Businesses across Wales are being encouraged to review and strengthen their cyber security measures after new research suggested many organisations remain insufficiently prepared to deal with digital threats.
A study conducted by Bridgend-based technology and managed services provider CSG indicates that while awareness of cyber risk is increasing, many Welsh businesses have yet to implement the robust systems, processes and training required to effectively prevent or respond to an incident.
The research revealed that around two-thirds (66%) of Welsh firms surveyed have experienced some form of cyber security incident, including malware infections, ransomware attacks and service disruptions. The findings highlight that cyber crime is no longer confined to large enterprises, with organisations of all sizes increasingly exposed to threats.
Smaller businesses appear particularly vulnerable. The data suggests that micro-businesses and small enterprises are almost as likely to face a cyber incident as larger companies, despite often having fewer resources and less formalised security procedures in place.
Respondents also acknowledged that the likelihood of cyber attacks is rising. More than a third of those surveyed believe their organisation will experience a cyber incident within the next year. Among larger organisations, concerns about financial impact were especially pronounced, with some businesses estimating that a serious cyber attack could cost them more than £100,000 in losses and disruption.
Beyond the immediate financial impact, cyber incidents can also lead to operational downtime, reputational damage and potential regulatory consequences if sensitive data is compromised. For many businesses, even a short disruption to digital systems can interrupt customer services, halt internal operations and create lasting damage to trust with clients and partners.
CSG director Matthew Bater said the findings demonstrate that organisations must take a more proactive approach to cyber resilience.
“Cyber incidents are no longer a question of ‘if’ but ‘when’.”
He added that the results point to a common misconception among some smaller organisations that they are unlikely to be targeted.
“There seems to be a prevailing – and dangerously incorrect – opinion that somehow smaller businesses will pass ‘under the radar’ but as the distribution of reported attacks shows, micro-businesses and smaller enterprises are almost as likely to face an incident as larger organisations.”
Despite the growing risks, the research found varying levels of confidence among companies in their ability to manage a cyber attack. While more than half of respondents said they believed they could respond effectively to a cyber incident, roughly one in five admitted they had low confidence in their preparedness.
The survey also highlighted that many organisations have yet to fully embed cyber awareness and cyber risk management into their workforce training.
Employees are often the first line of defence against threats such as phishing emails, fraudulent links and compromised attachments. Without proper training and clear procedures, even relatively simple cyber attacks can give attackers access to systems and cause significant disruption.
Bater said organisations should focus not only on preventing attacks but also on ensuring they have clear plans in place to respond quickly and recover operations if an incident occurs.
“Organisations need to remain aware of the growing risks of cyber threats.
“When cyber attacks happen they can impact fast so it’s important that employees know what to do and organisations have tested strategies to manage the incident.
“Without basic plans, training and tested recovery processes, even a short disruption could have serious consequences and it is essential that thinking switches to resilience and recovery, not just prevention. Doing nothing is no longer a reasonable choice.”
The findings reinforce the importance of proactive cyber planning as digital transformation continues to accelerate across Welsh industries. As businesses increasingly rely on online platforms, cloud systems and digital infrastructure, the potential consequences of cyber attacks continue to grow.
Industry experts say that improving resilience does not always require large investments. Steps such as regular security updates, employee awareness training, secure data backups and clearly defined incident response procedures can significantly reduce risk and help organisations recover quickly if an attack occurs.
With cyber threats continuing to evolve, Welsh businesses are being encouraged to review their current security posture and ensure that cyber resilience remains a priority for leadership teams across all sectors.
