UK SMEs focus on AI threats over traditional cyber risks

New research from Six Degrees has exposed significant cyber security concerns among UK SMEs, highlighting a prevalent focus on AI-related threats over traditional cyber threats.

The report, Mapping the UK SME Cyber Security Landscape in 2025, reveals that 35% of SMEs identified AI-related attacks as their chief worry, surpassing concerns about malware, scams and other fraud, phishing, and ransomware, which were each cited by 25% or less of respondents.

This raises questions about the potential overemphasis on AI-driven threats, potentially diverting attention from well-established cyber risks. "SMEs should definitely be concerned about AI-generated cyber-attacks, but that concern needs to be proportionate," remarked Vince DeLuca, Chief Executive Officer at Six Degrees. "For now, AI is an enabler for existing threats rather than a facilitator of new kinds of attacks." He noted that AI could enhance traditional threats, such as phishing, by crafting more sophisticated and effective spear-phishing emails.

Despite the focus on AI, DeLuca expressed caution about neglecting other cyber threats. He noted, "The real danger is a lack of in-house skills and resources within SMEs to address all current cyber security threats and spot new attack variants in the future." This concern is exacerbated by the reported exodus of in-house cyber experts among SMEs and difficulties in hiring new ones.

SMEs are increasingly turning to managed cyber security solutions to boost their defences, with some reporting significant improvements in their security posture. Of those claiming improvements, a substantial number indicated increased adoption of security tools and a shift towards hybrid or multi-cloud environments.

On the topic of AI's dual role, the research points out a prevailing optimism among respondents, with 44% believing IT teams will benefit more from AI, compared to 15% who think cybercriminals will gain the upper hand. DeLuca supports this optimism: "It's still quicker and easier for security teams with the right tooling and expertise to analyse system vulnerabilities than for bad actors to identify them from scratch." He added that this advantage must be leveraged actively by IT teams.

The report concludes by advising caution on the perceived improvements in cyber security measures. Nearly 90% of SMEs feel their cyber security stance has advanced, though purchasing tools alone isn't sufficient. Instead, ongoing practices such as regular security assessments and penetration testing are essential for true security enhancements.

"These solutions require the backing of an actively engaged IT or cyber security team to ensure they are utilised to their full potential. The cyber security tool or service purchase—and its ongoing management—has to form part of a broader strategy that informs business change in every single context," said DeLuca. He stressed that effective security necessitates organisational changes, beyond just tool deployment.

DeLuca concluded by acknowledging the pressures on SME IT and cyber security professionals to protect against increased cybercriminal activity while facing limitations in skills and resources. This often leads SMEs to seek third-party support and adopt managed security services, benefiting from the security robustness offered by cloud solutions.