
Cyber fraud costs small businesses £35,000 – here are 7 ways to safeguard your livelihood


Lauren Hellicar

25 April 2019


Cyber attacks can cost thousands of pounds in repairs and loss of business, and a new report indicates that small businesses may be more at risk.

Despite this, 30 per cent of small businesses don't have any cyber security strategies in place, and only 23 per cent have a policy for controlling access to systems that are limited to certain employees, according to the report by Business in the Community (BITC).

The high cost of cyber attacks on small businesses

The report, ‘Would you be ready for a cyber attack?’, also highlights two further pieces of research.

According to the Cyber Security Breaches Survey 2018, the average cost of a cyber breach to a micro or small business is £894, while a report from Barclays found that “frauds against small and medium-sized enterprises (SMEs) cost £35,000 on average”.

Whichever figure you go by, it’s clear that a cyber attack can lead to significant financial difficulties for small businesses.

Has GDPR affected small business attitudes to cyber security?

It may at first seem promising that complying with GDPR was the main driver for small and medium-sized businesses who have implemented cyber security measures in the past 12 months (44 per cent).

However, GDPR was implemented in May 2018 and according to the BITC report:

  • only 35 per cent of small and medium-sized businesses have a basic data protection policy
  • only 29 per cent have a policy for controlling access to systems
  • 25 per cent of small and medium-sized businesses do not have any cyber security strategies

For the self-employed, freelancers and contractors, perhaps the most useful part of the report can be found towards the end, where BITC lists seven cyber security recommendations for small businesses.

We take a look at them in turn to see what small businesses should do to live up to their cyber responsibilities.

1. Implement the National Cyber Security Centre’s (NCSC) cyber essentials

The following five steps are the minimum action the NCSC recommends small businesses take:

  • use a firewall to secure your internet connection – most devices have built-in firewalls
  • choose the most secure settings for your devices and software
  • control who has access to your data and services – using passwords and specific user accounts
  • protect yourself from viruses and other malware using anti-virus software and staff training
  • keep your devices and software up to date – using auto-update mechanisms

In the last 12 months, 40 per cent of small businesses haven’t taken any cyber security action, whether that’s policies, insurance, staff training, or other measures. And more than three quarters (77 per cent) have no policy for controlling access to their data systems.

2. Back up your data

Small, medium or large – all businesses have data that they’d be lost without. In the report, small business owners are advised to back up their business-critical data as often as possible.

Automatic updates are noted as being the preferred way of doing this, and it’s always worth saving your data in more than one location, whether that’s cloud storage or an external drive.

10 per cent of small businesses never back up essential data.

3. Update your software

Stop opportunistic hackers from taking advantage of your security weaknesses and bugs in older versions of the software you use for your business, by updating your software as soon as a new update's released. This includes your:

  • antivirus software
  • antimalware
  • firewalls

68 per cent of small and medium-sized businesses automatically update their antivirus software when a new update is released. For antimalware software, 65 per cent apply automatic updates, and for firewalls that figure is 61 per cent.

4. Write your security policy

The report recommends developing a security policy that includes cyber security. If you have employees currently, or you think you might hire them in the future, you should be mindful to share the policy with all of them, ensuring your people are kept up to speed.

Only 35 per cent of small and medium-sized businesses have a basic data protection policy, and only 29 per cent have a policy for controlling access to systems.

5. Train your employees

If you employ people, you’ll want to make sure they’re working safely online. This includes ensuring they know what to look out for – and the steps to take – to stop your business from falling prey to a cyber attack. And make sure the training you provide suits the person and role being trained.

34 per cent of small businesses think it’s unnecessary, and 28 per cent say they have no particular reason, to provide cyber security training for employees.

6. Stay alert

Make sure your business is as secure as it can be by staying up to date with what’s happening in the cyber security world. BITC recommends following the NCSC’s Twitter feed for all the latest on the current threats out there.

7. Invest in cyber insurance

Cyber insurance can’t replace good cyber security practice – but if you do experience an attack, it can give you peace of mind that there’ll be a limit to the disruption you’ll experience due to things like data loss or having to replace your equipment.

You can read more about this type of cover in our article: What is cyber insurance? A guide for small businesses and the self-employed.

8. Merge your cyber security with a physical security strategy

Although cybercrime rates have skyrocketed and it's fast become a primary security concern, many cybercrime incidents are surprisingly linked to oversights within a business’s physical security plans and measures.

As systems and applications increasingly go cloud-based and mobile, it's becoming virtually impossible to achieve a continuity of identity and sensitive data protection without merging cyber security practices with physical security strategies.

Top tips for merging cyber and physical security include:

  • installing surveillance and access control systems in any area that houses personally identifiable information (PII) or other sensitive data
  • restructuring teams so that IT leaders and physical security specialists work together
  • ensuring that security system providers and internal teams all work to the same cyber security best practices
  • creating formal collaboration channels between security teams to best use insights for heightened security across the board

Summary of the BITC's findings

Here's a quick overview of the key takeaway points from the BITC's report:

Size matters when it comes to cyber security

The evidence in the report shows that small businesses don’t invest as much time or money into their cyber security as medium-sized businesses.

And small and medium-sized businesses tend to have fewer resources in place to deal with cyber attacks than the big corporates. But it’s clear that cyber security isn’t something any size of business can afford to leave on the back burner.

Cyber security diligence varies by sector

Equally, there seems to be a link between the type of business you operate and the likelihood of you having adequate cyber security measures in place.

For example, only eight per cent of small and medium-sized businesses in the legal sector and in the IT and telecoms sector have no measures in place.

The worst performing sectors were:

  • retail (43 per cent)
  • construction (39 per cent)
  • real estate (36 per cent)

And 34 per cent of businesses in the transportation and distribution sector didn’t know what cyber security measures they had in place.

There are regional variations in attitudes to cyber security

Compared to other locations in the report, Wales admits to having fewer cyber security measures in place and being less likely to update antivirus, antimalware and firewall software.

Wales also trails behind in the rankings for businesses with no cyber security measures in place:

Best two regions:

  • London (18 per cent)
  • East of England and East Midlands (20 per cent)

Worst two regions:

  • the North East (32 per cent)
  • Wales (40 per cent)
