Cyber risk isn’t just a problem for big business. With attacks rising and many SMEs underprepared, experts say small firms must act now to strengthen resilience – or face serious financial and operational fallout.
Small and medium-sized enterprises (SMEs) are being urged to take cyber resilience more seriously as attacks surge and many firms remain dangerously exposed.
Gamze Konyar, head of cyber at Marsh Europe, warned that SMEs are increasingly in the firing line – not only because they often manage sensitive customer data, but because their lack of defences can ripple across broader supply chains.
“According to the European Union’s (EU) annual report, SMEs make up over 99% of the businesses in the EU and are considered to be the backbone of the financial system,” she said.
“Therefore, their lack of cyber resilience can have serious consequences, not only for their own organisations, but also for their supply chains.”
Claud Bilbao, regional vice-president of underwriting and distribution at Cowbell UK, agreed that many small businesses underestimate their vulnerability.
“Cyber resilience is not an add-on or a nice to have,” he said. “It needs to be a priority from day one.”
The risks are rising fast
In 2023, the average cost of a data breach for UK businesses reached £3.2 million, according to the Cost of a Data Breach Report, making the UK the sixth most expensive country in the world for breach-related losses.
The UK government’s Cybersecurity Breaches Survey 2024 also revealed that 59% of medium-sized businesses experienced a cyber breach or attack in the previous 12 months.
Florian Sättler, cyber incident management leader at Marsh Europe, said Marsh had seen a 61% rise in cyber claims notifications in 2024 compared to the previous year.
He added: “We recognise that contributing factors were on the one hand the evolving threat landscape, but also how the organisational and tech service was growing – and that was tied to the still increasing use of digital tools, systems and interconnectivity with internal systems, but also with external applications.”
Insurance markets are shifting too
Even as the threat intensifies, insurance coverage is becoming more accessible for mid-market firms.
Macarena Bandrés, cyber placement leader at Marsh Europe, noted: “From a risk environment perspective, notifications are rising and stabilising at a high level. Aggregation exposure and supply chain risk remain a top concern, with insurance products effectively addressing these issues.
“Cyber extortion is still significant, with business interruption being the main impact of ransomware attacks.”
She also highlighted that market conditions are evolving in favour of SMEs.
“Pricing and purchasing in the mid-market are becoming more competitive due to the increased capacity and lower penetration rates in this segment. Capacity per layer is still growing into 2025,” she said.
What SMEs should do next
For SMEs without a dedicated risk team, building cyber resilience may feel like a daunting task – but there are practical steps that even the smallest businesses can take to reduce exposure.
Key actions include:
- Get the basics right: Patch software regularly, require strong passwords, and enable multi-factor authentication.
- Train employees: Human error is the most common cause of breaches. Regular training can help staff spot phishing attempts and suspicious behaviour.
- Back up critical data: Ensure backups are performed regularly, stored securely, and tested – especially for data critical to operations or compliance.
- Map your supply chain: Ask vendors and partners about their cyber practices. Weak links can be exploited to access your systems.
- Review your insurance: Cyber cover is becoming more affordable for smaller firms. Work with a broker to understand what protection is available and what incident response support it includes.
- Prepare for the worst: Even a simple incident response plan can make a difference. Know who to contact, what systems to isolate, and how to communicate with customers and partners in a crisis.
Cyber attacks may be growing more sophisticated, but resilience doesn’t require enterprise-level resources. By embedding cyber hygiene into daily operations and leaning on expert support, SMEs can turn vulnerability into vigilance.
New government-backed scheme to help UK SMEs protect intellectual property
Small businesses with valuable intellectual property or operating in high-growth tech sectors are being urged to take advantage of a new UK government initiative designed to improve their cyber and protective security.
Launched in July 2025, the Secure Innovation Security Reviews scheme will offer up to 500 small or medium-sized UK companies tailored advice from approved experts. The scheme is backed by the Department for Science, Innovation and Technology, the National Cyber Security Centre (NCSC) and the National Protective Security Authority (NPSA), and delivered via Innovate UK.
Companies will receive a security health check, followed by a bespoke report outlining steps they can take to reduce risks such as insider threats, intellectual property theft, and cyberattacks. A follow-up visit after six months will assess progress.
Sectors eligible for support include AI, life sciences, advanced materials, renewable energy systems and others seen as critical to the UK’s innovation economy.
Businesses will contribute £500 to take part, with the government covering the remaining £2,500.
Technology Secretary Peter Kyle said the scheme would help “keep key companies and sectors safe from malicious larger competitors, including state actors”, while Security Minister Dan Jarvis added: “With 98% of businesses reporting a lack of knowledge to identify security threats, it is crucial they are equipped with the tools necessary to protect themselves.”
The programme builds on a successful 2023 pilot, where 98% of participants said they now had sufficient knowledge to identify threats, and committed to taking further security actions.
NCSC CEO Richard Horne said:
“Where ideas thrive, threats are never far behind… States, state-backed competitors, and cyber criminals target cutting-edge ideas and valuable data… That’s why building resilience is no longer optional – it’s essential for business growth and survival.”
To apply, SMEs must submit an expression of interest via Innovate UK.