UK SMEs fear cyber attacks most, Hiscox survey finds

Cyber attacks are the top concern for UK SMEs, according to Hiscox. Its survey found that 38% of respondents ranked cyber attacks or data breaches as the risk most likely to keep them awake at night.

The findings are based on a study of 1,000 UK small and medium-sized enterprises and form part of a wider survey of 6,250 small business owners across six countries.

The research also highlights wider pressure on smaller companies, with owners facing rising costs, staff issues and legal risks. Overall, 92% of UK business owners said worries about risks to their business were affecting their sleep.

Inflation or rising costs came a close second among UK concerns at 37%, followed by workplace accidents or employee injuries at 35%. Economic downturn and theft or property damage each scored 33%. Natural disasters such as floods or fires were cited by 29%, lawsuits or legal claims by 28%, and staff shortages by 27%.

The data also points to a gap between awareness of threats and understanding of insurance cover. Among UK SMEs, 77% said they did not understand cyber insurance, while 80% said they did not understand professional indemnity cover.

That lack of confidence comes despite cyber risk topping the list of concerns and legal claims troubling more than a quarter of businesses. Globally, only 20% of SMEs correctly identified what professional indemnity insurance covers, the report found.

Hiscox said 55% of UK SMEs have a protection gap, suggesting that concern about risk does not always translate into a clear understanding of what insurance would respond to in practice.

Alana Muir, Head of Cyber at Hiscox, said the findings showed a widening disconnect between anxiety about threats and preparedness for their financial and operational consequences.

"Small businesses today are navigating a more complex risk environment than ever before: evolving cyber threats, changing workforces, rising legal costs, and the weight of knowing these risks exist without always knowing how to manage them. But awareness alone doesn't equal protection. What the Global Protection Gap Report shows is the growing gap between businesses that know something could go wrong and those that truly understand whether they'd be covered if it did.

"Unsurprisingly, the areas where SMEs are most exposed are often the ones they feel least confident about. Cyber is a prime example. It tops the list of concerns, yet 77% of small business owners admit they don't fully understand what a cyber policy covers. The same is true of professional indemnity, where eight in ten (80%) SMEs say they don't understand the cover, despite legal claims keeping more than a quarter of them awake at night.

"The reality is that misunderstanding your cover can be almost as costly as having none at all. A business that believes it's protected, but isn't, may be less likely to seek advice or review its policies, which can leave gaps in cover," Muir said.

Cyber cover

Muir also warned smaller firms against assuming they are too small to attract cyber criminals, noting that the practical impact of an incident can extend well beyond any immediate financial loss.

"It's easy to assume your business may not be a primary target for cybercriminals. However, cyber attacks are not limited by business size, and SMEs are increasingly part of the threat landscape.

"Make sure your policy covers the full fallout of an incident, including data recovery, business interruption and customer notification costs, not just the immediate financial impact," Muir said.

The insurer also highlighted other areas where cover may no longer match how a business operates. Employers' liability insurance is usually a legal requirement for businesses with staff, including temporary or seasonal workers, and some micro-business owners remain unaware of that obligation.

On property insurance, the report noted that policies taken out when a company was smaller may no longer reflect the value of current stock, equipment or premises. Businesses operating from more than one site should also check whether cover applies across all locations where stock or equipment is stored or used.

Leadership strain

The research was accompanied by commentary from CAPE People Development, a consultancy that works with founders and small business leaders. Its co-founders and directors said risk often remains concentrated in the hands of owners even as companies grow more complex.

"In our work with small business owners, we consistently see that they are incredibly capable and committed. But those strengths can disguise the build-up of pressure. It becomes one more decision, one more approval and one more thing that only they can sign off.

"When you're deeply invested, financially, emotionally and reputationally, it's easy to blur the line between 'I care about this' and 'I must personally hold this'. As businesses grow, complexity and risk increase, yet many continue holding the same level of personal responsibility, only now the exposure is greater," said Naomi Regan, Co-Founder and Director at CAPE People Development.

Lynsey Kitching, Co-Founder and Director at CAPE People Development, said owners often delay reviewing governance and risk because immediate work takes priority.

"The mistake many small business owners make is waiting for things to 'calm down' before reviewing governance, cover or strategic risk. In reality, things rarely calm down. Urgent work will always feel more compelling than important work.

"Risk isn't reduced when it's held in one person's hands, it's reduced when responsibility sits in the right place and is clearly owned. If responsibility isn't clearly named, it will drift back to the small business owner.

"Build a regular rhythm into the calendar and treat it as non-negotiable. If it isn't protected properly, it will be squeezed out. We often use the 'glass jar' model to illustrate this. If you fill your time with 'sand' (the reactive, day-to-day demands), there isn't enough room for the 'rocks' (the strategic priorities, risk reviews and governance tasks). They need space allocated before reactive tasks fill the day. Protecting your energy is part of protecting your business," Kitching said.