6 in 10 UK small businesses hit by cyber attacks - what can you do?
Six in 10 UK small businesses were hit by at least one cyber attack in the last year, leaving them at risk of “immediate and significant harm”, according to a new study by Wakefield Research for Hiscox insurance.
As ransomware attacks on major British companies like Marks & Spencer and the Co-op make headlines, the Hiscox Cyber Readiness Report 2025 is a reminder that it isn’t just big businesses who face a growing threat. Small businesses (those with fewer than 50 employees) also frequently find themselves targeted - many of them multiple times.
A successful attack can disrupt operations, drive up costs and expose sensitive data. Of UK small businesses who had faced cyber crime, 30% said the incident “materially threatened the solvency or viability of the company” - i.e. their ability to stay afloat.
“The rise of digital commerce has created tremendous opportunities for small businesses, empowering them to innovate, reach new markets, and play an increasingly vital role in the global economy,” says Eddie Lamb, Global Head of Cyber for Hiscox. “But these opportunities also present challenges. As businesses embrace new technologies, they must also navigate a landscape where evolving cyber threats can jeopardise their success in new ways.”
With that in mind, we asked Eddie Lamb to provide his expert advice on what every small business should be doing right now to protect themselves. These are his cyber security top tips.
1. Install a reputable software security package
“Probably one of the most effective ways to mitigate the latest cyber threats is to install security software on all your devices,” says Eddie. “These combine multiple tools and features that can help to automatically identify and block suspicious activity, then take proactive steps to remove the cause of the threat. The latest generation of security software is powered by AI (artificial intelligence) and often combines crucial features such as antivirus, network firewall, password managers and data back-up to offer a holistic set of complementary controls to protect against threats such as ransomware.”
2. Use a password manager and robust authentication
“Weak or reused passwords are prime targets for hackers seeking unauthorised access to business systems,” adds Eddie. “A good password manager can help you to create complex passwords and store these securely. Many can now also monitor for password breaches and notify you of the need to make changes. When combined with the use of biometrics and multi-factor authentication (MFA), they provide enhanced layers of security for your digital identities. Not only can a password manager help reduce cyber risks, but they are also more convenient for users and improve the overall digital experience.”
3. Keep your systems and software up to date
“Outdated operating systems and applications often contain security vulnerabilities that cyber attackers can exploit. Develop a routine for regularly installing updates across all your company devices and software platforms,” advises Eddie. “Consider enabling automated software updates for ease of security patching, as this can help ensure critical updates are applied quickly and only from the verified vendor. Not only are routine updates great for security; they will also help ensure your devices and software are working at peak performance with all the latest features.”
4. Back up company data securely… and test those processes regularly
“Even with robust defences, there is always a risk of data loss or ransomware attacks. Frequent, secure back-ups - stored either offline or in the cloud - ensure that businesses can recover quickly if the worst happens. Today, data back-ups can often be automated through the use of software to ensure they are seamlessly captured and stored securely, but it is always worth testing your back-ups regularly to confirm that the data can be restored effectively and minimise costly downtime,” says Eddie.
5. Be selective about who can access data
“Not every employee needs access to all company data,” says Eddie. “By restricting permissions so that individuals have access only to the information and systems necessary for their specific roles, you reduce the risk of internal threats and accidental data leaks. Regularly review and update these permissions, especially after role changes or staff departures, to maintain your security position. If you are using AI, then it is equally important to manage access permissions associated with AI agents and applications. If configured incorrectly, these can often highlight unintentional weaknesses in data access controls and lead to accidental data disclosure.”
6. And… make sure you’re insured
While most UK businesses surveyed said they did have cyber insurance, those with 10 or fewer employees were less likely (69%) to have cyber insurance than those with 11-49 employees (80%), or those with 50-249 employees (78%). Insurance can protect businesses from the rising frequency and sophistication of cyber attacks by covering costs like data recovery, forensic investigation, legal fees and reputational damage. Cyber insurance can also cover potential losses from business interruption and data breaches, and help with regulatory fines and customer notification costs.
Simpler small business insurance
For those looking to explore insurance options, FreeAgent has partnered with Hiscox - one of the UK’s leading insurers for small businesses - to give our customers a 20% discount on their business insurance policy.