Small and medium sized enterprises (SMEs) throughout the UK are losing £3.4bn every year as a result of inadequate and unfit-for-purpose cyber security measures, with over 30% of businesses having no form of security protections in place whatsoever, and over a quarter being targeted multiple times every year according to a new report produced by Vodafone Business.
Vodafone’s report, Securing Success: The Role of Cyber Security in SME Growth found that the average cost of a cyber attack for a small business was around £3,400, rising to £5,000 for organisations that employ over 50 people.
Vodafone acknowledged the difficulties SMEs have in addressing the torrid threat environment, with budget constraints, skills gaps, and competing business priorities all taking their toll on their ability to implement comprehensive security strategies.
For example, over a third of the businesses surveyed do not give their employees security training, more than a third spend less than £100 in total every year, and just under two thirds allow employees to work from home using their own equipment, massively increasing their risk profiles.
“Cyber threats are becoming more sophisticated, and SMEs are increasingly in the crosshairs of cybercriminals. Investing in robust cyber security is no longer optional – it is a business imperative for protecting sensitive data, maintaining customer trust, and ensuring long-term resilience,” said Nick Gliddon, Vodafone Business UK CEO.
“SMEs cannot tackle this challenge alone. Greater collaboration between businesses, industry leaders, and government authorities is essential to providing these businesses with the resources, education, and support they need to strengthen their cyber defences. By working together, we can create a safer, more secure digital environment that empowers SMEs to grow with confidence in an increasingly connected world,” he added.
Vodafone today urged the government to do more to make security tools affordable and, crucially, scalable for SMEs. It called on Westminster to beef up its Cyber Local initiative, which is supposed to offer tailored support to SMEs based on size and location, but is limited to certain areas of England and Northern Ireland and only has a funding pot of £1.3m.
It also recommended updates to the National Cyber Security Centre (NCSC) Cyber Essentials programme, which it claimed is not sufficiently reaching SMEs with many remaining unaware of its existence, and suggested that financial tools such as tax credits, or a dedicated capital allowance, could be deployed to incentivise security investment.
Vodafone is also offering SMEs a one-month trial of its human risk management platform, CybSafe, including access to education and training sessions to help SME employees gain confidence in recognising potential threats.
Matthew Evans, techUK chief operating officer, said the report clearly set out the significant impact of cyber incidents on the UK’s SME community.
“TechUK has called for government’s Industrial Strategy to have a greater focus on raising technology adoption across the UK’s SMEs to increase productivity and to recognise cyber resilience as integral to growth,” he said.
“The findings and recommendations of this report only further underscore the need to give SMEs the attention they deserve, and to support them in implementing robust plans to build and increase their cyber resilience.”
Dan Bridges, Cyware technical director, added: “Vodafone’s policy recommendations – particularly calls for improved access to intelligence sharing, tax incentives, and stronger public-private partnerships – are well-aligned to motivate impactful changes.
“We see a major opportunity to democratise threat intelligence through collaboration and low-code automation, enabling SMEs to benefit from the same level of threat awareness and response capabilities as larger enterprises. Ultimately, cyber security is a growth enabler. Protecting digital assets builds customer trust, fuels innovation, and unlocks new markets. As SMEs continue to digitise, investing in intelligence-driven security solutions isn’t just about defense – it’s about ensuring long-term success.”
