Almost a third of small businesses have no cyber security strategies

A new report from Business in the Community reveals that many small businesses are leaving themselves vulnerable to cyber attacks.

A worrying 30% of small businesses don’t have any cyber security strategies in place at all, according to new research from Business in the Community (BITC).

The report, Would you be ready for a cyber attack?, reveals some eye-opening findings for small businesses. For example, only 35% of small and medium-sized businesses have a basic data protection policy and a meagre 23% have a policy for controlling access to their systems.

[Chart: A worrying number don't have cyber security strategies in place. Source: Business in the Community]

In terms of cyber security software, 17% or less of small and medium businesses reported either not knowing when they update each of these programs or not using them at all.

Which sectors are most at risk?

The legal and IT telecoms sectors have the most measures in place with only 8% of both sectors indicating they have nothing.

Retail (43%), construction (39%) and real estate (36%) have the fewest cyber security measures in place.

Meanwhile, the transportation and distribution sector was the least likely sector to know what, if any, cyber security measures were in place (34%).

Regions with no cyber security measures

A substantial 40% of businesses in Wales and 32% in the North East said they had no cyber security measures in place at all.

By contrast, 18% of small and medium-sized businesses in London and 20% of businesses in the East of England and East Midlands indicated they have no cyber security measures.

Staff training beyond the IT department

Small businesses were more likely to think it is not necessary (34%) or have no particular reason (28%) for training all of their staff in cyber security, rather than just the IT department. That’s compared to 17% and 18% of medium-sized businesses respectively.

[Chart: Reasons small businesses don't invest in cyber security training. Source: Business in the Community]

Of the sectors surveyed, retail (46%), hospitality and leisure (40%) and education (33%) were most likely to think that training isn’t necessary.

Cyber security recommendations for small businesses

To help your small business improve on the cyber security front, Business in the Community has these recommendations:

Take a test

To get an overview of your business’s resilience against cyber attacks, take Business in the Community’s readiness test – you can find it at At the end of the test you can download a PDF which has tips and links to resources. You can also opt in to a small business resilience community to get future resilience communications.

The basics

The following are the minimum steps a business should take to be more cyber resilient, according to the National Cyber Security Centre (NCSC).

  • Use a firewall to protect your internet connection. You’ll find built-in firewalls on most devices.
  • Choose the most secure settings for your devices and software (check the manual for more information).
  • Take control of who has access to your data and information using passwords and specific user accounts.
  • Make sure your anti-virus software is up to date.

Back up your data

Back up your business-critical data regularly, preferably automatically and in one place. Updating software straight away leaves fewer holes and bugs in your software that can be exploited by hackers. If you can’t update manually, the NCSC recommends that you set up notifications from your software provider, so you know there’s going to be a change.

Develop a cyber security policy (if you don’t have one already)

Develop a cyber security policy that includes cyber security. This needs to be shared with all new and current employees with regular training provided by the company – including disciplinary procedures as a deterrent.

Provide regular, appropriate training for your staff

Training must be appropriate for the department. For example, the IT department will be more involved in the implementation of policies so they should have more in-depth training.

Get involved in the cyber security world

Pay attention to what’s going on in the cyber security world too. Follow authorities on the subject through social media and sign up to newsletters where you can.

Invest in cyber insurance

It also helps to invest in cyber insurance as a support should there be disruption to your business or costs involved with data loss or replacement of equipment. You’ll also have access to specialists at short notice, helping to stop an attack and get you back on track as soon as possible.

Cyber insurance can also help with managing your company’s reputation should a breach occur and with paying any fines associated with a breach.


Anna Jordan

Anna is Senior Reporter, covering topics affecting SMEs such as grant funding, managing employees and the day-to-day running of a business.
