Small and medium sized enterprises (SMEs) throughout the United Kingdom are incurring annual losses amounting to £3.4billion due to inadequate cybersecurity measures., according to a new report from Vodafone Business.
The report Securing Success: The Role of Cybersecurity in SME Growth, also found that the average cost of a cyber-attack for a small business is £3,398 with the figure rising to £5,001 for those with 50 or more employees. Download the full report here: www.vodafone.co.uk/newscentre/press-release/cyberhackers-costing-uk-smes-3billion-per-year
The findings highlight the necessity for businesses to safeguard against rising cyber threats, which result in financial losses each year due to data breaches, system downtime, and reputational damage.
Cyber-attacks against SMEs have surged in recent years, with studies revealing that more than a third (35%) experienced a cyber incident in 2024 alone. More than a quarter (28%) suffered between one and five attempted attacks, while (6%) were targeted up to 10 times in a year.
Many SMEs encounter difficulties in addressing these threats due to budget constraints, limited expertise, and competing business priorities, which impact their ability to implement comprehensive cybersecurity strategies. This is corroborated by Vodafone Business’ own findings, which indicate:
- More than half (52%) of UK SME employees have received no cybersecurity training, while almost a third (32%) of SMEs had no cybersecurity protections in place at all.
- More than a third of SMEs (38%) invest less than £100 a year in cybersecurity, with more than two-thirds (64%) having staff working from home or other off-site locations regularly.
- Shockingly, 60% of SMEs allow employees to use their own IT equipment when working from home, with a fifth (19%) of remote workers being targeted by cyber criminals.
- To try and stem the problem, more than one in 8 (15%) SME employees have been banned from working from home due to the risk of falling victim to a cyber-attack.
Vodafone Business, a leading advocate for SME digital transformation, has reinforced the importance of proactive cybersecurity investments.
To provide SMEs with the necessary tools and knowledge for strengthening their cybersecurity defences, Vodafone is offering a complimentary one-month trial of CybSafe, the leading human risk management platform that utilises AI, data, psychology, and behavioural science to assess and enhance cybersecurity behaviour, awareness, and culture within organisations.
The trial version grants essential access to the platform’s education and training sections, featuring various modules designed to increase staff confidence in handling potential cyber threats, such as phishing or ransomware attacks. Additionally, the trial version can accommodate up to 100 employees.
Nick Gliddon, CEO, Vodafone Business UK, said: “SMEs are the backbone of our economy, yet they are losing a staggering £3.4billion annually due to inadequate cybersecurity. In today’s rapidly evolving digital landscape, cyber threats are becoming more sophisticated, and SMEs are increasingly in the crosshairs of cybercriminals. Investing in robust cybersecurity is no longer optional – it is a business imperative for protecting sensitive data, maintaining customer trust, and ensuring long-term resilience.
“At Vodafone Business, we understand the critical role SMEs play in driving innovation and growth, and we are committed to equipping them with the right tools and expertise to stay protected. However, SMEs cannot tackle this challenge alone. Greater collaboration between businesses, industry leaders, and government authorities is essential to providing these businesses with the resources, education, and support they need to strengthen their cyber defences. By working together, we can create a safer, more secure digital environment that empowers SMEs to grow with confidence in an increasingly connected world.”
Mathew Evans, Chief Operating Officer, techUK said: Accounting for 99.8% of the UK’s business population and employing two-thirds of the workforce, its indisputable that SMEs are the cornerstone of our economy. We also know that their digitisation is a key lever for growth and, in order to seize the opportunities that technology offers and unlock productivity, SMEs must take cyber security and resilience seriously.
“Vodafone UK’s report highlights the significant impacts that cyber-attacks are having on the UK’s SMEs, including an estimated £3.4 billion per year in lost revenue and 28% of SMEs saying that a single attack could put them out of business – demonstrating that that there is still much to do to build resilience and raise awareness about cyber security as a critical business and growth enabler. techUK has called for government’s Industrial Strategy to have a greater focus on raising technology adoption across the UK’s SMEs to increase productivity and to recognise cyber resilience as integral to growth. The findings and recommendations of this report only further underscore the need to give SMEs the attention they deserve, and to support them in implementing robust plans to build and increase their cyber resilience.”
Ibrahim Dogus, Co-Chair of SME4Labour said: “We at SME4Labour recognise that SMEs are the lifeblood of the UK economy, generating 25% of GDP and employing over 60% of the UK workforce. Integral to the government’s drive for economic growth, this Vodafone UK report demonstrates the importance of SME cybersecurity, and resilience more generally, to be seen as a part of business-critical decision making.
“This report highlights how we need to make sure we protect our growing businesses here in the UK, which in turn will protect the livelihoods of working people. We at SME4Labour call on the government – who have already made productive steps on supporting SMEs – to support the recommendations of this report.”
Phishing remains the most prevalent form of cyber-attack, with 70% of firms experiencing attempts to steal sensitive information through email, SMS, phone, or social media. Ransomware, affecting 23% of businesses, locks or corrupts files until a ransom is paid. Distributed Denial of Service (DDoS) attacks, impacting 20%, overload systems and disrupt operations. Another threat, water-holing, involves attackers creating fake websites or impersonating businesses to deceive users.
While SMEs have a critical role to play in strengthening their own cybersecurity, government intervention is essential to enable scalable and affordable solutions.
Vodafone Business has issued policy recommendations asking the UK government to ensure that cybersecurity tools are scalable and affordable for all SMEs which includes:
- Cyber Local scheme funding: The government’s Cyber Local initiative aims to provide tailored support to SMEs based on size and location. However, only a few successful grants specifically target SMEs, and the current scheme is limited to certain areas of England and Northern Ireland. Despite being a positive step, the £1.3 million investment indicates the need for increased funding and support.
- Targeted SME awareness campaigns: The Cyber Essentials programme, updated in 2022, is not sufficiently reaching UK SMEs, with many unaware of its existence – this must be addressed. Awareness schemes should engage SME owners during key business activities, such as tax submissions, employee data reporting, or new business registrations. For SMEs with over 50 employees, mandatory compliance could be integrated into existing reporting obligations.
- Incentivisation of cybersecurity investment: The tax system can incentivise cybersecurity investments through tools like R&D tax credits and full expensing for plants and machinery. However, cybersecurity software investments face complications under current capital expenditure definitions. Establishing a dedicated capital allowance for cybersecurity that covers both hardware and software would simplify access to tax reliefs.
- Encouragement of Public/Private Partnerships: Collaborating with larger businesses can enhance SME cybersecurity. Smaller firms can gain valuable insights from those with dedicated risk management teams. Ensuring smaller businesses integrate cybersecurity into critical decisions is essential.
To claim a free CybSafe trial for your business visit: https://www.vodafone.co.uk/business/cybsafe-1-month-free-trial