Only 10% of UK small businesses give staff AI security training, survey finds
TL;DR:
- A MoneySuperMarket survey of 250 UK sole traders and SMBs (1-49 employees) finds only 10% currently provide staff with AI security training.
- 44% of small business owners worry that using AI without proper safeguards exposes them to cyber threats; one in five say they would feel unprepared if targeted by a cyber-attack.
- Scotland leads regional AI adoption interest at 50%, ahead of the South East (48%) and South West (43%); Wales and Yorkshire lag at 20%.
The data quantifies a gap UK enterprise readers have suspected: SMBs are interested in AI but lacking the operational maturity to deploy it safely. Just 15% currently use AI for administrative work; 19% have deployed it for marketing. But 36% want to automate admin, reporting and research with AI — a gulf between intent and capability.
Context
The survey lands alongside two other UK signals in the same beat. Earlier today, Edinburgh-Strathclyde-Cambridge researchers reported that AI is not (yet) democratising offensive cybercrime capability, but warned the larger near-term risk is poorly secured AI deployments by legitimate organisations. The NCSC separately advised UK organisations to prepare for an AI-driven vulnerability “patch wave” — guidance written for organisations with mature patch-management processes that most small businesses do not have.
For SMBs the strategic question is operational: which controls matter most when training is impractical? Default-on automatic updates, sensible least-privilege defaults on cloud SaaS subscriptions, and basic Cyber Essentials certification cover most of the realistic threat model without requiring formal AI security curricula. Insurers writing cyber cover for SMBs are increasingly making Cyber Essentials a precondition; this MoneySuperMarket survey suggests few SMBs currently meet that threshold.
The Scotland-leads-adoption finding deserves attention. Scotland also ranks highly in cybersecurity concern (60% worried about AI-related risks) — suggesting Scottish SMBs are paying more attention to both sides of the AI deployment trade-off. The recent University of Aberdeen and Edinburgh research activity on AI security adds context to that pattern.
Looking forward
For UK SaaS vendors selling into the SMB market, the survey is a clear procurement signal: built-in compliance and security defaults matter more than configurable controls. For the National Cyber Security Centre and CyberFirst, the gap between SMB AI adoption interest (36%) and SMB AI security training provision (10%) is exactly the kind of measurable gap that targeted interventions — published baseline guidance, free Cyber Essentials Plus uplift, simplified training resources — can close in months rather than years.