More than half of small and medium-sized enterprises (SMEs) have faced a cyberattack in the past year, according to Hiscox’s ninth annual Cyber Readiness Report.
The insurer’s research found that 59% of SMEs surveyed were targeted in the last 12 months, with a third (33%) subsequently incurring substantial fines.
The financial and operational fallout was wide-ranging. About 30% reported a drop in business performance indicators such as share price, while 29% faced higher costs linked to notifying affected customers. Another 29% said attracting new business became more difficult. Payment diversion fraud left 44% out of pocket, and 32% reported employee burnout following incidents.
Ransomware continues to be a prominent risk, with 27% of businesses saying they had been targeted. Of those, 80% opted to pay a ransom to recover or protect data, but only 60% recovered all or part of it. Nearly a third (31%) of those who paid faced repeat demands for additional sums. With governments reviewing potential disclosure requirements, 71% of SMEs surveyed said firms should be compelled to reveal whether they had paid ransoms and how much.
According to Eddie Lamb, global head of cyber at Hiscox, attackers increasingly prioritise sensitive corporate data such as contracts, financials and intellectual property. Criminals then use reputational threats to set payment demands, leaving companies without insurance support especially exposed.
Artificial intelligence, meanwhile, is both a tool and a threat. While 65% of SMEs viewed AI as an opportunity, 57% had already experienced cyber incidents linked to AI vulnerabilities. These included deepfakes, manipulated social engineering attempts, and weaknesses in third-party AI tools. In response, 94% plan to increase cyber security investment over the next year, 70% aim to expand employee training, and 60% expect to hire additional staff.
The findings support broader concerns raised by the World Economic Forum, which described SMEs as the “soft underbelly” of the global economy. With around 90% of businesses worldwide falling into this category, limited budgets and expertise leave many unprepared for advanced cyber threats. The WEF urged collective action to improve defences, arguing that smaller firms’ vulnerabilities can destabilise supply chains and affect larger enterprises and public infrastructure.
Research highlighted by Computer Weekly paints a similar picture in the UK, where 5.5 million SMEs employ 60% of the workforce. The CyCOS project, led by Nottingham University and partners, found that nearly a quarter of SMEs struggle to find cyber security advice, while others find existing guidance difficult to understand or implement. The project aims to build “communities of support” to improve access to knowledge and collaboration among SMEs.
The Hiscox report also included practical recommendations for businesses, such as installing security software, using password managers, keeping systems updated, backing up data securely, and restricting access to sensitive information.