New research calls for ‘less fear and more action’ from SMEs, as cyber-naivety leaves 4 out of 5 businesses wide open to threats

Survey lifts the lid on worrying state of cyber vigilance, revealing just 19% of UK SMEs have a cyber incident response plan in place

Divided and failing: more education needed as C-suites left at risk, with no clear unified approach to cyber threats

March 18, 2024 – A new survey* released today shows that the UK’s small and medium-sized enterprises (SMEs) lack implementation of best practice cybercrime protocols and are woefully unprepared to react to an incident, with only 1 in 5 (19%) having a recommended cyber incident response plan (IRP) in place. 

While AI advancements continue to escalate both the complexity and spread of cyber attacks, the survey – commissioned by Cowbell, a leading provider of cyber insurance for SMEs and mid-market businesses – revealed a cavalier approach from UK leaders to the consequences:

  • 77% of UK SMEs do not have any in-house security
  • 32% of CEOs were confident a cyber attack would not impact their ability to do business
  • 1 in 10 (10%) of all business leaders said they do not need to improve their position regarding cyber risk
  • 87% did not consider reputational damage as a significant risk to business

Data breaches cost UK businesses an average of £3.2m last year – with the UK being the sixth most expensive country for data breaches in the world. This is in addition to the Government’s latest Cybersecurity Breaches Survey, showing 59% of medium businesses experienced breaches or attacks in the last 12 months.

Despite these statistics – and GCHQ’s National Cyber Security Centre warning that global ransomware threats are expected to rise with AI – complacency among SMEs was seen across the leadership bench, with only 20% of CHROs, 22% of Director roles and 28% of CEOs considering cyber threats to be their biggest risk. Worryingly, the risk of cyber threats almost fell off the CFOs’ radar, who ranked it second to last out of 14 possible threats, with only 8% considering it their biggest risk.

Alongside a trend for underestimating the current cyber climate, the survey also highlighted confusion around first responses in the event of a cyber breach; nearly 1 in 10 (8%) CEOs said that they would engage with the threat actor directly.

Rather than notifying their insurance provider, over half of all respondents (52%) said their first course of action would be to notify the IT team should a breach occur. 

When respondents were asked about the ‘first action they would take following a data breach’, a clear lack of unified response across the C-suite was evident:  

  • CEOs: 10% said they would notify regulators, while a further 10% said they’d contact the in-house tech team 
  • CFOs: 17% would notify the in-house tech team, 10% would inform clients/customers and a further 10% would notify the finance team
  • HR Directors: 24% felt they should notify the in-house finance team first 
  • Senior marketers: 31% thought they should first inform their tech team, while 25% said they’d notify their insurance provider 

With cybersecurity protection out of sight and mind – and the first port of call post-attack varying wildly across the leadership board – VP and General Manager, Cowbell UK, Simon Hughes says that the UK’s SMEs are leaving themselves vulnerable and wide open to threat. 

He comments: “Almost every day we see a new major cyber attack hit the headlines – and that’s just the ones big enough to warrant news coverage. Whether we put our heads in the sand or not, attacks are on the up. As developments in AI continue, we will almost certainly see an increase in the volume, complexity and impact of cyber attacks in the coming years. It’s not a case of if, but when. But now is not the time to scaremonger, it’s time for proactive planning.”

Broker specialist, Cowbell UK, Catherine Aleppo added: “Our research indicates some serious gaps in knowledge, leaving businesses highly exposed. The message is clear: resolving the confusion around first responses is a matter of urgency. More support and education on cyber risk and Incident Response Planning needs to happen if businesses are to navigate these incidents and recover quickly. There is work to be done, raising critical awareness of cyber vulnerabilities and safeguarding the UK’s SMEs who form the backbone of the UK economy.”

* Independent survey research was carried out by Research Without Barriers between 1st September 2023 and 15th September 2023, based on a sample of 500 SME UK C-Suite and senior managers.
** Based on 5.6 million SMEs in the UK.

About Cowbell (UK)
Cowbell is a pioneer of Adaptive Cyber Insurance, a leader in providing businesses – from small and medium-sized enterprises (SMEs) to companies with up to £1 billion annual turnover – with coverage adaptable to today’s and tomorrow’s threats and the advanced warning of cyber risk exposures. With its unique AI-based approach to risk selection and pricing, Cowbell’s continuous underwriting platform, powered by its patented risk rating factors, Cowbell Factors – an offering not available with any other cyber insurance provider – compresses the insurance process from submission to issue in less than 5 minutes, and gives businesses the ability to benchmark their IT security against industry peers.

Cowbell is backed by 20 prominent leading global (re)insurance partners and serves SMEs and mid-market companies in 50 U.S. states, the District of Columbia and the United Kingdom. Founded in 2019, Cowbell is based in the San Francisco Bay Area with employees across the U.S., Canada, India, and the U.K. For more information, please visit
