Cybercrime costing small firms millions

05 August 2019

Research from the Federation of Small Businesses (FSB) shows that small businesses are collectively subject to almost 10,000 cyber-attacks a day.


In January 2019 the FSB surveyed 1,135 businesses. Key findings include:


  • One in five (20%) small firms say a cyber-attack has been committed against their business in the two years to January 2019. More than seven million individual attacks are reported over the same period, equating to 9,741 incidents a day.
  • The annual cost of such attacks to the small business community is estimated to be £4.5 billion, with the average cost of an individual attack put at £1,300.
  • Victims are most frequently subject to phishing attempts, with 530,000 small firms suffering from such an attack over the past two years. Hundreds of thousands of businesses also report incidents of malware (374,000), fraudulent payment requests (301,000) and ransomware (260,000).
  • Those based in the North West, South East and West Midlands are most likely to be the victims of cyber-attacks, with 25%, 23% and 21% of small businesses in these areas, respectively, reporting cyber incidents.
  • One in three small firms (35%) say they have not installed security software over the past two years. Four in ten (40%) do not regularly update software, and a similar proportion does not back up data and IT systems. Fewer than half (47%) have a strict password policy for devices.



CIPP comment

From the time lost dealing with an attack to possible reputational damage, the impact can be considerable. The government’s Cyber Aware campaign encourages individuals and small businesses to adopt simple measures that make a big difference, including:


  • Always install the latest software and app updates - they contain vital security updates which help protect devices from viruses and hackers
  • Always back up your most important data - to an external hard drive or a cloud-based storage system. If your business’s devices are infected by a virus or accessed by a hacker, your data may be damaged or deleted
  • Provide staff with cyber awareness training - simple measures like incentivising staff to report phishing emails or educating them on ‘always downloading software updates’ can go a long way. Direct staff to Cyber Aware for the latest advice
  • Report all incidents of fraud and cybercrime to Action Fraud on 0300 123 2040 or online