A majority of decision-makers involved in cybersecurity in small and medium-sized businesses (SMBs) in the United Kingdom lack preparation when safeguarding their companies. Two-thirds (67 percent) report following a solid strategy more in theory than in practice or only pursuing a number of goals. Moreover, some admit there are gaps in their knowledge of even basic aspects of cybersecurity, with 30 percent stating they should have a better understanding of how to respond to and resolve cyber incidents. This lack of actionable strategy and know-how leaves many failing to secure real-world protection – and vulnerable to cyber incidents. These are the findings of the latest Kaspersky report ‘A real talk on cybersecurity – What’s annoying, what’s missing, what’s really helping?’.
SMBs in the UK lack both the knowledge and a consistent strategy to protect themselves. Only 25 percent report having a fully implemented cybersecurity strategy in place. Meanwhile, 67 percent acknowledge that while their strategy is thought out, it is not fully in place yet. Another 5 percent state they are merely working towards a set of goals rather than pursuing an actual strategy. These findings point to a widespread disconnect between strategy development and operational implementation – a gap that likely results in structural weaknesses in SMBs’ everyday cybersecurity operations.
SMBs under attack: Do decision-makers really know what they need?
This lack of actionable strategy is also evident in the latest analysis of attacks in Europe and Africa by Kaspersky. From January to April 2025, Austria recorded the highest share (40 percent) of attacks in Europe in which potentially unwanted applications (PUA) and malware mimicking legitimate brands targeted SMBs, followed by Italy (25 percent), Germany (11 percent), Spain (10 percent) and Portugal (6 percent).
What makes this particularly concerning is the deceptive nature of these threats, which exploit trust in familiar brands to evade detection. At the same time, many decision-makers admit to lacking confidence in their own cybersecurity knowledge and tools. In the UK, for instance, 30 percent of SMBs want to better understand how to optimize their response and resolution capabilities during a cyber incident and almost one third (27 percent) are curious to know if their endpoint protection is even strong enough to handle the range of today’s threats. They also want – or need – to better understand:
- which of the many tools available on the market they actually require (28 percent)
- how to ensure cloud visibility and vulnerability assessments (27 percent)
- the legislation and regulatory requirements that apply to their companies (22 percent)
Given this, and with 30 percent saying they doubt whether vendors’ risk portrayals truly reflect the reality of a company their size, the question arises whether anyone actually knows how to protect their business.
“One of the main mistakes in cybersecurity is that strategies that look good on paper often fall short in practice. Our research shows that two-thirds of decision-makers have yet to put these measures effectively into practice, leaving them exposed to attacks that increasingly target SMBs. To close this gap, organizations need to establish cybersecurity strategies that are not only well-defined, but fully embedded into day-to-day structures, responsibilities and decisions. To reduce this exposure, organizations must move from theory to action, close essential knowledge gaps, and build a coherent cybersecurity strategy that is embedded into everyday operations – not confined to isolated documents or uncoordinated measures,” says Oscar Suela, General Manager, Iberia, UK & Ireland.
To address the missing know-how and lack of strategy now and in the future, business leaders and organizations need to take the following steps:
- Turn cybersecurity plans into actionable protection: Kaspersky Next for small and medium-sized businesses integrates advanced endpoint protection with EDR and XDR – delivering real-time visibility, threat response, and the transparency needed to operationalize security strategy. For SMBs with an established IT infrastructure, Kaspersky Next XDR Optimum delivers advanced integration and visibility.
- Provide protection with limited IT resources: Even very small companies can achieve professional-grade protection. Kaspersky Small Office Security offers security that’s easy to deploy and manage, preventing financial losses, data theft and ransomware without requiring in-house expertise.
- Invest in awareness and education: Provide targeted training programs and implement security awareness initiatives at all organizational levels to minimize the risk of internal incidents. The Kaspersky Automated Security Awareness Platform supports SMBs with scalable, role-specific learning modules.
- Integrate and cultivate cyber resilience: Establish a security-first mindset across the organization by building a culture that empowers employees to effectively mitigate emerging threats in daily operations.
For this survey, Kaspersky commissioned Arlington Research to carry out an online self-complete survey in August and September 2025 with decision-makers whose role involves cybersecurity in a significant way and who work for organisations with fewer than 500 employees in Europe and Africa. Arlington conducted a total of 820 interviews with this audience (Europe: 600; Africa: 280; 60 interviews each: Germany, Austria, Switzerland, UK, France, Italy, Spain, Greece, Romania, Serbia, Morocco, Algeria, Tunisia and Cameroon; 20 interviews each: Senegal and Ivory Coast).