Cyber hackers costing UK SMEs circa £3.4 billion per annum

The report, entitled Securing Success: The Role of Cyber Security in SME Growth, also finds that the average cost of a cyber attack for a smaller business is £3,398, with the figure rising to £5,001 for those with 50 or more employees.

The findings highlight the necessity for businesses to safeguard against rising cyber threats, which result in financial losses each year due to data breaches, system downtime and reputational damage.

Cyber attacks against SMEs have surged in recent years, with studies revealing that more than 35% of them experienced a cyber incident in 2024 alone. More than a quarter (ie 28%) suffered between one and five attempted attacks, while 6% of SMEs were targeted up to ten times in a year.

Many SMEs encounter difficulties in addressing these threats due to budget constraints, limited expertise and competing business priorities, which impact their ability to implement comprehensive cybersecurity strategies. This is corroborated by Vodafone Business’ own findings:

*more than half (52%) of UK SME employees have received no cyber security training, while almost 32% of SMEs had no cyber security protections in place *more than one-third of SMEs (38%) invest less than £100 a year in cyber security, with more than two-thirds (64%) having staff working from home or other off-site locations on a regular basis

*shockingly, 60% of SMEs allow employees to use their own IT equipment when working from home, with 19% of those remote workers being targeted by cyber criminals

*to try and stem the problem, more than 15% of SME employees have been banned from working from home due to the risk of falling victim to a cyber attack

Proactive investments

A leading advocate for SME digital transformation, Vodafone Business has reinforced the importance of proactive cyber security investments.

To provide SMEs with the necessary tools and knowledge for strengthening their cyber security defences, Vodafone is offering a complimentary one-month trial of CybSafe, the leading human risk management platform that uses AI, data, psychology and behavioural science to assess and enhance cyber security behaviour, awareness and culture within organisations.

The trial version grants essential access to the platform’s education and training sections, featuring various modules designed to increase staff confidence in handling potential cyber threats, such as phishing or ransomware attacks. Additionally, the trial version can accommodate up to 100 employees.

Nick Gliddon, CEO, Vodafone Business UK, said: “SMEs are the backbone of our economy, yet they’re losing a staggering £3.4 billion annually due to inadequate cyber security. In today’s rapidly evolving digital landscape, cyber threats are becoming more sophisticated and SMEs are increasingly in the crosshairs of cyber criminals. Investing in robust cyber security is no longer optional. It’s a business imperative for protecting sensitive data, maintaining customer trust and ensuring long-term resilience.”

Gliddon continued: “At Vodafone Business, we understand the critical role SMEs play in driving innovation and growth. We’re fully committed to equipping them with the right tools and expertise to stay protected. However, SMEs cannot tackle this challenge alone. Greater collaboration between businesses, industry leaders and Government authorities is essential for providing these businesses with the resources, education and support they need to strengthen their cyber defences.”

Policy recommendations

Vodafone Business has issued policy recommendations asking the Government to ensure that cyber security tools are scalable and affordable for all SMEs.

The Government’s Cyber Local initiative aims to provide tailored support to SMEs based on size and location. However, only a few successful grants specifically target SMEs. The current scheme is limited to certain areas of England and Northern Ireland. Despite being a positive step, the £1.3 million investment indicates the need for increased funding and support. 

The Cyber Essentials programme, which was updated in 2022, is not sufficiently reaching UK SMEs, with many unaware of its existence. This must be addressed. Awareness schemes should engage SME owners during key business activities, such as tax submissions, employee data reporting or new business registrations. For SMEs with over 50 employees, mandatory compliance could be integrated into existing reporting obligations. 

The tax system can incentivise cyber security investments through tools like R&D tax credits and full expensing for plants and machinery. However, cyber security software investments face complications under current capital expenditure definitions. Establishing a dedicated capital allowance for cyber security that covers hardware and software would simplify access to tax reliefs. 

Collaborating with larger businesses can enhance SME cyber security. Smaller firms can gain valuable insights from those with dedicated risk management teams. Ensuring smaller businesses integrate their cyber security regime into critical business decisions is essential.

*Claim a free CybSafe trial for your business at https://www.vodafone.co.uk/business/cybsafe-1-month-free-trial