‘Our research indicates some serious gaps in knowledge, leaving businesses highly exposed,’ says broker specialist

UK small and medium-sized enterprises (SMEs) are leaving themselves open to cyber threats and lack the cyber crime protocols to handle incidents, new data has revealed.

Cyber insurer Cowbell’s new research highlighted that only 19% of surveyed SMEs had a recommended cyber incident response plan (IRP) in place.

It also showed that 77% of UK SMEs did not maintain any in-house security, while 32% of chief executives said that they were confident a cyber attack would not impact their ability to do business.

Moreover, 10% of all business leaders said they did not need to improve their position regarding cyber risk and the majority of respondents (87%) did not consider reputational damage as a significant risk to business.

Cowbell’s data was collected via a survey of 500 UK SME C-suite executives and senior managers between 1 and 15 September 2023.

However, data breaches cost UK businesses an average of £3.2 million in 2023, with the UK being the sixth most expensive country for data breaches in the world, according to the Cost of a Data Breach Report 2023.

This is in addition to the government’s latest Cybersecurity Breaches Survey, published earlier this year (24 January 2024), which revealed that 59% of medium-sized businesses experienced cyber breaches or attacks in the last 12 months.

Simon Hughes, Cowbell UK’s vice president and general manager, commented: “Almost every day we see a new major cyber attack hit the headlines – and that’s just the ones big enough to warrant news coverage. Whether we put our heads in the sand or not, attacks are on the up.

“It’s not a case of if, but when. But now is not the time to scaremonger, it’s time for proactive planning.”


Cowbell’s research showed that complacency among SMEs was present across leadership positions, with only 20% of chief human resources officers, 22% of director roles and 28% of chief executives considering cyber threats to be their biggest risk.

However, chief financial officers ranked the risk as second to last out of 14 possible threats, with only 8% considering it to be their biggest risk.

The survey also highlighted confusion around first responses in the event of a cyber breach, with 8% of chief executives saying that they would engage with the threat actor directly.

However, rather than notifying the regulators or their insurance provider, 52% of respondents agreed their first course of action would be to notify the IT team should a breach occur.

There was also a clear lack of response demonstrated when respondents were asked what their first actions would be following a data breach. 10% of chief executives said they would notify regulators, while a further 10% said they would contact the in-house tech team.

Catherine Aleppo, broker specialist at Cowbell UK, said: “Our research indicates some serious gaps in knowledge, leaving businesses highly exposed.

“The message is clear – resolving the confusion around first responses is a matter of urgency.”