Vodafone Business reports that UK small and medium-sized enterprises (SMEs) are collectively losing an estimated £3.4 billion each year because of insufficient cybersecurity measures.
On average, a cybersecurity incident costs a small business £3,398. For companies with 50 or more employees, the average cost rises to £5,001, illustrating that risks and potential losses grow as businesses expand. Financial harm stems from data breaches, system downtime and reputational damage, all of which contribute to significant annual losses.
Vodafone’s research highlights the scale of the threat to UK SMEs, showing they are increasingly targeted by cybercriminals. The report found a marked rise in attacks in recent years: more than a third (35%) of SMEs experienced a cyber incident in 2024. Among those affected, 28% reported between one and five attempted attacks, and 6% said they were targeted up to ten times within the same year.
Several factors leave SMEs particularly exposed. Budget constraints, a shortage of in-house cybersecurity expertise and competing business priorities often prevent smaller firms from developing and deploying comprehensive cyber defence strategies.
Key findings from Vodafone Business underline these vulnerabilities:
- Over half (52%) of UK SME employees have received no cybersecurity training
- Almost a third (32%) of SMEs have no cybersecurity protections in place
- More than a third (38%) of SMEs spend less than £100 a year on cybersecurity
- A majority (64%) of SMEs have staff who regularly work remotely or from other off-site locations
- 60% of SMEs allow employees to use personal IT equipment for work when working from home
- One in five (19%) remote workers have been targeted by cybercriminals
Nick Gliddon, CEO of Vodafone Business UK, said:
“SMEs are the backbone of our economy, yet they are losing a staggering £3.4 billion annually due to inadequate cybersecurity. In today’s rapidly evolving digital landscape, cyber threats are becoming more sophisticated, and SMEs are increasingly in the crosshairs of cybercriminals.
Investing in robust cybersecurity is no longer optional—it is a business imperative for protecting sensitive data, maintaining customer trust and ensuring long-term resilience.
At Vodafone Business, we understand the critical role SMEs play in driving innovation and growth, and we are committed to equipping them with the right tools and expertise to stay protected. However, SMEs cannot tackle this challenge alone.
Greater collaboration between businesses, industry leaders and government authorities is essential to providing these businesses with the resources, education and support they need to strengthen their cyber defences. By working together, we can create a safer, more secure digital environment that empowers SMEs to grow with confidence in an increasingly connected world.”
Industry organisations have echoed the report’s concerns. Mathew Evans, COO of techUK, commented:
“Accounting for 99.8% of the UK’s business population and employing two-thirds of the workforce, it’s clear that SMEs are the cornerstone of our economy. Their digitisation is a key lever for growth, and to seize technology’s opportunities and boost productivity, SMEs must take cybersecurity and resilience seriously.
Vodafone UK’s report highlights the significant impacts that cyberattacks are having on the UK’s SMEs, including an estimated £3.4 billion per year in lost revenue and 28% of SMEs saying that a single attack could put them out of business—showing there is still much to do to build resilience and raise awareness about cybersecurity as a critical business and growth enabler.
We have called for the government’s Industrial Strategy to increase focus on technology adoption across SMEs to lift productivity and to recognise cyber resilience as integral to growth. The findings and recommendations of this report underscore the need to give SMEs the attention they deserve and to support them in implementing robust plans to improve cyber resilience.”
Ibrahim Dogus, Co-Chair of SME4Labour, added:
“We at SME4Labour recognise that SMEs are the lifeblood of the UK economy, generating 25% of GDP and employing over 60% of the workforce. This Vodafone UK report demonstrates the importance of SME cybersecurity—and resilience more broadly—being treated as part of core business decision-making.
The report shows why we must protect growing businesses across the UK, which in turn protects livelihoods. We call on the government to support the report’s recommendations and continue the progress already made in backing SMEs.”
The research also details the most common attack types affecting SMEs. Phishing is the widespread leading threat, with 70% of firms reporting attempts to steal information via email, SMS, phone or social media. Ransomware, which locks or corrupts files until a ransom is paid, affected 23% of businesses. Distributed Denial of Service (DDoS) attacks, which overwhelm systems to disrupt operations, impacted 20%. Water-holing—where attackers create fake websites or impersonate legitimate businesses—was also identified as a meaningful risk.
While the report stresses the responsibility SMEs have to strengthen their security, it also calls for government action to make scalable, affordable solutions widely available. Vodafone Business puts forward several policy recommendations aimed at improving SME access to cybersecurity tools and support:
- Expand Cyber Local funding: Vodafone recommends increasing investment in the government’s Cyber Local initiative so tailored support reaches more SMEs across the UK. The report says the current £1.3 million is a helpful start but needs to be scaled and broadened beyond selected areas of England and Northern Ireland.
- Targeted awareness campaigns: The report finds many SMEs remain unaware of programmes such as Cyber Essentials. Vodafone suggests awareness campaigns be timed around key business activities—tax submissions, employee data reporting or business registration—to reach owners effectively. For larger SMEs (50+ employees), the report proposes linking compliance to existing reporting obligations.
- Tax incentives for cybersecurity investment: Vodafone proposes adapting the tax system to encourage cybersecurity spending. Unlike other investments that benefit from clear tax reliefs, cybersecurity software can face classification issues. The report recommends a dedicated capital allowance for cybersecurity covering hardware and software to simplify access to tax incentives.
- Promote public-private partnerships: The report advocates facilitating collaboration between larger companies and SMEs so smaller firms can tap into the expertise and risk management capabilities of larger organisations. Vodafone stresses that cybersecurity should be embedded into SME decision-making processes.
Vodafone Business’s report is a timely reminder of the escalating cybersecurity challenges faced by UK SMEs and underscores the need for a coordinated approach—combining business action, industry support and government policy—to protect this vital segment of the economy.
(Photo by Basil James)
See also: Tech Transparency Project: Millions download covert Chinese VPNs
Want to learn more about cybersecurity and the cloud from industry leaders? Attend the Cyber Security & Cloud Expo events in Amsterdam, California and London. These conferences are co-located with related events such as Digital Transformation Week, IoT Tech Expo, Blockchain Expo and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge.