UK SMEs Alarmingly Underprepared for Cyber Threats, Cowbell Reveals

A recent survey has highlighted a significant gap in cybercrime preparedness among the UK's small and medium-sized enterprises (SMEs), with a mere 19% possessing an adequate cyber incident response plan (IRP).

As AI technologies enhance the complexity and frequency of cyber attacks, the research, initiated by Cowbell, a foremost provider of cyber insurance for SMEs and mid-market firms, indicates a nonchalant attitude from UK business leaders towards the ramifications:

  • A substantial 77% of UK SMEs lack any form of internal security measures.
  • Despite the rising cyber threat landscape, 32% of CEOs believe a cyber attack would not affect their business operations.
  • Interestingly, 10% of business leaders maintain that there is no need to bolster their cyber risk management strategies.
  • A vast majority (87%) undervalue the potential reputational damage as a serious business risk.

Last year, data breaches cost UK businesses an average of £3.2 million, placing the UK as the sixth most costly country globally for data breaches. This comes against the backdrop of the Government's latest Cybersecurity Breaches Survey, which found that 59% of medium-sized businesses had suffered breaches or attacks in the preceding 12 months.

Despite these alarming statistics and warnings from GCHQ’s National Cyber Security Centre about the anticipated rise in global ransomware threats due to AI, a pervasive sense of complacency is evident among SME leadership. Only 20% of CHROs, 22% of directors, and 28% of CEOs identify cyber threats as a paramount concern. Alarmingly, CFOs place cyber threats nearly at the bottom of their list of concerns, with only 8% viewing it as the foremost risk.

The survey also sheds light on the confusion surrounding initial responses to a cyber breach; notably, 8% of CEOs would consider directly engaging with the cyber threat actor.

More than half of the respondents (52%) would first inform their IT team in the event of a breach, revealing a disjointed approach to incident response across executive roles:

  • 10% of CEOs would alert regulators, with another 10% turning to their internal tech team.
  • CFOs would predominantly inform the in-house tech team (17%), with 10% opting to inform clients/customers and another 10% the finance team.
  • HR Directors felt the finance team should be notified first (24%).
  • Senior marketers would primarily contact their tech team (31%), with 25% choosing to notify their insurance provider.

Simon Hughes, VP and General Manager of Cowbell UK, commented on the findings, emphasising the vulnerability of UK SMEs due to a widespread underestimation of cyber risks and a lack of coherent response strategies, leaving them dangerously exposed to threats.

He comments: “Almost every day we see a new major cyber-attack hit the headlines - and that’s just the ones big enough to warrant news coverage. Whether we put our heads in the sand or not, attacks are on the up. As developments in AI continue, we will almost certainly see an increase in the volume, complexity and impact of cyber attacks in the coming years. It’s not a case of if, but when. But now is not the time to scaremonger, it’s time for proactive planning.”

Broker specialist, Cowbell UK, Catherine Aleppo added: “Our research indicates some serious gaps in knowledge, leaving businesses highly exposed. The message is clear: resolving the confusion around first responses is a matter of urgency. More support and education on cyber risk and Incident Response Planning needs to happen if businesses are to navigate these incidents and recover quickly. There is work to be done, raising critical awareness of cyber vulnerabilities and safeguarding the UK’s SMEs who form the backbone of the UK economy.”