Research commissioned by Vodafone has found that the equivalent of 1.3m small businesses would go bust if they were targeted by hackers, leading to calls for the Government to put more money into cyber defences.

The report urged the Government to expand and to protect small and medium-sized businesses further by providing more support to the National Cyber Security Centre and making cybersecurity protections more accessible.

The report ‘Protecting our SMEs: Cybersecurity in the new world of work’ states that the UK’s economic recovery from COVID-19 is at risk if new policy recommendations are not introduced in line with the new risks that have emerged in the last 12 months.

According to the Federation of Small Businesses, SMEs account for 99.9% of the UK’s six million private sector businesses. This means they employ three-fifths of the UK’s workforce. The policy recommendations would provide much-needed support for a critical component of the UK economy.

While much has already been done to support the development of the cybersecurity segment in the UK, Vodafone believes the next step should be to create policy that supports SMEs directly. As the risks are constantly evolving, Government policy for cybersecurity should also.

The report makes the case for several policy recommendations, including a reduced 5% VAT rate on cybersecurity products, as well as additional investment and resources for the National Cyber Security Centre to expand a dedicated unit for cybersecurity for business to help secure recovery for SMEs.

Vodafone believes the positive relationship between the National Cyber Security Centre and private industry has led to the UK having a world-leading cybersecurity industry. The expansion of an SME-dedicated unit would build on these foundations, enabling small businesses to further enjoy the benefits of this leadership position.

The recommendations were prompted by polling for the report which found that 1.3 million SMEs in the UK would collapse if they fell victim to a cyber-attack. A successful cyber-attack has an average cost of £3,230; 23% of SMEs polled said that they could not survive a loss of this scale.

Pre-COVID-19, cyber-attacks cost the UK economy £34bn a year. But this report finds that almost a third of SMEs (31%) have seen an increase in attacks since the beginning of the first lockdown in March 2020 – so this figure may now be even higher.

The report assesses the heightened cybersecurity risks to SMEs through working remotely, arguing that the Government should treat SME cybersecurity as a matter of national resilience, taking proactive steps to raise awareness among SMEs of the risks they face and supporting them to protect themselves more effectively. With over 75% of UK SMEs now relying on remote working, the risks are heightened.

The report’s recommendations in full are:

  • The next National Cyber Security Strategy should include a section on SME protection, with reference to the increased risk associated with remote working.
  • The Government should consider additional funding for the National Cyber Security Centre to expand a dedicated unit for cybersecurity for business.
  • SMEs should be incentivised to strengthen their own cybersecurity through direct subsidies. This could be paired with a reduced 5% VAT rate on cybersecurity products.
  • The Government should commit an additional 5% to the National Cyber Security Strategy budget to support the delivery of local cybersecurity skills and training.
  • Part of the Government’s doubled and rebalanced R&D budget should go towards cybersecurity product development in research centres in the North and Midlands.

Anne Sheehan, Business Director, Vodafone UK, said: “Cyber-attacks are an existential threat to Britain’s small businesses, yet nearly a third have no cybersecurity strategy in place. This report’s stark findings are a warning that as SMEs do more and more of their business online, it is vital that they take the steps they need to keep themselves safe – and that Government does more to support them to do so. The UK needs successful, resilient small businesses.”

The polling results in full showed:

  • 23% of SMEs, roughly 1.3 million companies, said that an average cyber-attack costing £3,230 would destroy the business.
  • Another 16%, almost a million SMEs, said that it would probably mean having to lay off staff.
  • 23% said that it might mean having to use up financial reserves.
  • Only 22% of those polled said that a loss of this level would not have a material impact on the business.
  • 4 in 10 SMEs (41%) had experienced some form of cyber-attack in the previous 12 months, with 20% experiencing six or more attacks.
  • 31% said that they had seen an increase in cyber-attacks since the UK went into lockdown in March 2020.

Simon Fell, Chair of the All-Party Parliamentary Group on Cybersecurity, said “This new report from Vodafone shows that businesses often lack awareness of the cybersecurity risks they face, the protection they need to mitigate them, and the resources to withstand them.”

“SME cybersecurity is not a prosaic issue facing a few journeymen trying their hands at a new business during the pandemic, but rather an issue of national economic resilience.”