Published 21st April 2026

More Than Half Of SMEs ‘Vulnerable’ To Cyber-Attack

Iain Wham, managing director of Innovec
One in eight small businesses have experienced a cyber-attack and more than half fear they would be vulnerable to a critical data breach in the future, according to a new study.

A survey of 500 businesses found that, while many small and medium-sized enterprises (SMEs) have implemented basic cyber security measures, critical gaps remain in training, incident response planning, and strategic preparedness that could prove catastrophic in the event of a serious breach.

Of those who responded, most said they lacked the resilience to withstand a prolonged operational shutdown, fewer than one in ten provide regular cyber security awareness training for staff, and fewer than a third have invested more in cyber security in the past two years.

The findings follow a sustained period of heightened cyber security risk for businesses, with the National Cyber Security Centre (NCSC) reporting record levels of ransomware attacks, business email compromise fraud, and supply chain vulnerabilities in recent years.

There have been several high-profile attacks reported on UK businesses recently – including Jaguar Land Rover, Arnold Clark, and major retailers, including Marks and Spencer and the Co-op – and there is evidence that attackers are targeting smaller businesses with weaker security defences.

The online survey – commissioned by Glasgow and Ayrshire-based IT support specialist Innovec – gathered responses from a randomised sample of SMEs across the country, spanning a range of sectors, from construction and financial services to hospitality and information technology.

Of the businesses that responded, 12.5% said they had experienced a cyber security breach in the past. Incidents included ransomware attacks, compromised email leading to financial loss (phishing), theft of customer and employee data and denial-of-service attacks.

A greater number said they felt their company was vulnerable to a future attack, with most indicating they would face critical financial pressure if they had to close operations.

One in eight respondents said their company would be unable to survive a complete shutdown lasting 48 hours or more, while almost a third estimated their maximum survival window in such circumstances would be three to seven days.

Iain Wham, managing director of Innovec, said the findings serve as a reminder that cyber security remains a significant business resilience challenge to a large proportion of the UK’s SME community.

He said: “As threats continue to evolve, and attackers increasingly target smaller businesses as entry points into larger supply chains, the need to act has never been greater.

“The question for SMEs and business support organisations is whether current levels of awareness, investment, and preparedness are sufficient to combat the next, inevitable wave of attacks.”

For SMEs, which often lack the dedicated IT security teams and financial reserves of larger corporations, the consequences of a successful attack can be existential.

Vulnerability self-assessment reveals widespread concern

When asked to rate their vulnerability to a cyber-attack on a scale of one to five – where one represents “not at all vulnerable” and five “extremely vulnerable” – more than half of businesses (52%) placed themselves at level three or above.

A significant minority rated their vulnerability at level four or five, indicating a genuine and acknowledged exposure to risk.

Wham said: “The survey results suggest that, even among those who have implemented technical defences such as multi-factor authentication and regular data backups, the capacity to weather a prolonged disruption remains dangerously limited.

“They show that more than three-quarters of SMEs surveyed would face severe financial distress within a month of a complete operational shutdown – and for nearly half, the critical threshold would be reached within just two weeks or less.

“For many small businesses operating on thin margins, such a scenario would likely prove terminal.”

What measures are in place?

When asked about the cyber security measures currently deployed, the survey revealed a mixed picture.

Multi-Factor Authentication (MFA) and automated data backups were the most commonly implemented measures – adopted by 67% and 62% of businesses respectively – while encrypted data storage and transmission were present in 43%, and endpoint detection and response (EDR) or next-generation antivirus software was used by 40%.

There were wide variations in cyber security awareness training for staff, with more than two thirds of businesses limiting provision to training sessions held annually or less often. Only 14% of respondents said they provided monthly updates.

One in five businesses reported providing training at least quarterly, while just 14% said they provided training at least monthly.

The ransomware dilemma: policies largely absent

Despite the growing prevalence of ransomware attacks and high-profile cases that have made national headlines, the survey found that the vast majority of SMEs have no formal policy on whether to pay a ransom in the event of an attack.

Only 12% reported having a formal policy never to pay a ransom, while 88% either had no formal policy or were unsure.

Asked what factors would influence their decision whether to pay a ransom or not, the length of potential business disruption was the most significant factor, with 50% of businesses ranking it as their top consideration.

The assurance that data would be decrypted was also highly valued, as were concerns about becoming a target for future attacks.

Investment trends: cautious progress

When asked how their organisation’s investment in cyber security had changed over the past two years, the responses revealed a pattern of cautious progress.

Around one in five respondents reported that investment had “slightly increased,” while one in 10 said it had “significantly increased”. Some 38% of businesses said investment had “stayed the same” while seven per cent said they did not invest specifically in cyber security.

Areas identified as requiring the most investment over the next 12 months included employee training and awareness programmes, cited by more than a third of businesses, while upgrading hardware and software was cited by one in four.