For too long, smaller businesses have been the poor relation of crime victims in England and Wales. Yet the amount of crime perpetrated against smaller businesses is quite simply staggering. And the cost of crime to small businesses and to the wider UK economy draws into sharp relief the need for urgent action. FSB research shows that traditional crime, such as robbery and criminal damage, is just as prevalent as cybercrime. In fact, the average cost of traditional crime to a small business is double that of cybercrime. Theft, burglary and cybercrime are the most frequently reported crimes for small businesses.
Rather than being passive victims, many smaller firms recognise that they have agency. FSB research shows that the vast majority of smaller businesses have taken at least one ‘deterrent’ measure to protect themselves against traditional and/or cybercrime. But they cannot achieve success on their own.
They urgently need the Government to ensure sufficient funding and resources to improve police capability and capacity. The recent Government announcement of an extra 20,000 police officers is a welcome step in the right direction. However, this does not bring England and Wales up to the European average number of police per 100,000 people. Significant extra funding would be needed to achieve that.
For too long, smaller businesses have been the poor relation of crime victims in England and Wales.
Improved data collection on business crime is the essential building block for the design of better policy interventions. This would require a simplified and consistent definition of business crime, a single online reporting hub for all non-emergency crime (building on lessons learned from Action Fraud which is widely recognised as ineffective) and a commitment to a regular, comprehensive business crime survey, following the approach of the Crime Survey for England and Wales.
Police and Crime Commissioners have not been game changers in terms of law enforcement doing more to tackle crime threats to local business communities. That is why we are calling on Government to introduce a code of practice which sets out a performance framework for PCCs. This could include good practice benchmarks on engagement with the local business community.
Last, but by no means least, we are calling for a comprehensive review of the division of responsibilities between different levels of policing in England and Wales. Local forces (with appropriate improvements), overseen by local representatives like a PCC, remain central to ensuring accountability over the majority of policing and ensure that local differences and interests are reflected in policing priorities. But it is clear that cybercrime and fraud require a critical-mass of resources, expertise and coordination that a mosaic of local forces are unable to provide.
The Government’s laser focus on crime is welcome. Now is the time to buck the trend and make sure that small businesses share the benefits of tackling crime in all its forms.
On average, traditional crime has affected businesses by over £14,000 over two years.
...of traditional business crime.
50% of small firms have been a victim of crime
3.9 million - annual cost to small businesses of cyber crime
£12.9 billion - annual cost to small businesses of traditional crime
Most frequently reported
Smaller businesses across the UK are particularly vulnerable to business crime, which has often been considered the poor relation to other forms of crime. This report demonstrates the extent of small business crime, the type of crimes they experience, the average costs to individual businesses owners and the wider economic impact.
Within the report we share insights gathered through in-depth survey work and qualitative evidence collected from interviews with FSB members and local business representatives. This report is split into five parts. The first part focuses on the extent of crime experienced by smaller businesses. The second part focuses on ‘traditional crime’. Examples of traditional crime include: burglary or robbery, theft by a third party, criminal damage to property and in-person processing of fraudulent payments. The third section of this report explores the impact of cybercrime, including phishing, malware and online processing of fraudulent payments. The fourth part looks at the impact of crime on individual businesses, with particular regard to those crimes that small firms say caused the most disruption. This section shows how infrequently such crimes are reported and to whom, and explores the response of the police. The final section of this report assesses how much priority is given to business crime by Police and Crime Commissioners and local constabularies.
- 49% of smaller businesses in England and Wales – about 2.54 million firms – have experienced at least one business crime in the previous two years
- 34% of smaller businesses in England and Wales – about 1.79 million firms - have experienced at least one ‘traditional’ business crime in the previous two years
- 20% of smaller businesses in England and Wales – about 1.06 million firms – have experienced at least one cybercrime in the previous two years
- Only 5% of smaller businesses have experienced both traditional crime and cybercrime in the previous two years
- 3.8 million incidents of traditional business crime
- 3.9 million incidents of cybercrime
- Of those smaller businesses that experienced ‘traditional’ crime in the previous two years, the most frequently-reported types are:
- Robbery and Burglary (42%)
- Theft (38%)
- Criminal Damage (36%)
- 83% of all traditional business crime comprised of robbery and burglary, third party theft and criminal damage to property
- Of those smaller businesses that experienced cybercrime in the previous two years, the most frequently-reported types are:
- Phishing – including spear phishing (51%)
- Malware (36%)
- Processing fraudulent payment online (29%)
- The experience of business crime in the regions of England and Wales is varied.
- In Wales 40% of smaller businesses were hit by crime over a two-year-period but the figure was higher in five English regions, with more than half of firms saying they had experienced crime over the same period
- In all regions of England, small businesses were significantly more likely to experience traditional crime than cybercrime, with the largest differential being found in the East Midlands with a difference of 51% and the lowest differential being identified in the South West and the South East with a difference of 19%
- In all sectors but two the proportion of small businesses impacted by traditional crime is higher than for cybercrime
- In the Information and Communications sector and the Professional, Scientific and Technical sector, the proportion of small businesses impacted by cybercrime is higher than that for traditional crime. For all other sectors the proportion of businesses experiencing business crime is greater than that of businesses experiencing cyber crime
- For the Wholesale and Retail sector (where the incidence of traditional crime is higher than that of cybercrime) there is a 55 percentage point difference in the proportion of smaller businesses impacted by traditional crime as opposed to cybercrime, while for the Accommodation sector there is a 51 percentage point differential
- For traditional crime:
- The average cost per affected business was £14,360 over two years
- The average cost per crime is £3,340
- The per annum aggregate direct cost of traditional crime in England and Wales is £12.9 billion
- For cybercrime:
- The average cost per over two years business was £7,093 over two years
- The average cost per crime is £972
- The per annum, aggregate direct cost of cybercrime in England and Wales is £3.75 billion
- Nearly three-quarters (71%) of smaller businesses have taken at least one ‘defensive’ measure against traditional business crime
- The most frequent security measures taken by smaller businesses are:
- Installed or upgraded physical security, e.g. locks, alarms and CCTV (46%)
- Improved insurance cover (12%)
- Introduced anti-fraud measures (12%)
- Some of the least frequent security measures taken by smaller businesses include:
- Seeking advice from the police about crime prevention (9%)
- Joining a Business Watch, Business Crime Partnership or Community Safety Partnership
- 90% of smaller businesses in England and Wales have invested in at least one cyber-resilience measure to protect their business
- The average number of cyber resiliencemeasures undertaken by smaller businesses is around five
- Some of the most common deterrence measures undertaken include: security software installed (65%), regular software updates on IT systems (60%) and regularly backing up data and IT systems (59%)
- Some of the least common deterrence measures undertaken include: sourcing advice from the police (4%), sourcing advice from Government’s National Cyber Security Centre (4%), sourcing advice from Government’s Cyber Aware or Get Safe Online initiatives, specific measures to reduce the risk exposure to bribery (4%) and application of a recognised security standard or Cyber Essentials (2%)
- The most impactful crimes are those which create the most cost and disruption to smaller businesses. The top three are:
- Theft (23%)
- Burglary (20%)
- Cybercrime (20%)
- Of those smaller businesses who suffered from at least one disruptive crimein the previous two years:
- Just over a fifth (21%) did not report the crime to any authorities
- 52% reported the crime to the police
- 7% reported the crime to Action Fraud
- The most common reasons given for not reporting an disruptive crime to police include:
- No confidence in police response (38%)
- No plans to make an insurance claim (38%)
- Too busy (32%)
- In around one in ten instances (11%) the police did not attend the scene or provide a crime number
- In 13% of cases police attended at least 24 hours after the crime was reported to them
- In 15% of cases the police attended within one hour of the crime being reported to them
- In 45% of cases, the police took no further action
- In a further 44% of cases, the police either did not identify the perpetrators or they did identify them but failed to make any arrests
- Only in around one in ten cases (11%) did the police investigate and arrest the perpetrators
Summary of recommendations
The recommendations within this report fall into three categories:
1. Improving information and transparency
In order to better tackle crime against small businesses, both policymakers and law enforcement need a clearer idea of its scale, scope and nature. Currently, the available data on the criminality suffered by smaller businesses is partial. It is not comprehensive enough to be useable by policymakers and the police for planning the distribution of law enforcement resources. Nor is it robust enough for smaller businesses and their representatives to use to hold the authorities accountable for their performance.
2. Improving police capacity and capability
A step change in police resourcing is needed if the police are to properly tackle crimes against business, in addition to other demands on their existing resources. Many crimes, such as cybercrime, are inherently difficult to police and require additional capacity and capability. And in the rapidly-changing crime environment, the law needs to keep up to date with developments and provide law enforcement with ample legal authority and contemporary tools to tackle crime.
3. Improving organisation, governance and accountability
The introduction of Police and Crime Commissioners (PCCs) has not brought about the hopedfor shift towards law enforcement doing more to tackle the crime threats to local business communities. Improvements to the current governance structures around policing to improve accountability are needed. Changes to the organisation of policing would help relieve some of the rapidly changing and expanding demands on local constabularies. This would release more resources at the local level for local priorities such as ‘traditional’ crimes perpetrated against the small business community. An effective way of improving the accountability of policing to the local business community is through strengthening the relationship between local business communities and the relevant PCC. Additionally, bolstering the authority of the PCCs over local policing priorities is key.
Download the full report