Cyber risk complacency: the importance of not falling victim

Small business directors are urged to remain vigilant against cyber attacks, despite encouraging signs of progress in the UK.

UK companies are now among the least likely to encounter these attacks, according to the latest international data from Hiscox. Just under half (48%) have faced at least one incident over the past year.

Globally, the cost of recovery from cyberattacks has also dropped significantly for these firms, Hiscox’s 2023 Cyber Readiness Report reveals. The median cost has dipped to $24,200. And the maximum cost of a single attack is now under $5,000 for 42% of businesses – an improvement on 35% in 2021.

Room for further improvement as risks evolve

Behind the positive headline results, it’s clear that cyber risks continue to cast a long shadow over the UK’s business community.

The median number of attacks has doubled since 2021, climbing to six this time around. And hackers continue to vary their methods when accessing essential IT systems.

Business email compromise remains the most common entry point for attackers (37%). This is followed by corporate cloud servers (31%) and employee activities (26%).

The consequences of UK cyber attacks are equally varied. Misuse of IT resources is the most common outcome (29%), with virus outbreaks (27%) following closely behind. Elsewhere, ransomware attacks have risen up the agenda (18%).

A post-pandemic rise in remote working, and employees using personal devices for work, are among the main factors driving cyber anxiety.

Smallest businesses face increasing attacks

Globally, the smallest businesses are increasingly in the crosshairs of cyber criminals. More than a third (36%) of those with fewer than 10 employees have been hit. This figure has increased by over half in the past three years.

And despite falling costs, attacks can still run into the thousands of dollars. Globally, one in eight (12%) firms across all sizes say they have been forced to pay $250,000 or more.

Cyber risk has slid down priority lists for some nations. While five of eight countries still rank it as their top business risk, this previously stood at seven. Given the uncertain financial climate, it’s perhaps unsurprising that economic issues and competition have grown in importance this year.

The race to build cyber resilience

Both internationally and across the UK, businesses are taking the fight to cyber criminals with increased security spending and awareness.

Globally, median cyber security spending has jumped 39% over the past three years to $155,000. This is even more pronounced among smaller firms – with spending quadrupling in just two years for those with fewer than 10 employees.

In the UK, companies are mainly building their cyber resilience to reassure customers (27%) and avoid costly interruptions (26%). They now spend 23% of their overall IT budgets on cyber security. And almost a third (29%) have a standalone cyber insurance policy in place – up from 25% last time around.

Almost three-quarters (73%) of UK businesses say their brand would be damaged if they failed to handle their clients’ and partners’ data securely. Yet, they still have some way to go in becoming cyber security champions. The vast majority class themselves as cyber novices or having intermediate knowledge, rather than as experts.

Alana Muir, Head of Cyber at Hiscox, commented: “Improving digital resilience is a never-ending task for businesses, and the difference in how sectors are able to cope with this is marked. The uptick in attacks witnessed in the UK over recent years is concerning but not surprising. Cyber criminals are fast learners and often succeed in keeping one step ahead of the companies they are targeting. It’s important that cyber security and privacy are regularly reviewed, and necessary protections are put in place across all industries, to minimise damage to businesses and customers.”

Top five learnings for SME directors

The Hiscox Cyber Readiness Report shines a light on the main threats facing UK firms – and the positive actions they’re taking in response.

Here are five key learnings that directors of small and medium-sized enterprises could gain from it:

1. Educate your team on the different lines of attack

From compromised emails to hacked mobile devices, cyber criminals have many tactics at their disposal. Their methods continue to evolve, making blanket policies unwieldy.

Regular scenario training could boost awareness of different entry methods – across both leadership teams and your wider workforce. Password protection, phishing attempts and safe home working are just a few potential areas to focus on.

2. Create an advance recovery plan

Regular risk assessments could help you to spot vulnerabilities in your cyber defences. For example, they might flag outdated antivirus software or the risk of an employee losing sensitive data during their morning commute.

This process also encourages you to think about recovery steps following a cyber attack. How would you reassure clients and manage your hard-earned reputation? And would you automatically pay a ransomware demand, or join the 39% of UK firms who refuse to? Holding the answers to such questions may reduce short-term stress, should the worst happen.

3. Consider restricting access to vital data

Think carefully about the individuals who can access sensitive files and figures. Even in a tight-knit SME, it may be wise to set different permissions to stop information falling into the wrong hands. Ask yourself whether new starters really need full access straight away, and whether certain data could be ringfenced within specific teams.

If your defences fail, encryption may also act as a final data barrier. It works by scrambling data into complex codes, making everything unreadable without the right key.

4. Embrace tools for a safer hybrid world

With 36% of UK firms linking remote working to heightened cyber risks, a range of tools could ease fears about the modern hybrid world.

For starters, a virtual private network (VPN) might protect sensitive data and connections between remote devices and corporate networks. Elsewhere, multi-factor authentication confirms users’ identities after they’ve completed two or more sign-in methods.

5. Consider risk transfer through insurance

After you’ve worked to decrease your risk through best practices, another option might be to transfer that risk through insurance. Globally, around two thirds (63%) of businesses now have access to cyber insurance, either as standalone policies or within different cover.

This specialist type of insurance offers financial protection against cyberattacks and data breaches. It may assist you with direct losses, response costs and recovery fees.

Cyber and data insurance from Hiscox can help protect your business in the event of a cyber incident by covering the cost of any investigation and/or losses. To find out more and get a quote, click here or phone 0800 280 0354 (Mon-Fri, 9am-5pm, excluding bank holidays).


We work with Hiscox, who offer a wide range of policies to protect your business – including directors’ and officers’, professional indemnity, cyber and data risks, and office cover. As an IoD member, you benefit from a 12.5% discount* on their standard rates for the life of your policy.

Hiscox wants to help your small business thrive. Their blog articles will contain lots of useful information relevant to your growing business. But these articles do not constitute professional advice and must not be construed nor relied upon as such. To find out more on a subject we cover here, please seek professional assistance, specific to your circumstances.

*Any discount is only applicable to policies introduced via the Institute of Directors, whether existing or new, but could not be applied to policies that are being managed by an alternative third party such as an insurance broker.

Discount available for the lifetime of your policy applies on renewals while the Institute of Directors remains an Introducer Appointed Representative of Hiscox Underwriting Ltd.

Terms and conditions apply. For full terms and conditions see

The Institute of Directors is an Introducer Appointed Representative of Hiscox Underwriting Ltd. who is authorised and regulated by the Financial Conduct Authority. For UK businesses only.
