12 February 2026

Survey Uncovers Lack of Cyber Resilience Across Welsh SMEs and Micro-Businesses


A new survey of organisations across Wales has revealed a widespread lack of readiness to meet cyber security threats and frequent underestimation of their potential costs.

Conducted by managed services provider, South Wales-based CSG, through December 2025/January 2026, the research was carried out among businesses and organisations operating across construction, manufacturing, professional services, retail, public services and tourism.

The research revealed that two-thirds of organisations (66%) have already experienced a cyber security incident. Typically, these have included hostile software (malware and ransomware) and service disruption.

The data also shows that micro-businesses with nine or fewer employees are almost as likely (66.7%) as organisations employing between 10 and 249 people (75%) to have faced a cyber attack.

Additionally, more than one in three respondents (33.8%) believes it to be highly likely they will face a cyber security incident over the next 12 months. Expanding the responses to reflect those who believe the threat is at least moderately likely increases the total to 93.3%.

Yet even in the face of this risk, 41% of organisations admit that they do not have a formal strategy to deal with an incident and almost half (47%) provide no regular cyber awareness training to staff to help combat the threat.

Among micro-businesses, the lack of preparation is even more acute with 58% lacking a plan and only 25% providing regular training.

Cyber preparedness varies sharply by sector. While nearly 80% of professional services and construction firms report having a formal cyber response plan, more than half of manufacturing businesses and almost two-thirds of organisations in ‘other’ sectors operate without one.

There is also evidence that the disruption to operations and the potential financial impact are being underestimated. Overall, 65% expect disruption to last for no longer than a week, suggesting many organisations may be underestimating the true operational impact. The remainder believe consequences could be much more severe, anticipating disruption of several weeks or even months.

Expectations of cyber disruption increase sharply with organisation size. While most micro-businesses believe they would recover within a week, around 40% of organisations employing 10–249 people expect disruption lasting weeks or longer, highlighting significant operational risk across Welsh SMEs.

Opinions of the potential cost of an attack also vary significantly. While 45% of respondents said it could cost upwards of £25,000, one in five predicted a much higher figure of more than £100,000, and 10.8% expected an impact greater than £250,000.

At the other extreme, 20.3% played down the likely impact of an incident – believing it would attract costs of no more than £10,000.

Uncertainty about the financial impact of a cyber incident is most acute among smaller Welsh organisations, with more than a third of businesses employing 10–49 people unable to estimate potential costs at all. Medium-sized organisations show significantly higher cost awareness, with nearly four in ten expecting losses above £100,000.

According to CSG Director Matthew Bater, the findings underline a concerning resilience gap for Welsh organisations, particularly the SMEs that form the backbone of the Welsh economy.

“Cyber incidents are no longer a question of ‘if’ but ‘when’,” he said. The survey reveals that while many Welsh organisations recognise the risk, too many are still relying on hope rather than preparation.

“There seems to be a prevailing – and dangerously incorrect – opinion that somehow smaller businesses will pass ‘under the radar’ but as the distribution of reported attacks shows, micro-businesses and smaller enterprises are almost as likely to face an incident as larger organisations.”

Despite the acknowledged level of threat, and relatively low levels of preparedness, more than half of respondents (56.8%) are confident they could respond to a cyber incident, with only one in five (20.3%) reporting low confidence.

“Organisations need to remain aware of the growing risks of cyber threats,” said Matthew Bater. “When cyber attacks happen they can impact fast so it’s important that employees know what to do and organisations have tested strategies to manage the incident.

“Without basic plans, training and tested recovery processes, even a short disruption could have serious consequences and it is essential that thinking switches to resilience and recovery, not just prevention. Doing nothing is no longer a reasonable choice.”


