SMEs are losing billions from weak cybersecurity

According to Vodafone Business, small and medium-sized enterprises (SMEs) across the UK are collectively losing £3.4 billion each year from inadequate cybersecurity measures.

The average incident costs a small business £3,398. This figure rises to £5,001 for companies with 50 or more employees, demonstrating the escalating risk for growing businesses. Data breaches, system downtime, and reputational damage contribute to the substantial financial losses incurred annually.

Vodafone’s findings paint a stark picture of the vulnerabilities faced by UK SMEs, revealing that these businesses are increasingly targeted by cybercriminals. The report indicates a surge in cyberattacks against SMEs in recent years, with over a third (35%) experiencing a cyber incident in 2024 alone. Of those affected, more than a quarter (28%) faced between one and five attempted attacks, while a further 6% were targeted up to 10 times within the same year.

The report identifies several key factors contributing to this vulnerability. Many SMEs struggle to effectively address these threats due to budget constraints, a lack of in-house cybersecurity expertise, and the pressure of competing business priorities. This often hinders their ability to implement comprehensive cybersecurity strategies.

Vodafone Business’ research corroborates these challenges, revealing some alarming statistics:

• More than half (52%) of UK SME employees have received no cybersecurity training
• Almost a third (32%) of SMEs have no cybersecurity protections in place whatsoever
• Over a third of SMEs (38%) invest less than £100 annually in cybersecurity
• A majority (64%) of SMEs have staff working remotely or from other off-site locations on a regular basis
• 60% of SMEs permit employees to use their personal IT equipment for work purposes when working from home
• A fifth (19%) of remote workers have been targeted by cyber criminals

Nick Gliddon, CEO of Vodafone Business UK, said:

“SMEs are the backbone of our economy, yet they are losing a staggering £3.4 billion annually due to inadequate cybersecurity. In today’s rapidly-evolving digital landscape, cyber threats are becoming more sophisticated, and SMEs are increasingly in the crosshairs of cybercriminals. 

Investing in robust cybersecurity is no longer optional—it is a business imperative for protecting sensitive data, maintaining customer trust, and ensuring long-term resilience.

At Vodafone Business, we understand the critical role SMEs play in driving innovation and growth, and we are committed to equipping them with the right tools and expertise to stay protected. However, SMEs cannot tackle this challenge alone.

Greater collaboration between businesses, industry leaders, and government authorities is essential to providing these businesses with the resources, education, and support they need to strengthen their cyber defences. By working together, we can create a safer, more secure digital environment that empowers SMEs to grow with confidence in an increasingly connected world.”

The findings of the Vodafone Business report have resonated with industry bodies.

Mathew Evans, COO of techUK, commented: 

“Accounting for 99.8% of the UK’s business population and employing two-thirds of the workforce, it’s indisputable that SMEs are the cornerstone of our economy. We also know that their digitisation is a key lever for growth and, in order to seize the opportunities that technology offers and unlock productivity, SMEs must take cyber security and resilience seriously.

Vodafone UK’s report highlights the significant impacts that cyberattacks are having on the UK’s SMEs, including an estimated £3.4 billion per year in lost revenue and 28% of SMEs saying that a single attack could put them out of business—demonstrating that that there is still much to do to build resilience and raise awareness about cyber security as a critical business and growth enabler.

techUK has called for the government’s Industrial Strategy to have a greater focus on raising technology adoption across the UK’s SMEs to increase productivity and to recognise cyber resilience as integral to growth. The findings and recommendations of this report only further underscore the need to give SMEs the attention they deserve, and to support them in implementing robust plans to build and increase their cyber resilience.”  

Ibrahim Dogus, Co-Chair of SME4Labour, added:

“We at SME4Labour recognise that SMEs are the lifeblood of the UK economy, generating 25% of GDP and employing over 60% of the UK workforce. Integral to the government’s drive for economic growth, this Vodafone UK report demonstrates the importance of SME cybersecurity – and resilience more generally – to be seen as a part of business-critical decision making.

This report highlights how we need to make sure we protect our growing businesses here in the UK, which in turn will protect the livelihoods of working people. We at SME4Labour call on the government – who have already made productive steps on supporting SMEs – to support the recommendations of this report.”

The report also sheds light on the prevalent types of cyberattacks targeting SMEs.

Phishing remains the most common form of attack, with 70% of firms experiencing attempts to steal sensitive information via email, SMS, phone, or social media. Ransomware attacks, affecting 23% of businesses, involve locking or corrupting files until a ransom is paid. Distributed Denial of Service (DDoS) attacks, impacting 20%, overload systems and disrupt operations. Additionally, water-holing, a tactic where attackers create fake websites or impersonate businesses, poses another significant threat.

While the report emphasises the crucial role SMEs must play in strengthening their own cybersecurity posture, it also highlights the necessity of government intervention to enable scalable and affordable solutions. To this end, Vodafone Business has issued several policy recommendations for the UK government, urging action to ensure cybersecurity tools are accessible to all SMEs:

• Cyber Local scheme funding: Vodafone Business recommends increased funding and support for the government’s Cyber Local initiative, which aims to provide tailored support to SMEs based on their size and location. The report notes that while the current £1.3 million investment is a positive step, it needs to be significantly expanded and its reach extended beyond select areas of England and Northern Ireland.
• Targeted SME awareness campaigns: The report argues that the Cyber Essentials programme, despite its 2022 update, is not effectively reaching UK SMEs, with many still unaware of its existence. Vodafone Business suggests awareness schemes should actively engage SME owners during key business activities, such as tax submissions, employee data reporting, or new business registrations. For larger SMEs with over 50 employees, the report proposes integrating mandatory compliance into existing reporting obligations.
• Incentivisation of cybersecurity investment: Vodafone Business proposes leveraging the tax system to incentivise cybersecurity investments. While tools like R&D tax credits and full expensing for plants and machinery exist, cybersecurity software investments face complexities under current capital expenditure definitions. The report recommends establishing a dedicated capital allowance for cybersecurity that covers both hardware and software to simplify access to tax reliefs.
• Encouragement of public-private partnerships: The report advocates for fostering collaboration between larger businesses and SMEs to enhance cybersecurity. Smaller firms can benefit from the expertise of larger organisations with dedicated risk management teams. Vodafone Business stresses the importance of ensuring smaller businesses integrate cybersecurity considerations into their critical decision-making processes.

The Vodafone Business report serves as a timely reminder of the cybersecurity challenges facing UK SMEs and underscores the urgent need for a multi-faceted approach to mitigate these growing threats and safeguard the backbone of the UK economy.

(Photo by Basil James)

See also: Tech Transparency Project: Millions download covert Chinese VPNs

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Digital Transformation Week, IoT Tech Expo, Blockchain Expo, and AI & Big Data Expo.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: cybersecurity, Enterprise, europe, hacking, infosec, report, research, Security, sme, study, telecoms, uk, vodafone