Only a quarter of small businesses see cybersecurity as a top priority

  • One in six (17 per cent) small business professionals say that cybersecurity isn’t a priority for their organisation
  • Just 16 per cent of small business professionals rate their knowledge of cybersecurity risks across their organisation as excellent, while 15 per cent say that it isn’t good
  • This is despite nearly half of all small businesses (49 per cent) having experienced a cyber-attack

Only a quarter (26 per cent) of small business professionals see cybersecurity as a top priority for their organisation, according to new research by Direct Line business insurance (1). One in six (17 per cent) don’t see this as a priority at all.

The level of knowledge around cybersecurity is also poor: just 16 per cent of small business professionals rate their awareness as “excellent”, while 15 per cent say that it “isn’t good”. This is concerning given that nearly half of respondents (49 per cent) say that their organisation has experienced a cyber-attack. The reasons for these attacks have been diverse, including malware and phishing.

When it comes to why SMEs experienced a cyber-attack, human error accounts for almost half (42 per cent) of all cyber-attacks. This highlights the importance of cyber insurance, as cybersecurity software won’t protect small businesses from this specific vulnerability. In addition, almost one in ten (eight per cent) businesses cited out-of-date software patches as the reason they experienced a cyber-attack.

Reasons for cyber-attacks on small businesses, Direct Line business insurance, 2022:

| Reasons for cyber-attack on small business | Percentage of small business professionals who said that this was the cause of the cyber-attack |
| --- | --- |
| The security breach occurred via a third party | 20 per cent |
| Employee plugging in an external device containing malicious software | 15 per cent |
| Employee clicking on an email or website containing malicious software | 14 per cent |
| Employee accidentally divulging confidential information | 13 per cent |
| We didn’t have any cyber security protection | 13 per cent |
| Weak password protection | 10 per cent |
| We hadn’t updated our systems with the latest patches for apps, software, and operating systems | 8 per cent |

Source: Direct Line Business Insurance

The consequences of these cyber-attacks have been devastating for many businesses. Almost a quarter (24 per cent) have had to deal with costs associated with legal action, 23 per cent have had to deal with the financial implications of data recovery and 22 per cent have had to cope with severe brand reputational issues. Nearly one in five (19 per cent) enterprises lost business as a result. Yet just 24 per cent regard cyber insurance as essential for their business.

Recent research from the Cyber Security Breaches Survey also found that the average cost of a cyber-attack is a staggering £4,200. This is a huge cost for any business, but particularly for SMEs, which highlights even more the need for cover.

On a more positive note, more than half of small business professionals (53 per cent) agree that cybersecurity ought to be taken more seriously.

Within this group, 29 per cent said that this was because of cyber criminals becoming increasingly sophisticated in their scamming attempts. Over a quarter (26 per cent) said it’s because they are storing more customer, employee, supplier and third-party data on their systems, and the same proportion stated it was because they had moved to an online business model and were therefore processing more information.

Alison Traboulsi, Product Manager at Direct Line business insurance, commented: “Our latest research shows that small businesses continue to face a diverse range of cyber threats. Cyber criminals are clever, and phishing and malware continue to be a key cause of cyber security breaches. Criminals will look to catch unsuspecting employees off-guard and lure them into doing something they shouldn't, like opening an attachment in a fake email, sharing sensitive information, or inadvertently allowing them to bypass cybersecurity. If this happens and criminals get their hands on sensitive customer data, systems or access to bank accounts, the impact on businesses can be devastating.

“It’s important that employees are trained to identify potential points of vulnerability to help prevent cyber-attacks and that businesses consider taking out cyber insurance to help them deal with the consequences of a breach.

“Direct Line’s Cyber Risks offering provides cover for loss of business income, recovery costs for fixing computer system damage, fines and compensation costs, as well as access to public relations and brand management experts to minimise reputational damage.”

You can find out more about Direct Line’s cyber insurance services at the following webpage:

For some tips on cybersecurity from an ethical hacker, please visit:



(1) Opinium survey of 2,000 UK adults, 175 of whom had decision-making responsibilities within their small business, conducted 17th-20th May 2022

Direct Line Group

Unni Henry

PR Manager


About Direct Line business insurance

Launched in 2007, Direct Line business insurance now has over half a million customer policies, providing a flexible range of insurance products for the landlord, van and small business sectors.

Direct Line business insurance policies are underwritten by U K Insurance Limited, Registered office: The Wharf, Neville Street, Leeds LS1 4AZ. Registered in England and Wales No 1179980. U K Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

Direct Line business insurance and U K Insurance Limited are both part of Direct Line Insurance Group plc.

Customers can find out more about Direct Line business insurance products or get a quote by calling 0345 301 4827 or visiting