Welsh Businesses Underprepared for Cyber Security Threats, New Research Reveals
New research from managed services provider CSG has exposed a significant readiness gap among Welsh businesses facing growing cyber security threats. The comprehensive study reveals that many organisations across Wales are underestimating both the likelihood of attacks and their potential financial and operational impacts.
Widespread Incidents and Inadequate Preparation
The research, conducted by Bridgend-based CSG, examined firms across multiple sectors including construction, manufacturing, professional services, retail, public services and tourism. Alarmingly, the data shows that two-thirds of Welsh businesses (66%) have already experienced a cyber security incident, with common threats including malware, ransomware and service disruption.
Despite this high incidence rate, preparation levels remain worryingly low. The research found that 41% of organisations admit they lack a formal strategy to deal with cyber incidents, while almost half (47%) provide no regular cyber awareness training to staff. This lack of preparation is particularly acute among micro-businesses with nine or fewer employees, where 58% operate without a response plan and only 25% provide regular training.
Sector Variations and Size Considerations
Cyber preparedness varies significantly across different sectors. While nearly 80% of professional services and construction firms report having formal cyber response plans, more than half of manufacturing businesses and almost two-thirds of organisations in other sectors operate without any structured approach.
The research also reveals that micro-businesses are almost as vulnerable as larger organisations, with 66.7% of small firms experiencing attacks compared to 75% of businesses employing 10-249 people. This challenges the common misconception that smaller enterprises might pass "under the radar" of cyber criminals.
Underestimated Impacts and Financial Consequences
Perhaps most concerning is the widespread underestimation of potential disruption and costs. Overall, 65% of respondents expect disruption to last no longer than a week, suggesting many organisations may be significantly underestimating the true operational impact. The expected length of disruption rises sharply with organisation size, with around 40% of businesses employing 10-249 people anticipating disruption lasting weeks or longer.
Financial expectations vary dramatically across the business community:
- 45% of respondents believe an attack could cost upwards of £25,000
- One in five predict costs exceeding £100,000
- 10.8% expect impacts greater than £250,000
- 20.3% believe costs would be no more than £10,000
Uncertainty about financial impacts is particularly acute among smaller Welsh organisations, with more than a third of businesses employing 10-49 people unable to estimate potential costs at all.
Expert Commentary and Future Outlook
According to CSG director Matthew Bater, the findings highlight a concerning resilience gap for Welsh organisations, particularly the small and medium-sized enterprises that form the backbone of the Welsh economy. "Cyber incidents are no longer a question of 'if' but 'when'," he emphasised.
Mr Bater added: "The survey reveals that while many Welsh organisations recognise the risk, too many are still relying on hope rather than preparation. There seems to be a prevailing – and dangerously incorrect – opinion that somehow smaller businesses will pass 'under the radar' but as the distribution of reported attacks shows, micro-businesses and smaller enterprises are almost as likely to face an incident as larger organisations."
Despite the acknowledged threats and relatively low preparedness levels, more than half of respondents (56.8%) express confidence in their ability to respond to a cyber incident, with only one in five (20.3%) reporting low confidence.
Mr Bater concluded with a stark warning: "Organisations need to remain aware of the growing risks of cyber threats. When cyber attacks happen they can impact fast so it's important that employees know what to do and organisations have tested strategies to manage the incident. Without basic plans, training and tested recovery processes, even a short disruption could have serious consequences and it is essential that thinking switches to resilience and recovery, not just prevention. Doing nothing is no longer a reasonable choice."
The research serves as a crucial wake-up call for Welsh businesses, highlighting the urgent need for improved cyber security measures across all sectors and organisation sizes.