AI threats top concern for UK SMEs' cybersecurity in 2025

A new independent study by Six Degrees, a secure, integrated cloud services provider, reveals that AI-generated attacks are the foremost cybersecurity concern for UK Small and Medium Enterprises (SMEs) for the year 2025.

Findings from the report "Mapping the UK SME Cyber Security Landscape in 2025" show that over a third of SMEs, or 35%, are primarily worried about AI-related threats. This surpasses concerns about malware, scams and fraud, phishing, and ransomware, which each were cited by around 25% of respondents. This revelation raises questions about whether the prominence of AI threats has been overstated or if they represent a significant reality in the evolving cyber threat landscape.

Other cyber threats, such as insider threats, zero-day vulnerabilities, and denial-of-service attacks, although not among the top five concerns, still pose a considerable danger to SMEs. Vince DeLuca, Chief Executive Officer at Six Degrees, commented on the findings: "SMEs should definitely be concerned about AI-generated cyber-attacks, but that concern needs to be proportionate. For now, AI is an enabler for existing threats rather than a facilitator of new kinds of attacks." He emphasised the importance of remaining vigilant against conventional cybercriminal tactics, such as phishing, which AI could amplify in efficacy and sophistication.

DeLuca also highlighted the broader risks SMEs face, "However, that doesn't mean lower-ranking threats are less dangerous. The real danger is a lack of in-house skills and resources within SMEs to address all current cybersecurity threats and spot new attack variants in the future."

The survey indicated that many SMEs are aware of their limitations and are opting for third-party support through managed cybersecurity solutions. According to the report, this strategy seems to be yielding positive results.

Respondents are optimistic about AI's role in cybersecurity. 44% believe IT teams will benefit more from AI in 2025, compared to 15% who believe cybercriminals will gain the upper hand. Commenting on this perspective, DeLuca said, "It's still quicker and easier for security teams with the right tooling and expertise to analyse system vulnerabilities than for bad actors to identify them from scratch."

Reportedly, nearly 90% of SMEs feel their cybersecurity position has improved, though DeLuca advises caution, highlighting that mere adoption of cybersecurity tools does not equate to comprehensive security improvement. He recommends that SMEs engage in regular assessments, red teaming exercises, and penetration testing to ensure their security enhancements are effective.

DeLuca elaborated, "These solutions require the backing of an actively engaged IT or cybersecurity team to ensure they are utilised to their full potential. The cybersecurity tool or service purchase—and its ongoing management—has to form part of a broader strategy that informs business change in every single context."

He concluded by recognising the challenges faced by IT and cybersecurity professionals in SMEs: "This is a big ask for IT and cybersecurity professionals within SMEs, especially as our data suggests they are working hard to protect their organisations from increased cybercriminal activity against a backdrop of skills and resource shortages."