- 59% of SMEs said they experienced a cyber-attack in the last 12 months.
- A third (33%) were hit with a substantial fine following an attack.
- 27% experienced a ransomware attack and almost three-quarters (71%) believe companies should be required to disclose if they pay a ransom, and how much they paid.
- Over half (57%) said they had experienced a cyber-attack due to Artificial Intelligence (AI) vulnerabilities.
- Despite this, two-thirds (65%) still view AI more as an opportunity than a threat to their business.
London, UK (30 September 2025): Hiscox today launched its ninth annual Hiscox Cyber Readiness Report, lifting the lid on the level of cyber risk facing SMEs – with more than half of respondents (59%) saying they had experienced a cyber-attack in the last 12 months. A third of those (33%) faced a substantial fine in the aftermath of a data breach – significant enough to impact the financial health of their business.
The ripple effect of a cyber-attack is significant: 30% of respondents reported a reduction in business performance indicators, such as share price; 29% incurred increased costs associated with notifying affected customers; and 29% found it hard to attract new business following an attack. The fall-out doesn’t end there: 44% were out of pocket as a result of payment diversion fraud, and 32% said employees had struggled with burnout following an attack.
Eddie Lamb, Global Head of Cyber at Hiscox, commented: “No business, however small, can afford to underestimate the devastating impact a cyber-attack can have. Cyber-attacks don’t just disrupt day-to-day operations; they can threaten the very survival of a business. The financial fall-out, from crippling fines to lost customers or soaring costs, can push even the most resilient business to the brink. On top of this, the stress and long hours required to recover can impact staff morale and even lead to burnout.”
Responding to ransomware
Ransomware remains a major threat, with 27% of businesses surveyed reporting an attack in the past year. Of those affected, 80% – which includes both insured and uninsured businesses – paid a ransom in an attempt to recover or protect critical data. However, only 60% successfully recovered all or part of their data as a result, and for almost a third (31%) of those who paid a ransom, the attackers demanded more money.
As a number of governments continue to consider legal changes or reporting requirements to the payment of ransoms for cyber-attacks**, 71% of those surveyed believe companies should be required to disclose ransom payments in the fight against cyber-crime.
Eddie commented: “There’s no doubt that ransomware tactics are shifting and for uninsured businesses without the expertise of a cyber insurer this leaves them significantly exposed. Cyber criminals are now much more focused on stealing sensitive business data – things like contracts, executive emails, financials, and intellectual property – because it’s easier to monetise than personal information. Once stolen, they demand payment to avoid public exposure, pricing threats based on reputational damage. This change has exposed gaps in some companies’ data loss prevention controls, which attackers are readily exploiting.”
AI and future threats
While nearly two-thirds (65%) of respondents felt AI was more of an asset than a vulnerability, over half (57%) admitted to having been hit by at least one attack as a result of an AI-related vulnerability. Emerging AI-driven threats include AI social engineering attacks, the use of deepfakes, vulnerabilities in third party AI tools, and AI breaking access controls to company data leading to unintended disclosure.
In response, SMEs are stepping up their cyber defences, with 94% planning to boost their investment in cyber security over the next 12 months, 70% extending the cyber training they provide to employees, and 60% hiring additional staff to increase cyber resilience.
Eddie continued: “Having previously built and grown my own small business, I recognise first-hand the crucial role SMEs play in the global economy, driving innovation, growth, and employment in local communities. By taking active steps to safeguard their operations, small business owners can not only protect themselves but also contribute to the resilience of the broader business community. We hope this report empowers SMEs to better understand the risks they face and to take meaningful steps to protect themselves, so they can stay secure and pursue further growth.”
Cyber security top tips
- Install a reputable software security package. Probably one of the most effective ways to mitigate the latest cyber threats is to install security software on all your devices. These combine multiple tools and features that can help to automatically identify and block suspicious activity, then take proactive steps to remove the cause of the threat. The latest generation of security software is powered by AI and often combines crucial features such as antivirus, network firewall, password managers and data back-up to offer a holistic set of complementary controls to protect against threats such as ransomware.
- Use a password manager and robust authentication. Weak or reused passwords are prime targets for hackers seeking unauthorised access to business systems. A good password manager can help you to create complex passwords and store these securely. Many can now also monitor for password breaches and notify you of the need to make changes. When combined with the use of biometrics and Multi Factor Authentication (MFA), they provide enhanced layers of security for your digital identities. Not only can password managers help reduce cyber risks, but they are also more convenient for users and improve the overall digital experience.
- Keep your systems and software up-to-date. Outdated operating systems and applications often contain security vulnerabilities that cyber attackers can exploit. Develop a routine for regularly installing updates across all your company devices and software platforms. Consider enabling automated software updates for ease of security patching, as this can help ensure critical updates are applied quickly and only from the verified vendor. Not only are routine updates great for security; they will also help ensure your devices and software are working at peak performance with all the latest features.
- Back-up company data securely and test those processes regularly. Even with robust defences, there is always a risk of data loss or ransomware attacks. Frequent, secure back-ups – stored either offline or in the cloud – ensure that businesses can recover quickly if the worst happens. Today, data back-ups can often be automated through the use of software to ensure they are seamlessly captured and stored securely, but it is always worth testing your back-ups regularly to confirm that the data can be restored effectively and minimise costly downtime.
- Be selective with access to data. Not every employee needs access to all company data. By restricting permissions so that individuals have access only to the information and systems necessary for their specific roles, you reduce the risk of internal threats and accidental data leaks. Regularly review and update these permissions, especially after role changes or staff departures, to maintain your security position. If you are using AI, then it is equally important to manage access permissions associated with AI agents and applications. If configured incorrectly, these can often highlight unintentional weaknesses in data access controls and lead to accidental data disclosure.
ENDS
For further information please contact:
Carmel McCarthy, Global Media Relations Lead: [email protected] +44 (0)7769 280903
Lucy Hensher, Head of External Communications: [email protected] +44 (0)7824 996 370
Notes to editors
** In Australia, the Cyber Security Act 2024 came into force in June 2025, introducing mandatory ransomware and cyber extortion reporting obligations. In the UK, the government completed a public consultation in January 2025 to explore a new ‘ransomware payment prevention programme’ to include a new mandatory reporting regime.
Methodology
The findings of the Hiscox Cyber Readiness Report are based on research conducted by Wakefield Research with 5,750 businesses, where the individuals responsible for their organisation’s cybersecurity strategy were interviewed. This means the Principal or Partner for those companies with fewer than 50 employees, and either the CIO, CISO, Director of Security or IT Director for those companies with 50-249 employees. The research was conducted between 29 July and 8 August 2025, using an email invitation and an online survey, and respondents can be broken down by geography as follows: 1,000 respondents in the USA, UK, France, Germany and Spain respectively, 500 respondents in Ireland and 250 in Portugal.
About The Hiscox Group
Hiscox is a global specialist insurer, headquartered in Bermuda and listed on the London Stock Exchange (LSE:HSX). Our ambition is to continue to be a respected specialist insurer with a diverse portfolio by product and geography. We believe that building balance between catastrophe-exposed business and less volatile local specialty business gives us opportunities for profitable growth throughout the insurance cycle.
The Hiscox Group employs over 3,000 people in 13 countries and has customers worldwide. Through the retail businesses in the USA, UK and Europe, we offer a range of specialist insurance products in commercial and personal lines. Internationally traded, bigger ticket business and reinsurance is underwritten through Hiscox London Market and Hiscox Re & ILS.
With 20+ years’ experience in privacy and cyber insurance, Hiscox currently serves more than 80,000 cyber insurance customers worldwide, helping businesses to recover from incidents, strengthen their defences, and build long-term resilience. One of the ways we do this is by offering free employee training to all our small- and mid-sized business insurance customers. We have also developed a free-to-all tool to help companies understand their cyber security strengths and weaknesses – the Hiscox cyber maturity model – and compare their performance to thousands of other businesses.
Our values define our business, with a focus on people, courage, ownership and integrity. We pride ourselves on being true to our word and our award-winning claims service is testament to that. For more information, visit www.hiscoxgroup.com.