Eight in ten UK SMEs pay a ransomware demand

Small and medium sized businesses (SMEs) in the UK have seen cybersecurity resilience decline in the last year, according to new research from Censornet. Over half (51%) of SMEs believe their cybersecurity requires development to be future-proofed, up from 40.5% the previous year.   

Just over one in three (37%) can block ‘dangerous’ attachments 

The new findings are taken from Censornet’s ‘Cyber Resilience Report 2023’ -  an annual survey gathering insights from 200 UK-based IT and security leaders. The research shows email attacks emerged as the top cyber security incident, with one in three organisations suffering a serious attack due to an employee opening a compromised email, up from 16% a year earlier.  

This is likely due to SMEs' ability to prevent email attacks - which is in decline. Just over one in three (37%) can block ‘dangerous’ attachments from reaching the email inbox of users, a 14% decrease since last year. Only 29% of organisations can successfully quarantine suspicious or malicious emails, down from 34.5% a year earlier. In the public sector, these figures fall even lower to 33% and 23% respectively.  

Number of SMEs paying a ransomware payment jumps to 85%, from 21%  

While email attacks are increasing, other types of cyber breaches and attacks are showing signs of falling. Only 17% of organisations suffered a ransomware attack, compared to 21% a year earlier. The average cost of a ransomware attack has also fallen by 37% from £144,000 to £91,000. However, the number of SMEs paying the ransom has jumped dramatically from 21% to 85%.  

Less than a fifth (19%) of businesses suffered a significant outage lasting more than a day, down from 33% last year. While the number of SMEs experiencing data loss from a cyber-attack fell from 30% to 26%. 

The cost of cyber attacks also goes beyond the immediate cost of paying a ransom, leaving organisations facing reputational damage, poor moral and regulatory fines. Over a quarter (27%) of SMEs had a meaningful percentage of the workforce leave the company or change roles, 25% believe their customer service and support staff were negatively impacted, and 22% suffered damage to shareholder and customer confidence.  

“Small and medium-sized businesses play a vital role in the UK economy, accounting for three-fifths of employment and nearly half of turnoverin the private sector,” said Ed Macnair, CEO of Censornet. “Given these businesses are responsible for storing and processing large volumes of the UK’s data, it’s imperative they are confident they can protect data adequately with an integrated security platform that ensures all bases are covered.” 

Nearly a quarter (22%) suffer from sleep deprivation 

Nearly a quarter (22%) of cybersecurity professionals believe they are suffering from sleep deprivation due to cybersecurity concerns, significantly up from 9% in 2022. The average sleep for cybersecurity professionals has dropped from 5.7 to 5.4 hours per night in the last year - below the NHS recommended average of 7 hours per night. This puts cybersecurity professionals at risk of reduced alertness, poorer judgement, and slower reaction times.  

Four in 10 call for access to cybersecurity innovation offered to large enterprises   

Organisations are gradually shifting away from legacy technologies and recognise that there is a need for consolidation in the security stack. In the last year, one in six businesses (15%) have moved away from a reliance on legacy technologies designed for on-premise environments and re-architected for the cloud. While 63% of organisations reduced the number of security vendors, with 61% opting for a consolidated approach. 

There is also a growing demand to simplify cyber security and for technologies to be made more accessible. More than four in 10 businesses (43%) want access to the cybersecurity innovation that is on offer to larger enterprises and 40% would like enterprise-grade security implementation to be made less complex. More than half (55%) also want security vendors to open traditionally closed point-products to enable automated responses to cyber threats, an increase of 20% year-on-year.  

“As the UK’s growing businesses expand and extend their network boundaries, their attack surfaces expand dramatically. But buying more point products won't keep them safe. 

So it’s reassuring that UK plc is moving away from individual point products and towards integrated security platforms,” added Macnair. “For businesses that typically have smaller budgets and fewer resources, there is a growing need to simplify security via a platform approach that offers automation, intelligence and integration.”