Cyber attacks are the top concern for UK SMEs, according to Hiscox. Its survey found that 38% of respondents ranked cyber attacks or data breaches as the risk most likely to keep them awake at night.

The findings are based on a study of 1,000 UK small and medium-sized enterprises and form part of a wider survey of 6,250 small business owners across six countries.

The research also highlights wider pressure on smaller companies, with owners facing rising costs, staff issues and legal risks. Overall, 92% of UK business owners said worries about risks to their business were affecting their sleep.

Inflation or rising costs came a close second among UK concerns at 37%, followed by workplace accidents or employee injuries at 35%. Economic downturn and theft or property damage each scored 33%. Natural disasters such as floods or fires were cited by 29%, lawsuits or legal claims by 28%, and staff shortages by 27%.

The data also points to a gap between awareness of threats and understanding of insurance cover. Among UK SMEs, 77% said they did not understand cyber insurance, while 80% said they did not understand professional indemnity cover.

That lack of confidence comes despite cyber risk topping the list of concerns and legal claims troubling more than a quarter of businesses. Globally, only 20% of SMEs correctly identified what professional indemnity insurance covers, the report found.

Hiscox said 55% of UK SMEs have a protection gap, suggesting that concern about risk does not always translate into a clear understanding of what insurance would respond to in practice.

Alana Muir, Head of Cyber at Hiscox, said the findings showed a widening disconnect between anxiety about threats and preparedness for their financial and operational consequences.

“Small businesses today are navigating a more complex risk environment than ever before: evolving cyber threats, changing workforces, rising legal costs, and the weight of knowing these risks exist without always knowing how to manage them. But awareness alone doesn’t equal protection. What the Global Protection Gap Report shows is the growing gap between businesses that know something could go wrong and those that truly understand whether they’d be covered if it did.

“Unsurprisingly, the areas where SMEs are most exposed are often the ones they feel least confident about. Cyber is a prime example. It tops the list of concerns, yet 77% of small business owners admit they don’t fully understand what a cyber policy covers. The same is true of professional indemnity, where eight in ten (80%) SMEs say they don’t understand the cover, despite legal claims keeping more than a quarter of them awake at night.

“The reality is that misunderstanding your cover can be almost as costly as having none at all. A business that believes it’s protected, but isn’t, may be less likely to seek advice or review its policies, which can leave gaps in cover,” Muir said.

Cyber cover

Muir also warned smaller firms against assuming they are too small to attract cyber criminals, noting that the practical impact of an incident can extend well beyond any immediate financial loss.

“It’s easy to assume your business may not be a primary target for cybercriminals. However, cyber attacks are not limited by business size, and SMEs are increasingly part of the threat landscape.

“Make sure your policy covers the full fallout of an incident, including data recovery, business interruption and customer notification costs, not just the immediate financial impact,” Muir said.

The insurer also highlighted other areas where cover may no longer match how a business operates. Employers’ liability insurance is usually a legal requirement for businesses with staff, including temporary or seasonal workers, and some micro-business owners remain unaware of that obligation.

On property insurance, the report noted that policies taken out when a company was smaller may no longer reflect the value of current stock, equipment or premises. Businesses operating from more than one site should also check whether cover applies across all locations where stock or equipment is stored or used.

Leadership strain

The research was accompanied by commentary from CAPE People Development, a consultancy that works with founders and small business leaders. Its co-founders and directors said risk often remains concentrated in the hands of owners even as companies grow more complex.

“In our work with small business owners, we consistently see that they are incredibly capable and committed. But those strengths can disguise the build-up of pressure. It becomes one more decision, one more approval and one more thing that only they can sign off.

“When you’re deeply invested, financially, emotionally and reputationally, it’s easy to blur the line between ‘I care about this’ and ‘I must personally hold this’. As businesses grow, complexity and risk increase, yet many continue holding the same level of personal responsibility, only now the exposure is greater,” said Naomi Regan, Co-Founder and Director at CAPE People Development.

Lynsey Kitching, Co-Founder and Director at CAPE People Development, said owners often delay reviewing governance and risk because immediate work takes priority.

“The mistake many small business owners make is waiting for things to ‘calm down’ before reviewing governance, cover or strategic risk. In reality, things rarely calm down. Urgent work will always feel more compelling than important work.

“Risk isn’t reduced when it’s held in one person’s hands, it’s reduced when responsibility sits in the right place and is clearly owned. If responsibility isn’t clearly named, it will drift back to the small business owner.

“Build a regular rhythm into the calendar and treat it as non-negotiable. If it isn’t protected properly, it will be squeezed out. We often use the ‘glass jar’ model to illustrate this. If you fill your time with ‘sand’ (the reactive, day-to-day demands), there isn’t enough room for the ‘rocks’ (the strategic priorities, risk reviews and governance tasks). They need space allocated before reactive tasks fill the day. Protecting your energy is part of protecting your business,” Kitching said.

DTP Group has published new survey findings on password reuse among UK adults, as executives from Roboshadow and Mimecast warn that attackers are increasingly exploiting human behaviour and weak cyber discipline rather than password strength alone.

The Leeds-based company found that one in eight UK adults, or 12.45 per cent of respondents, use a single password across every account. Censuswide surveyed 1,000 UK adults, and the results were extrapolated using an Office for National Statistics estimate of 54 million adults.

Applied nationally, the data suggests more than six million people in the UK could rely on a single credential across email, banking, shopping and social media. Just 19.12 per cent said they use a unique password for every account, implying that around four in five adults reuse passwords to some degree.

More than a third of respondents, 36.23 per cent, said they rely on between one and three passwords for all their online services. Nearly 60 per cent use six or fewer passwords in total, a pattern that could leave an estimated 32 million people vulnerable if one breached service exposes other accounts.

The number of digital services people manage has grown faster than the number of unique passwords they use. DTP found that 69 per cent of respondents manage between one and 20 password-protected accounts, while only a minority maintain enough distinct passwords to cover them all.

Official fraud statistics point to a related rise in account compromise. Action Fraud recorded 35,434 reports of social media and email account breaches in 2024, up from 22,500 a year earlier. Investigators and industry analysts often cite weak or reused credentials as a root cause.

Security leaders argue that the conversation around World Password Day now extends beyond password complexity rules. Roboshadow Founder and Chief Executive Terry Lewis said modern tools give organisations more visibility into attempted intrusions, but only if they are used consistently.

“World Password Day made sense when passwords were the front line of security, but in 2026, that’s no longer the case.”

“Today, most organisations already have access to enterprise-grade security by default. Multifactor authentication is widely available, passkeys are native to modern devices, and hardware-backed protections like TPM are standard. The issue isn’t technology. It’s discipline, and whether organisations use it consistently.”

“In the AI era, attackers aren’t manually guessing passwords. They’re using automation to continuously scan, probe and enumerate environments at scale. Whether it’s a weak credential, an exposed API key, or a forgotten device, anything visible will eventually be tested.”

The real shift is that enumeration is no longer silent, and organisations can detect it.

Modern security tooling, including SIEM and SOC capabilities, is now more accessible than ever. That means organisations can see when accounts are probed, when credentials are tested, and when unusual authentication patterns emerge, even in environments using MFA or passkeys. AI hasn’t broken security, but it has dramatically increased the volume and persistence of these attempts. It creates constant background noise from systems being tested, credentials being tried and access points being explored.

The organisations that win aren’t those with the most complex or longest password policies. They are the ones that can see this activity, understand it and respond quickly.

In 2026, security isn’t about better passwords. It’s about cyber discipline and the everyday operational habits that keep environments clean, visible and resilient.”

Industry attention has also shifted to how employees respond to phishing attempts and fake login prompts designed to harvest credentials. Mimecast field Chief Information Security Officer Beth Miller said the quality and timing of these lures has improved as attackers adopt generative AI.

“World Password Day is a useful moment, but the industry keeps having the wrong conversation. The question was never ‘are your passwords strong enough?’ It’s ‘why do attackers keep getting through even when they are?'” Miller said.

“AI has changed the equation. The fake login pages I’m seeing now are indistinguishable from the real thing. The lures are contextually accurate, timed well, and crafted to exploit exactly the pressure employees are already under. Credential theft isn’t a technical failure – it’s a behavioural one, and we’ve been slow to treat it that way.”

“Our State of Human Risk data exposes a three-part problem. First, 91% of organisations acknowledge obstacles to employee compliance – they know their people are a risk factor. Second, 96% recognise their protection is incomplete – they know their defences have gaps. Third, nearly three-quarters are still running fragmented defences where people-focused and technology-focused controls never talk to each other. Attackers don’t exploit what organisations fail to see. They exploit what organisations see but fail to connect. That gap – between recognition and action – is where incidents happen.”

“Passwords aren’t going away, and proper password hygiene still matters. But hygiene alone isn’t a strategy. What organisations need is the combination: identity protection at the access layer, real-time detection at the technical layer, and behavioural instrumentation at the human layer. The third is the most underinvested. It is also exactly where attackers are focused.”

Castleforge and Galaxy Data Centres have won planning consent to expand their Redhill data centre campus near London, including a new 15MW facility.

The project is part of a broader expansion at the campus, where the partners have already invested more than GBP £100 million. They now plan a further GBP £200 million investment, taking the gross project value to about GBP £500 million.

Site details

The approved scheme will add a two-storey data centre with four data halls and an office block on the existing 3.1-hectare Foxboro Business Park estate. The site sits just outside London, where operators and investors have been seeking land and power as available capacity tightens.

The development will support a local waste heat recovery initiative. Waste heat from the facility will be reused on site, and the design allows for future export to a neighbouring residential heat network.

Market pressure

The expansion comes as the London data centre market faces growing pressure on supply. London remains Europe’s largest data centre market and the world’s second largest after Northern Virginia. Vacancy has fallen sharply in recent years as demand for colocation space has risen.

Figures cited by the partners show colocation vacancy in London falling from 21.3% in the first quarter of 2021 to 7.4% by the fourth quarter of 2025. They also pointed to estimates showing 302MW of capacity in London’s pipeline, even as development constraints around the capital make new schemes harder to bring forward.

Demand for data centre space around London has been driven by growth in artificial intelligence, cloud computing and hybrid workloads. Operators have also sought sites with reliable power access and strong connectivity to established hubs such as Slough and Docklands.

The Redhill campus currently spans 11,800 square metres across three buildings and serves customers including Fortune 500 businesses in financial services, artificial intelligence and other sectors.

For Castleforge, the scheme adds to a portfolio focused on the built environment. For Galaxy, it reflects the growing role of specialist operators and advisers in a market where access to power, planning and operational expertise is becoming increasingly important. The borough council’s planning committee approved the application.

Executive view

Mike Adcock, Head of Investments, Castleforge, said the approval marked an important step for the project.

“Securing planning consent for our new development at Redhill is a major milestone in our plans to deliver high-quality, sustainable digital infrastructure to one of the world’s most important data centre markets.

Demand for capacity in and around London continues to outpace supply, and this consent enables us to bring forward the additional power and scale required to serve enterprise, hyperscale and edge customers. We are particularly proud of the project’s sustainability credentials, including the potential to export waste heat to local homes, which reflects our commitment to creating places that deliver lasting value for both customers and the surrounding community,” said Adcock.

Paul Leong, Chief Financial Officer and Partner, Galaxy Data Centres, said the approval was central to the partners’ plans for the site.

“This planning consent is a pivotal step in realising the long-term vision we set out when we acquired Redhill alongside Castleforge.

The new facility will significantly expand the capacity available to our customers and ensure Redhill is positioned to meet the evolving needs of edge, hyperscale and enterprise users. We are proud to be delivering a development that combines operational excellence with meaningful sustainability outcomes, and we look forward to bringing the project forward in close collaboration with the local community,” said Leong.

The project has been designed to achieve a BREEAM rating of Very Good and includes low- and zero-carbon technologies. Those features are likely to carry weight in a market where local authorities, communities and customers are paying closer attention to the environmental impact of data centre development.

Redhill’s appeal rests partly on its proximity to London without being in the most constrained central locations. With available land and power around core metropolitan areas under pressure, outer hubs and established campuses have become more attractive to investors looking to expand near major demand centres.

The approval gives Castleforge and Galaxy a route to increase capacity at a campus with operating buildings and existing customers, at a time when operators across Europe are competing for scarce development opportunities.