mobile tablet screen with warning and coins in front

Survey reveals why SMEs are decreasing their investment in cyber security

With recent industry research revealing that small and medium-sized enterprises (SMEs) are decreasing their investment in cyber security, we wanted to understand why – particularly in a digital age where we are increasingly dependent on technology.

In a bid to uncover the true reasons behind this lack of investment compared to previous years, we surveyed 1,600 SME owners, using 12 carefully crafted questions to find out their reasons behind this shift, as well as their perception of cyber security and threats.

Do SMEs believe the threat of cyber attacks has decreased?

Despite the fact that SMEs have decreased their investment in cyber security, most of those surveyed still expressed concern that they remain vulnerable to cyber attacks – particularly whilst working from home.

When asked whether they believe that bigger businesses are more likely to get attacked, the vast majority (62%) of respondents said that they did not, and only 31% believed that bigger businesses are more susceptible to attacks. 6% were unsure about this claim and 1% chose not to answer.

Just over half (51%) of respondents said that they thought it would be harder for a small business to overcome an attack, compared to a large business, while 41% disagreed, 7% were not sure, and 1% chose not to answer.

SMEs continue to feel the threat of cyber attacks, since only 17% of respondents said that they believe many cyber security issues have been ironed out over the past few years and 82% of respondents said they had not.

Are SMEs sufficiently prepared for cyber attacks?

When asked if they believed that their business was adequately prepared for potential cyber attacks, 55% of respondents said that they did not, 42% expressed confidence that their preparations were adequate and the remaining 3% of those surveyed preferred not to answer.

Even more alarmingly, when asked if their small business had any formal plan or protocol in place for employees to follow in the event of a potential breach or attack, 28% said that they did, leaving almost three-quarters (71%) of respondents without a plan in the event of an attack.

You may also like: The UK business sectors lacking in cyber security training

Is cyber security no longer a priority in business spending?

Results from our survey suggest that SME investment in cyber security has decreased, yet most respondents believed that investment in cyber security remains worthwhile. When asked whether they believed it was worth spending so much on cyber security, 61% responded affirmatively, 38% responded negatively, and 1% were unsure. Likewise, when asked whether it is worth making ‘huge’ investments on cyber security, 66% of individuals said that they believed it was and 32% believed it was not.

We asked respondents whether they would be prepared to make cuts elsewhere to afford additional cyber security and 42% of respondents said yes, and the remaining 58% said no. It seems that businesses are less keen on extracting the resources from elsewhere to fit the bill of comprehensive cyber security.

It appears that a lack of funds might be a driving factor behind SME decisions to decrease cyber security investment. When asked whether they believed any business budget cuts would have an impact on how much is invested in cyber security for the overall business, 58% of respondents said yes, whilst only 32% said no. Likewise, when asked whether they believed that a decrease in business performance would lead to a decrease in how much they invest in cyber security for their business, 72% of individuals said it would, whilst only 28% said it would not.

Small businesses believe that greater investments in cyber security are worthwhile, but they are either reluctant to make these investments, or cannot afford to.

What are small businesses’ biggest fears about poor cyber security

The biggest fear about poor cyber security was reputational damage at 29%, followed by the direct impact of the crime itself (24%) and the potential financial loss (20%).

Following these concerns was the risk that company information would be exposed, with 13% of respondents citing this to be their greatest concern, the loss of data (10%), privacy breach (2%) and 2% of respondents were not sure.

To combat these fears and prevent cyber attacks, cyber security expert Darren James, recommends the following: “All companies, regardless of size, need to protect sensitive data. The ones that are most at risk are the ones that don’t prioritise cyber security. Passwords are a weak link that can be addressed by using multi-factor authentication when possible, and securing passwords when MFA is not available. The best way to secure passwords is to prevent employees from choosing weak and leaked passwords.”


Specops Software surveyed 1,600 SME owners and asked them a series of 12 questions.

(Last updated on October 30, 2023)

Back to Blog