Smaller businesses exhibit widespread weaknesses in cyber hygiene, including a lack of basic email security protections, highlighting cyber exposure and a significant opportunity for insurers to support improved resilience, according to Ben Duffy, VP and Head of North America at KYND.
Cyber risk intelligence provider KYND has released research based on 7,980 small and medium-sized businesses (SMBs) across the US and Canada, and 830 UK small and medium-sized enterprises (SMEs).
The research identified weaknesses in cyber hygiene, including poor email authentication, outdated software and exposed internet-facing services commonly linked to phishing, ransomware and business email compromise attacks.
KYND found that more than half (54.9%) of SMBs in North America lack basic email security protections, compared with nearly a third (31.7%) of UK SMEs.
Meanwhile, 51% of North American SMBs and 55.1% of UK SMEs are running outdated software, increasing their exposure to cyber threats.
In addition, 10.7% of North American SMBs and 8.0% of UK SMEs have exposed file-sharing services (Server Message Block), while 9.5% and 5.8%, respectively, have exposed remote access systems (Remote Desktop Protocol).
4.3% of North American SMBs and 2.7% of UK SMEs have both remote access and file-sharing services exposed simultaneously, creating multiple potential entry points for attackers.
Duffy noted that these weaknesses are commonly exploited in real-world attacks, with ransomware and business email compromise continuing to drive a significant proportion of global cyber insurance claims.
Despite this, cyber insurance penetration among SMEs and SMBs remains relatively low — often estimated at below 10% in many segments — highlighting a substantial gap between cyber exposure and protection.
Ben Duffy, VP and Head of North America at KYND, said, “Many of these risks are externally visible and relatively easy for attackers to identify. What this research shows is that cyber exposure among SMEs and SMBs is widespread, measurable and often preventable.
“There is a clear opportunity for insurers and brokers to play a more proactive role by combining insurance cover with practical, data-led cyber risk insight. Better visibility of exposure can help improve underwriting, reduce friction across the insurance lifecycle and ultimately support stronger cyber resilience among smaller businesses.”
KYND emphasised that improved access to external cyber risk intelligence could help insurers streamline underwriting, support brokers in expanding SME cyber portfolios and deliver more proactive risk management services to clients.
The company is urging insurers to use external risk signals to improve underwriting accuracy and portfolio segmentation, support SMBs with practical insights to reduce exposure before incidents occur, simplify the process of selling and renewing cyber insurance through better data, and move towards continuous monitoring of cyber risk across insured portfolios.
Duffy added, “Cyber risk is a core business risk for smaller organisations globally. By helping businesses better understand and manage that exposure, insurers have an opportunity to create value both for their clients and their own portfolios.”
