Historically, small and medium-sized businesses have been disproportionately impacted by cybercrime compared to larger companies. In fact, just three years ago, 96% of all cyber-attacks targeted SMEs1. This is likely due to cybercriminals noticing that smaller companies had limited defence resources compared to bigger companies, giving them a greater chance of a successful breach.
While the picture is no longer quite so dire for SMEs, recent government data shows an even more surprising shift. According to the Government’s cyber breaches security survey 2025, there were significantly fewer cyber-attacks against SMEs (42%) compared to last year (49%) – a nearly 7% reduction. The same can’t be said for medium (64%) and larger (74%) businesses, which reduced only by a few points each.
You can’t (entirely) outsource your cyber defence
Clearly, SMEs are doing something right – but what?
While there are no hard and fast explanations, the survey pulls out strong management as a possible reason, noting that ‘organisations with active senior leadership demonstrated more robust security strategies.’
At the same time, the survey notes two things that, together, may be a cause for concern. The first is that there’s a downward trend in businesses who are aware of the Government’s Cyber Aware campaign, and the second is that SMEs are increasingly reliant on external cyber consultants for information.
While external consultants are an essential and invaluable resource for SMEs, particularly those unable to recruit for a role internally, they aren’t a replacement for developing your own cyber strategy. A truly effective cyber defence has to start from within your business. That means fostering a culture of cyber alertness in your workforce, informing your business processes, and staying ahead of the latest cyber developments.
Staying ahead of the hackers?
When you drive a car, you wear a seatbelt. You just do.
In the same way, if you run your own business, you need cyber insurance.
That’s because even businesses who do everything right can still be victims of a cyberattack, and the consequences can be as severe as losing your business. What’s more, in the cyber world, there’s simply no such thing as being ‘ahead’, as hackers are constantly honing and developing their techniques to breach more and more successfully.
That’s why insurance is crucial to your cyber defence strategy. [CTA]
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems, we recommend that professional advice be sought.
Sources