Abstract
Small and Medium Enterprises (SMEs) are increasingly exposed to cyber risks. Some of the main reasons
include budget constraints, the employees’ lack of cybersecurity awareness, cross-sectoral cyber risks, lack
of security practices at organizational level, and so on. To equip SMEs with appropriate tools and guidelines
that help mitigate their exposure to cyber risk, we must better understand the SMEs’ context and their needs.
Thus, the contribution of this paper is a survey based on responses collected from 141 SMEs based in the
UK, where the objective is to obtain information to better understand their level of cybersecurity awareness
and practices they apply to protect against cyber risks. Our results indicate that although SMEs do apply
some basic cybersecurity measures to mitigate cyber risks, there is a general lack of cybersecurity awareness
and lack of processes and tools to improve cybersecurity practices. Our findings provide to the cybersecurity
community a better understanding of the SME context in terms of cybersecurity awareness and cybersecurity
practices, and may be used as a foundation to further develop appropriate tools and processes to strengthen the
cybersecurity of SMEs.
include budget constraints, the employees’ lack of cybersecurity awareness, cross-sectoral cyber risks, lack
of security practices at organizational level, and so on. To equip SMEs with appropriate tools and guidelines
that help mitigate their exposure to cyber risk, we must better understand the SMEs’ context and their needs.
Thus, the contribution of this paper is a survey based on responses collected from 141 SMEs based in the
UK, where the objective is to obtain information to better understand their level of cybersecurity awareness
and practices they apply to protect against cyber risks. Our results indicate that although SMEs do apply
some basic cybersecurity measures to mitigate cyber risks, there is a general lack of cybersecurity awareness
and lack of processes and tools to improve cybersecurity practices. Our findings provide to the cybersecurity
community a better understanding of the SME context in terms of cybersecurity awareness and cybersecurity
practices, and may be used as a foundation to further develop appropriate tools and processes to strengthen the
cybersecurity of SMEs.