Feature

Why cybersecurity still isn’t making the budget cut for thousands of UK firms

The budget blind spot

Nearly two out of five British companies are entering the second half of 2025 with no dedicated cybersecurity budget, or no intention of increasing one, despite a surge in high-profile breaches and an estimated £64 billion in losses over the past three years. A new report by security vendor ESET, which surveyed more than 1,200 organisations, found that 15 percent of respondents have no cybersecurity budget whatsoever, while another 23 percent say they will not boost spending this year even as attack volumes climb.

Size still matters

The funding gap is starkest in the SME sector. Only 42 percent of small businesses (under 50 staff) ring-fence money for security, compared with 96 percent of enterprises employing more than 250 people. Many smaller firms still regard cyber protection as a luxury for when there’s spare cash, yet they are now prime targets for ransomware gangs exploiting supply-chain connections to larger partners.

DIY defence—and its limits

Under-investment feeds a second risk: over-reliance on in-house teams. Almost half (45 percent) of organisations manage security internally with no third-party help, even though a third of those teams concede they “struggle to maintain adequate resources”. Only eight percent carry standalone cyber-insurance, while just over a third assume that general business cover will pick up digital losses. More than half have no insurance cover at all.

Counting the true cost

ESET’s economists estimate direct annual costs (ransom payouts, legal fees, downtime) at £37.3 billion, with indirect hits such as reputational damage and lost customers adding another £26.7 billion. Retailers feel the pain most acutely: Marks & Spencer reportedly bled £25 million a week in lost revenue after its May breach, and Co-op still faces months of post-incident remediation.

The reputational aftershock

Financial losses are only part of the equation, warns ESET global cybersecurity advisor Jake Moore. For brands without M&S-level recognition, recovery can take years. Customer churn, rising insurance premiums and stricter supplier-security clauses often dog medium-sized companies long after ransom notes are paid.

Why the disconnect persists

  1. Short-termism – Boards still view security as a cost centre, not a growth enabler, despite evidence that strong cyber posture boosts revenue.

  2. Perceived complexity – SMEs struggle to translate frameworks like Cyber Essentials into actionable roadmaps.

  3. Insurance complacency – Firms assume generic policies cover digital incidents, only to discover exclusions after a breach.

  4. Talent crunch – A UK skills gap of more than 11,000 open cyber roles keeps salaries high and internal hiring difficult.

Three steps to break the cycle

| Action | Immediate payoff | Long-term return |
|---|---|---|
| Ring-fence 5–10 % of IT spend for security | Funds baseline controls: MFA, patching, endpoint detection | Cuts incident likelihood by up to 50 % |
| Adopt a hybrid security model | Access to 24/7 monitoring and incident response without full head-count costs | Builds resilience and knowledge transfer to in-house teams |
| Buy specific cyber-insurance | Covers legal fees, PR, and ransom negotiations | Drives better security hygiene via policy-holder audits |

A call for collaboration

Moore argues that tackling the funding gap requires a coalition of regulators, insurers, vendors and industry groups. He urges mandatory breach-cost disclosure, similar to environmental reporting, to nudge lagging sectors into action. Government could further incentivise SMEs through tax credits for Cyber Essentials Plus certification, mirroring R&D relief schemes.

The bottom line

Cyberattacks have become a fixture of daily business life, yet budgeting for them remains optional in too many boardrooms. Until companies treat security spending with the same seriousness as payroll or power bills, £64 billion, and the trust of customers, will remain at risk.
