More than two-thirds (69%) of UK small and medium enterprises (SMEs) lack a cybersecurity policy, according to figures from specialist insurance firm Markel Direct.

The research identified a significant lack of basic cybersecurity measures and hygiene in place across these companies.

This included 43% admitting that their employees are not trained on best practices and potential threats, while just 35% encourage their employees to update passwords.

Additionally, only around half (52%) of SMEs use multi-factor authentication (MFA).

Regarding security tooling and software, 72% of SMEs said they have antivirus/anti-malware software in place, 49% have email filtering for spam and phishing emails, 47% have a firewall and 46% have secure Wi-Fi networks.

Under half of surveyed companies conduct regular data backups (46%) and have data encryption (44%).

More than two-thirds (69%) regularly update system software.

The survey of 500 SMEs also found that half (49%) would not know what to do in the event a cyber-attack.

A similar proportion (53%) do not have cyber insurance in place in case of a breach.

When asked how they secure company data when accessed by employees working from home, 52% of SMEs said they use virtual private network (VPN) access, 48% train their employees on secure remote work practices and 46% have remote access policies and controls in place.

Biggest SME Cybersecurity Concerns

The biggest cybersecurity concern for UK SMEs for the future was the increasing sophistication of cyber threats (62%), fuelled by AI and other emerging technologies.

This was followed by securing remote work environments (23%), ransomware and other forms of malware (22%), emerging technologies and their implications (21%), insufficient budget/resources for cybersecurity (19%) and vulnerabilities associated with third-party vendors and suppliers (19%).

Rob Rees, Divisional Director of Markel Direct, commented: ‘Staying ahead of cyber threats is crucial for small business owners, especially as AI-driven attacks continue to evolve. Having a robust cybersecurity policy in place can help create a framework to safeguard against ongoing threats, whilst cyber insurance can help to protect your business in the event of a targeted attack.”

A survey by JumpCloud in July 2024 found that 49% of SME IT teams believe they lack the resources and staffing to defend their organization against cyber-threats.