released today shows that the UK’s small and medium-sized enterprises (SMEs) lack implementation of best practice cybercrime protocols and are woefully unprepared to react to an incident, with only 1 in 5 (19%) having a recommended cyber incident response plan (IRP) in place.

While AI advancements continue to escalate both the complexity and spread of cyber attacks, the survey – commissioned by Cowbell, a leading provider of cyber insurance for SMEs and mid-market businesses – revealed a cavalier approach from UK leaders to the consequences:

77% of UK SMEs do not have any in-house security
32% of CEOs were confident a cyber attack would not impact their ability to do business
1 in 10 (10%) of all business leaders said they do not need to improve their position regarding cyber risk
87% did not consider reputational damage as a significant risk to business

Data breaches cost UK businesses an average of £3.2m last year – with the UK being the sixth most expensive country for data breaches in the world. This is in addition to the Government’s latest Cybersecurity Breaches Survey, showing 59% of medium businesses experienced breaches or attacks in the last 12 months.
Despite these statistics – and GCHQ’s National Cyber Security Centre warning that global ransomware threats are expected to rise with AI – complacency among SMEs was seen across the leadership bench, with only 20% of CHROs, 22% of Director roles and 28% of CEOs considering cyber threats to be their biggest risk. Worryingly, the risk of cyber threats almost fell off the CFOs’ radar, who ranked it second to last out of 14 possible threats, with only 8% considering it their biggest risk.

Alongside a trend for underestimating the current cyber climate, the survey also highlighted confusion around first responses in the event of a cyber breach; nearly 1 in 10 (8%) CEOs said that they would engage with the threat actor directly.

Rather than notifying the regulators or their insurance provider, over half of all respondents (52%) agreed their first course of action would be to notify the IT team should a breach occur.

When respondents were asked about the ‘first action they would take following a data breach’, a clear lack of unified response across the C-suite was evident:

CEOs: 10% said they would notify regulators, while a further 10% said they’d contact the in-house tech team
CFOs: 17% would notify the in-house tech team, 10% would inform clients/customers and a further 10% would notify the finance team
HR Directors: 24% felt they should notify the in-house finance team first
Senior marketers: 31% thought they should first inform their tech team, while 25% said they’d notify their insurance provider

With cybersecurity protection out of sight and out of mind – and the first port of call post-attack varying wildly across the leadership board – Simon Hughes, VP and General Manager, Cowbell UK, says that the UK’s SMEs are leaving themselves vulnerable and wide open to threat.

He comments: “Almost every day we see a new major cyber attack hit the headlines – and that’s just the ones big enough to warrant news coverage. Whether we put our heads in the sand or not, attacks are on the up. As developments in AI continue, we will almost certainly see an increase in the volume, complexity and impact of cyber attacks in the coming years. It’s not a case of if, but when. But now is not the time to scaremonger, it’s time for proactive planning.”

Broker specialist, Cowbell UK, Catherine Aleppo added: “Our research indicates some serious gaps in knowledge, leaving businesses highly exposed. The message is clear: resolving the confusion around first responses is a matter of urgency. More support and education on cyber risk and Incident Response Planning needs to happen if businesses are to navigate these incidents and recover quickly. There is work to be done, raising critical awareness of cyber vulnerabilities and safeguarding the UK’s SMEs who form the backbone of the UK economy.”