Cyber security breaches: how SMEs may be affected by cyber crime - Barnes Commercial Limited

Cyber security breaches: how SMEs may be affected by cyber crime

New report finds 32% of small businesses experienced a cyber attack in the last 12 months – are you prepared?

Cyber security is a growing issue for all businesses in the UK, but more specifically SMEs. Many SME owners feel that their business is too small or not valuable enough to be the target of a cyber attack. Yet according to data by insurer CFC, SMEs are the target of 96% of all attacks.

One reason for this is that cyber criminals see SMEs as soft targets for extortion, as they tend to lack the resources, time, or money to train employees on sufficient cyber security protocols.

Recently, released their annual cyber security breaches survey. Across the UK, 2,263 businesses were surveyed on topics including approaches to cyber security, impact of attacks, and dealing with breaches and attacks.

Let’s take a closer look at how SMEs were found to be affected.


Frequency and types of attack

Over the last 12 months, 32% of businesses overall identified a breach or attack. Breaking this down further, 31% of microbusinesses, 32% of small businesses and 59% of medium-sized businesses experienced a breach or attack in the last 12 months.

The most common attack method was phishing, which accounted for 79% of all attacks. This was followed by impersonation of organisations in emails and online (31%) and viruses, spyware or malware (11%). Some other attack methods included hacking or attempted hacking of online bank accounts (11%) and taking over users’ accounts (9%).

Among the organisations that reported having had breaches or attacks in the past 12 months, phishing attacks were commonly considered the most disruptive types of attack that organisations face. Read our blog for advice on how to spot a phishing email.

Financial Impacts of breaches and attacks

Across the 2,263 businesses surveyed, the average cost to all businesses of any breach or attack identified, regardless of the outcome, was £410. Within this, the average cost to micro and small businesses was £370, and for medium-sized businesses the figure rose to £1,190.

In contrast, for businesses that experienced a breach with an outcome (for example, a company website or online services taken down or made slower, money stolen, or personal data altered, destroyed or taken), the average cost to all businesses was £1,630, with micro and small businesses experiencing losses of £1,450 and medium-sized and large businesses experiencing losses of £4,250.

Cyber Security procedures

Rules and controls

The survey also looked at the cyber security controls put in place by businesses. From 2,263 UK businesses, it was found that 76% had up-to-date malware protection, 70% had a password policy, which ensures users set strong passwords, and 70% backed up data securely via a cloud service. Other measures commonly put in place were restricting IT admin and access rights to specific users (67%), firewalls that cover the entire IT network (66%), and security controls on organisation-owned devices (59%).

It was also found that 37% of organisations implemented two-factor authentication for networks, 34% had separate Wi-Fi networks for staff and visitors, and 31% utilised VPNs for remote connections.

Despite this, a comparison with the 2022 survey found that the deployment of controls and procedures has fallen amongst businesses:

  • using up-to-date malware protection was down from 83% to 76% among businesses
  • password policies fell from 75% to 70%
  • restricting admin rights decreased from 72% to 67%
  • network firewalls were down from 74% to 66%

When the data was then compared to data from the 2021 period, it was also found that:

  • password policies decreased (79% in 2021, vs. 70% in 2023)
  • network firewalls decreased (78% in 2021 vs. 66% in 2023)
  • restricted admin rights decreased (75% in 2021 vs. 67% in 2023)

However, it is important to note that these trends reflect the fact that the proportion of microbusinesses who feel that cyber security is a high priority has decreased from 80% in 2022 to 68% this year.

Since microbusinesses make up 82% of all businesses, the changes above are more significant for them. On each of the control measures, large businesses remained in line with where they were in 2022.

For small businesses, restricted admin rights are less common now than in 2022 (down from 87% to 79%). For medium businesses, there has been a decline since 2022 in the proportion saying they have security controls on their devices (from 91% to 79%).

Taking all of this into account, the findings show that cyber security is an increasing challenge amongst small to medium enterprises.

Training of staff

Alongside this, the survey also focused on the proportion of businesses that implemented training or awareness raising sessions on cyber security in the past 12 months.

Amongst the 2,263 UK businesses that were surveyed, 18% of businesses overall have carried out training or awareness raising sessions. When broken down further, it was found that only 15% of microbusinesses, 28% of small businesses and 52% of medium businesses provided any training or awareness raising sessions.

Guidance from The National Cyber Security Centre on how organisations can train their staff can be found here.

Reviewing supply chains

Suppliers can pose various risks to an organisation’s cyber security, for example through:

  • third-party access to an organisation’s systems
  • suppliers storing the personal data or intellectual property of a client organisation
  • phishing attacks, viruses or other malware originating from suppliers

However, very few businesses are taking steps to formally review these risks. In fact, of the 2,263 businesses surveyed, only 12% of microbusinesses, 18% of small businesses and 27% of medium businesses have carried out work to formally review the potential cyber security risks presented by their immediate suppliers. As well as this, when looking at the proportion of organisations who reviewed the risks posed by their wider supply chain, it was found that only 7% of microbusinesses, 10% of small businesses and 15% of medium businesses carried out work to formally identify these risks.

Although relatively few businesses took steps to identify the risks posed by their suppliers, the businesses who did review the risks faced challenges when attempting to do so. The challenges businesses reported were:

  • a lack of time or money (32%)
  • couldn’t get information from suppliers to carry out the checks (31%)
  • didn’t know what checks to carry out (25%)
  • didn’t feel that it was a priority when working with suppliers (25%)
  • lacked the skills to be able to check the suppliers (18%)
  • didn’t know which suppliers to check (13%)

Overall, 29% of businesses reported that none of the six listed challenges prevented them from understanding the cyber security risks in the supply chain. This figure has dropped from 32% in 2022, and 36% in 2021. This shows that organisations are more frequently facing one or more of the challenges listed and are therefore finding supply chain risk management more challenging than in previous years.

The National Cyber Security Centre has published advice on supply chain security.

Cyber Insurance

Another particular area the research focused on was the proportion of businesses who have cyber insurance cover. Of the 2,263 businesses surveyed, it was found that just under four in ten businesses (37%) are insured against cyber security risks in some way.

Of these businesses, 6% of microbusinesses have a specific cyber insurance policy and 29% have cyber insurance cover as part of a wider insurance policy. Alongside this, only 11% of small businesses have a specific policy, but 33% have cyber insurance cover within their wider insurance package.

Of the medium sized businesses surveyed, 40% have cyber insurance as part of their insurance policy and 22% have a specific cyber insurance policy outside of their wider insurance package.

Cyber Liability Insurance financially protects your business against potential computer-related threats. These include data breaches which may result in the loss of sensitive information including your customers’ personal details, supplier information, employee records and confidential information about your business.

Cyber Liability Insurance will protect you from financial losses associated with:

  • Data recovery
  • Business interruption
  • Legal costs and potential compensation claims
  • Meeting ransom demands
  • Costs around informing clients of the breach
  • Restoring equipment

Click the link to find out more about Cyber Liability Insurance and why you need it.

We’re here to help

At Barnes Commercial, we work closely with our clients to gain an in-depth understanding of their business. This means that our recommended insurance programme will be unique to you, so if you should fall prey to a cyber related incident, you can be confident that your business will be financially protected.

Arrange an appointment to talk to us today about how we can help you to develop a Cyber Liability Insurance package for your business needs. You can call us on 01480 272727 or send an email to


Authored by: George Wilkinson 

Business Development Executive

07th June 2023
