The Hiscox Cyber Readiness Report 2025
59% of small and medium enterprises (SMEs) experienced a cyber attack in the past 12 months
SMEs play an important role in the global economy, driving innovation, creating jobs, and supporting local communities. Their resilience against cyber threats is not only a business priority but also underpins wider economic stability.
Our ninth annual Hiscox Cyber Readiness Report finds SMEs taking proactive measures against evolving cyber threats, with most planning increased cyber security and data protection investment.
The findings in our 2025 report show both progress and ongoing risks. Attack rates have declined, but threats are becoming more advanced, especially with the growing use of artificial intelligence (AI) in business operations.
Using survey responses from 5,750 businesses, this year’s report explores the state of commercial cyber security across seven markets: the United Kingdom (UK), the United States (US), France, Germany, Spain, Ireland, and Portugal. We look at how SMEs are responding to current and emerging challenges.
The Hiscox Cyber Readiness Survey was conducted by Wakefield Research.
International data reveals a decline in cyber attacks
Cyber attack rates fell to 59% in 2025, a decrease from the previous year [1]. Key findings include:
- Cyber attacks vary by country. Ireland recorded the lowest attack rate (42%), while Germany (67%) reported the highest.
- Countries view AI differently. 86% of Portuguese firms see AI as a security asset, compared to 58% in the US.
- Ransomware recovery success varies. 27% of those who experienced a cyber attack in the last 12 months faced ransomware as an outcome. US victims who paid ransoms achieved a 74% recovery rate for at least some of their data, compared to 53% in Ireland.
- Confidence in meeting regulations differs. Confidence in adapting to regulations is highest in Portugal (86%) and Ireland (85%), while the US trails at 76%.
- Views on payment disclosure are mixed. 80% of US companies support mandatory disclosure of ransomware payments, while Spain (62%), Germany (65%), and Portugal (65%) are more hesitant.
UK businesses are among the most likely to face cyber attacks
In 2025, 65% of UK firms reported at least one attack in the past year – behind only Germany at 67%.
State of attacks
Targeted businesses were more likely to experience multiple incidents. Companies are also facing more sophisticated digital risks and struggling with the aftermath of ransomware attacks.
Who is being targeted?
The frequency of attacks depends on a business’s size and revenue:
- The greater the revenue, the greater the risk. For those that have been attacked, companies with revenues of $10 million (around £7 million) or more reported an average of six incidents, compared to four among those earning less than $1 million (around £745,000).
- Larger businesses are more vulnerable. Among those that have been attacked, businesses with 50-249 employees experienced an average of seven incidents, compared to about five for those with 11-49 staff and four for those with 1-10 staff.
Consequences for businesses
Recovering from cyber attacks can place immediate and long-term strain on finances and operations, threatening business continuity and stability.
One third (33%) of affected firms faced regulatory fines that impacted their financial health. Many also reported lower business performance indicators (30%), higher costs to notify customers (29%), and greater difficulty attracting new customers (29%).
Additional outcomes include:
- Financial loss from payment diversion fraud (44%).
- Distributed denial of service (42%).
- IT resource misuse (42%).
Ransomware attacks
Ransomware continues to affect SMEs. Many organisations do what they can to recover lost data, including paying a ransom. For those who paid:
- 60% recovered some or all data.
- 41% received a recovery key but still had to rebuild systems.
- 31% still faced additional monetary demands.
- 27% suffered repeat attacks.
Attackers are exploiting vulnerabilities
Companies are facing attacks that exploit weak points in their technologies and in the suppliers they rely on. Common entry points include:
- Internet of Things devices, which are smart devices that connect to the internet and can send or receive data (33%).
- Supply chain weaknesses (28%).
- Cloud-based corporate servers (27%).
- AI tools and software (15%).
Effects on employees
Beyond financial and operational disruption, cyber incidents can also affect employee well-being. Among businesses that experienced a cyber attack:
- 39% reported high stress.
- 32% experienced burnout.
- 31% took more sick leave.
“The human impact of a cyber attack should never be underestimated. Employees face immense stress, which can lead to increased absence or even burnout. Supporting staff through the aftermath isn’t just the right thing to do; it helps the business recover and builds greater resilience for the future.” – Mike Maletsky, VP, Practice Leader, Technology and Cyber, Hiscox USA
Taking action
SMEs are responding to evolving threats with substantial investment, with 94% planning to increase cyber security and data protection spending over the next year. Portugal (45%) and Spain (40%) are the countries where investment is expected to grow the most.
Industry trends place the automotive sector at the forefront, with 54% planning major investments – ahead of government at 49%, telecommunications at 47%, and chemicals at 45%.
Cyber security compliance is also a growing priority. About four in five (81%) are actively aiming to meet regulatory requirements. Those who experienced a cyber attack in the past year are more likely (87%) to report adapting to regulations than those who didn’t experience an attack (72%). Improving remote work security is another key focus, with 79% investing in additional cyber security training for staff to help prevent attacks.
Improving cyber resilience
Most SMEs (83%) report stronger resilience over the past year, achieved primarily through staffing, training, and software investments.
91% of businesses now conduct internal cyber vulnerability checks at least once a quarter. 88% also assess the risk levels of their suppliers and partners at least quarterly. Many businesses are taking steps to invest in:
- Hiring additional staff to boost their cyber resilience (60%).
- Updating cyber security training for employees (70%).
- Software to help manage and identify threats (54%).
Despite improved resilience, security experts are cautious about emerging threats, particularly AI-driven attacks.
AI and future threats
AI is reshaping the cyber security landscape, presenting both opportunities and risks. Many SME security professionals view AI as a valuable tool, but attitudes vary by region.
In Portugal, 86% see AI as an asset when it comes to their organisation’s cybersecurity, compared to 59% in the UK and 58% in the US. Overall, 65% believe the benefits outweigh the risks.
At the same time, concern is growing around how AI could be exploited. Businesses expect the following to emerge as the top AI-driven threats in the next five years:
- Social engineering attacks (60%).
- AI malware and phishing (60%).
- AI systems taking control of company data (60%).
Businesses also identified concerns around the most likely breach points:
- 22% point to employees.
- 22% identify facilities.
- 20% cite software and systems.
- 20% highlight third-party suppliers.
Experience shapes attitudes around preparedness. Among those that have suffered a cyber attack, 96% believe more awareness or understanding of attacks is key to better response times for future breaches.
Mandatory ransomware disclosures
Governments are also shaping the conversation around cyber security.
In Australia, landmark legislation requires companies to report ransom payments to authorities within 72 hours.
While overall support for mandatory disclosure stands at 71%, views differ by role and experience:
- Owners, Chief Information Officers, Chief Information Security Officers, and Directors or Vice Presidents of Information Technology are more likely to agree with mandatory disclosure requirements (71%-77%).
- Directors or Vice Presidents of Security are less likely to agree (50%).
- Companies that have not experienced a cyber attack in the past year are more likely to agree (85%), while those that have are less likely to agree (61%).
Respondents gave several reasons for supporting mandatory disclosure:
- 54% believe it helps stakeholders and customers assess financial health.
- 52% say transparency improves responses from relevant authorities.
- Most SMEs in Portugal (52%) and Spain (52%) view disclosure as a way to remove the stigma of paying to secure data.
Concerns around disclosure are just as strong:
- 53% argue that private companies should not be required to disclose financial information.
- 49% fear disclosure can encourage cyber criminals to engage in ransomware schemes.
“The introduction of mandatory reporting will inevitably be met with some resistance, but the need to dismantle the cyber criminal business model is universally recognised. As the UK moves ahead with bold measures aimed at tackling ransomware and bolstering national security, the need for small businesses to take ownership of their cyber security and keep investing in their people and defences remains.” – Alana Muir, Head of Cyber, Hiscox UK
Cyber security tips for small businesses
Small businesses can take practical steps to help protect themselves against cyber attacks:
- Use a password manager and robust authentication. A password manager can create and store secure passwords to help minimise risk, while multi-factor authentication and biometrics can add extra protection.
- Install a reputable software security package. Using advanced security software (antivirus, firewall, password manager, back-up tools) can support the detection, blocking, and removal of threats like ransomware.
- Keep your systems and software up to date. Regular updates can fix security vulnerabilities and improve performance. Automating updates can help ensure critical updates are applied quickly and from verified vendors.
- Back up company data securely and test those processes regularly. Frequent and secure backups can help recover data after a breach or ransomware attack.
- Be selective about who can access data. Limiting access to only those who need it, reviewing permissions regularly, and managing AI or system access carefully may reduce the risk of accidental leaks.
The value of learning lessons
The 2025 Hiscox Cyber Readiness Report paints a mixed picture. While attack frequencies have decreased, the sophistication and impact of incidents remain high.
Experience drives change. Victims of attacks tend to invest more in compliance, staff training, and risk assessments. While costly, these experiences often catalyse improvements that build long-term resilience.
Encouragingly, most SMEs are not waiting for incidents before acting. Rising budgets, proactive training, and comprehensive assessments are becoming the norm. With appropriate insurance coverage, businesses can be better placed to navigate complex cyber threats.
Read more about what Hiscox can offer
Hiscox provides cyber security cover for SMEs, combining insurance protection with risk management tools.
Hiscox Cyber Insurance
Hiscox Cyber Insurance is designed to help businesses prepare for threats, providing coverage and specialist support.
Hiscox Risk Academy (HRA) CyberClear
The Hiscox Risk Academy is a free online platform offering CyberClear training on topics such as social engineering, payment diversion fraud, GDPR, and fraud awareness.
Hiscox CyberClear insurance for brokers
Insurance brokers and agents can access detailed policy information and broker resources to learn more about Hiscox CyberClear insurance.
Disclaimer:
The Hiscox Cyber Readiness Report shares insights into today’s cyber security landscape for SMEs. It should not be taken as professional advice. For guidance specific to your business, please seek independent professional support.
References
1. The 2024 question was asked as a closed-ended question, while the 2025 question was asked as an open-ended question. The question asked to respondents this year was: ‘In the past 12 months, how many times has your organization experienced a cyber attack, whether successful or not?’