Small and medium-sized businesses (SMBs) across the UK are struggling to turn cybersecurity plans into practice, according to new research from Kaspersky. The findings reveal that 67% of UK SMBs lack fully actionable cybersecurity strategies, with many acknowledging a gap between their theoretical plans and real-world implementation. This shortfall leaves a majority of businesses vulnerable to an increasingly sophisticated cyber threat landscape.
The research also highlights a disconnect between executives and IT leaders on the importance of cybersecurity. Nearly a quarter (22%) of IT leaders say that C-level executives in their organizations do not fully understand the strategic value of cybersecurity, slowing progress towards effective, organisation-wide protection.
Despite these obstacles, many SMBs recognize the need for outside expertise. More than a third (38%)are now seekingexternal cybersecurity partners who can help build long-term, sustainable protection strategies. Rather than relying on ad hoc solutions, SMBs increasingly want trusted partners who can provide continuous awareness training, immediate incident response and transparent advice.
“Cybersecurity can’t remain a theoretical exercise,” said Oscar Suela, General Manager, Iberia, UK & Ireland at Kaspersky. “Our findings show that while many SMBs have well-intentioned strategies, these often stay on paper. To close the gap, organisations must turn plans into action, embed security into everyday operations, and ensure leadership and IT are fully aligned in their approach.”
To help businesses strengthen their cyber resilience, Kaspersky recommends:
- Turning plans into action: Implement practical, measurable security measures that are fully integrated into daily operations.
- Investing in awareness and education: Empower employees through ongoing cybersecurity training to reduce human error and insider risk.
- Embedding cybersecurity into business culture:Treat security as a fundamental part of operations, not just an IT responsibility.
Kaspersky offers dedicated solutions to support SMBs in building stronger defences. For instance, for very small businesses that do not have an IT administrator, Kaspersky Small Office Security offers hands-off protection through its “install and forget” setup, whereas Kaspersky Next combines strong endpoint protection with EDR and XDR capabilities, giving businesses of any size and industry the tools to detect, investigate and respond to threats in real time.
For this survey Kaspersky commissioned Arlington Research to carry out an online self-complete survey with decision makers whose role involves cybersecurity in a significant way, working for organisations with less than 500 employees in Europe and Africa in August and September 2025. Arlington conducted a total of 820 interviews with this audience (Europe: 600; Africa: 280; 60 interviews each: Germany, Austria, Switzerland, UK, France, Italy, Spain, Greece, Romania, Serbia, Morocco, Algeria, Tunisia, and Cameroon; 20 interviews each: Senegal and Ivory Coast).
