A study by BT in partnership with Be the Business reveals that two in five (39%) SMEs, equivalent to two million businesses, have not arranged cyber security training for their teams1 – despite four in ten (42%) small businesses having experienced a cyber attack in the last 12 months, increasing to two in three (67%) for medium-sized companies2.
The impact can be severe too, costing companies considerable time and money to recover from an attack. Micro and small businesses have to pay £7,960 on average to cope with their most disruptive breach when it resulted in damage, according to the latest Government survey.
The most common attack SMEs face is phishing, with email scams targeting 85% of UK businesses. Damaging ransomware incidents, meanwhile, have more than doubled in the last 12 months, rising from affecting less than 1 in 200 businesses last year to 1 in 100 in 2025. A separate report by BT has revealed large businesses which are more proactive with their cyber security are more likely to grow than those who aren’t. It showed that these “cyber agile” companies have a 20% higher growth rate on average3.
In response, BT is bolstering its suite of security products with the launch of dedicated security training, to help SMEs understand the practical steps they can take to protect themselves against cyber attacks and potential breaches. The training, unveiled today at an event for SMEs featuring cyber security experts from BT, educates small businesses about next-generation threats, including the role of AI and quantum computing. It also highlights the rise of attacks, including account takeovers, where stolen customer credentials are used to breach systems, as well as QR code scams – or “quishing” attacks – which have surged by 1,400% in the past five years.
Tris Morgan, Managing Director for Security at BT, comments: “At BT, our mission is to enable UK businesses to grow and prosper, and we know the challenges SMEs face protecting themselves from growing cyber threats. These often include budget constraints and the lack of a dedicated cyber team, but for SMEs a cyber attack isn’t just an inconvenience; it poses an existential threat.
“The good news is that effective cyber security doesn’t require corporate-grade resources. With the right training, basic security measures, and awareness, SMEs can dramatically reduce their risk profile. The key is recognising that, in today’s digital landscape, cyber security is not a luxury but a foundation that enables companies to face forwards confidently, rather than forever looking over their shoulder.”
Further research findings:
- 18% of UK SMEs say their biggest cyber concern is the threats posed by AI. Seven in ten business leaders (69%), however, are considering using AI tools to protect themselves.
- About half (46%) of business leaders turn to industry experts for cyber security advice, more than any other source.