A recent study from Markel Direct reveals that nearly one in four (23%) small and medium-sized enterprises (SMEs) in the UK are increasingly concerned about securing remote working environments for employees.
The survey, which gathered insights from 500 SME owners, highlights how remote work has intensified the need for robust cybersecurity measures. Securing remote access to company data emerged as a top priority, second only to concerns over the growing sophistication of cyber threats, which was reported by 62 percent of respondents as a major challenge.
The concern is not unfounded. According to the 2024 cybersecurity breaches survey, half of businesses and around a third of charities reported having experienced some form of cybersecurity breach or attack in the 12 months prior. This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%) – but smaller businesses are not necessarily safe.
As remote work becomes the norm, SMEs are exploring ways to protect sensitive business information when employees are working off-site. Among those with remote workers, just over half (52%) ensure data security by using virtual private networks (VPNs), only 48 percent provide training on secure remote work practices, and just 46 percent have established remote access policies and controls.
Preparedness Remains Low in the Event of Cyber Attacks
Despite these efforts, the survey highlights a significant gap in cybersecurity preparedness, with 49 percent of SMEs acknowledging that they lack a clear response plan in the event of a cyber attack. Moreover, nearly seven in ten SMEs (69%) admitted they have yet to implement a formal cybersecurity policy, underscoring a potential vulnerability among small businesses in managing cyber incidents.
While formal policies may be lacking, the survey shows that UK SMEs are actively implementing some protective measures to guard against cyber attacks. Antivirus and anti-malware software, in particular, is widely used, with 72 percent of respondents investing in this essential defence. A significant number of SMEs are also keeping system software up to date, with 69 percent reporting regular updates. Multi-factor authentication, designed to add an extra layer of security, is in place at 52 percent of SMEs.
Venky Sundar, Founder and President of application security SaaS company Indusface, said, “Remote working means people are working in less secure environments and their devices are more exposed to data breaches both digitally and physically. Many remote workers are using the same device for professional and personal use, or even accessing company data on devices shared with other household members.
“Employers should ensure strong password management, including using automatic password generators that create extra secure passwords, and never duplicate these across accounts. Multi-factor authentication also provides a secure method of verifying your identity, making it harder for hackers to breach any accounts. Limiting what could be accessed on official devices is also important in thwarting attacks.
“That said, installing endpoint security software like antivirus and keeping it updated should be able to protect most computers, unless you fall victim to an advanced phishing attack.”
Cybersecurity Measures Commonly in Place Among UK SMEs
While SMEs are adopting various security measures, there is still much room for improvement to address emerging cyber threats. Just over half (53%) of SMEs maintain up-to-date IT systems, and 49 percent use email filtering to mitigate spam and phishing risks. Additionally, nearly half of SMEs report providing staff training (49%) on identifying cyber threats, while 47 percent use firewalls, and 46 percent ensure Wi-Fi networks are secure. Data protection practices such as conducting regular data backups (46%) and data encryption (44%) are also widely adopted.
However, gaps remain, with 43 percent of SME owners stating that their employees are not trained on best cybersecurity practices and potential threats. More than half (53%) have not yet secured cyber insurance, which can help mitigate the financial impact of a breach. As cyber threats evolve, SMEs may need to consider enhancing their cybersecurity strategies to better protect business operations and data.
Rob Rees, Divisional Director of Markel Direct, said, “Staying ahead of cyber threats is crucial for small business owners, especially as AI-driven attacks continue to evolve. Having a robust cyber security policy in place can help create a framework to safeguard against ongoing threats, whilst cyber insurance can help to protect your business in the event of a targeted attack.
“Almost half of SMEs reported not knowing what to do in the event of a cyber-attack – something that can be key to mitigating its impact. This is why we provide Markel Direct cyber insurance policyholders with access to a cyber response helpline, so that expert guidance is on hand to help small business owners should they experience a cyber security incident.”
The Human Factor
“According to data by Indusface, 98% of all cyber attacks rely on human error or a form of social engineering,” said Venky Sundar. “Social engineering breaches leverage human error, emotions and mistakes rather than exploiting technical vulnerabilities. Hackers often use psychological manipulation, which may involve coaxing employees to reveal sensitive information, download malicious software or unknowingly click on harmful links. Unlike traditional cyberattacks that rely on brute force, social engineering requires direct interaction between attacker and victim.
“Given that human error can be a major weak link in cyber security, the best way to prevent these attacks is to put in place education and training on the types of attacks to expect and how to avoid these. That said, implementing a zero-trust architecture, where the request for every resource is vetted against an access policy, will be paramount to stopping attacks from spreading even when a human error results in a breach. Also, make sure that the applications are pen tested for business logic and privilege escalation vulnerabilities so that the damage is minimised.
“Basics such as standard best practices across the board, secure communications, knowing which emails to open, when to raise red flags and exercising extreme caution when accepting offers will go a long way in preventing human errors that lead to breaches.”