Many businesses still don’t have the right cyber protection, know the rules around GDPR or realise the risk to their company.
A new poll of SMEs and micro businesses shows more than half are confused by or even unaware of the rules around GDPR, while more than eight in 10 don’t see cyber attacks or data loss as a significant risk for their business.
The poll comes on the back of a survey earlier this year from the National Cyber Security Programme that revealed nearly half of UK businesses experienced at least one cyber security breach or attack in 2017, and 66 per cent of SMEs and 45 per cent of micro businesses were shown to have been victims.
EU rules known as GDPR, which came into force in the UK in May, drastically increased potential penalties on companies found to have misused or mismanaged clients' personal data.
Yet SMEs are sanguine about the changes, with one in five saying they have no plans to invest in it in the coming year, says Chris Mallett, Broking Manager for Aon who commissioned the poll.
According to Dr Emma Philpott from the UK Cyber Security Forum, GDPR has caused companies to focus on this issue briefly, but the effect hasn't lasted.
Dr Philpott is also CEO of the IASME Consortium, an accreditation body for assessing and certifying against the Government's Cyber Essentials Scheme. “As soon as the deadline for GDPR passed, too many thought that was job done and that's where their responsibility ended,” she said.
“The big data breaches in the Press help to raise awareness but they can also cause data breach fatigue; a sense that the time, cost and high-end security to tackle this is complicated and overwhelming,” said Philpott.
“There is a lot of misunderstanding of risks, and still a worry among SMEs that it must be complicated. It is not always about high-end security. It's about having the basics in place to protect you from indiscriminate attacks. Educating staff takes time but doesn’t cost anything at all.”