Skip to content
ADVERTISEMENT
News

Two-fifths of SME employees take on cybersecurity responsibilities beyond job description

Uswitch Business Broadband found that 37% of SME employees said cybersecurity was not part of their role when they started their job.

2 min read
Share
Cyber security, Business, technology, internet and networking, software development, digital data protection concept. Hacker hacking data on laptop computer with pop up antivirus system
ADVERTISEMENT

Almost two-fifths of small to medium-sized enterprise (SME) employees have taken on cybersecurity responsibilities that were not included in their original job description, according to research from Uswitch Business Broadband.

The survey found that 37% of SME employees said cybersecurity was not part of their role when they started their job, while a further 14% said they were unsure or could not remember.

The findings come as 43% of businesses reported a cybersecurity breach or attack in 2025, highlighting the growing pressure on SMEs to manage cyber risks with limited specialist resources.

The research also pointed to gaps in employee training and confidence. Just 39% of SME employees with cybersecurity responsibilities said they had received comprehensive cybersecurity training, while 45% had only completed basic training and 16% said they had never received any relevant training.

Confidence levels also varied.

One in five employees said they were very confident in managing cybersecurity risks, while 51% described themselves as only “somewhat confident”.

A further 21% were neutral, with 7% saying they were not very confident and 1% not confident at all.

Many employees also reported feeling underprepared when dealing with cybersecurity issues at work.

ADVERTISEMENT

More than half (52%) said they sometimes felt out of their depth, while 12% said they felt this often.

Almost a quarter (24%) said they rarely felt out of their depth and 6% said they never did.

The biggest barrier to effective cybersecurity management identified by SME employees was a lack of training, cited by 45% of respondents.

ADVERTISEMENT

This was followed by a lack of dedicated staff (31%) and limited budgets (20%).

Other challenges included too many competing responsibilities (17%), lack of awareness (17%), low prioritisation by leadership (15%) and a lack of clear ownership or responsibility (12%).

A spokesperson at Uswitch Business Broadband said: “Cybersecurity is no longer confined to IT departments, particularly within SMEs, where responsibilities are often shared across non-specialist staff.

“Our findings suggest many employees are now expected to contribute to cybersecurity-related tasks, despite varying levels of confidence and training.

“To support this shift, SMEs should ensure employees have access to regular, relevant cybersecurity training that helps build confidence in recognising and responding to potential risks.

“Clearly defining who is responsible for cybersecurity within teams can likewise help to reduce uncertainty, ensuring employees understand where accountability lies when issues arise.

“Giving cybersecurity greater visibility at the leadership level, and ensuring it is prioritised alongside other business pressures, can also help organisations embed stronger, more consistent cyber practices across the board.”

Related

ADVERTISEMENT