“Information technology and business are becoming inextricably interwoven. I don’t think anybody can talk meaningfully about one without talking about the other.”
Bill Gates, Founder, Microsoft
Welcome
Having enjoyed more than 20 years in business, we’ve had thousands of conversations with business owners, IT leaders and their employees about how technology can help them to perform better. Today the opportunities technology offers us are seemingly endless. From cracking the UK’s productivity problem right through to a utopia where the machines do the heavy lifting for us, it seems that technology is the answer to all the challenges we face today.
Meanwhile, as business leaders, you’ll also know that wherever there are opportunities, there will inevitably be risks. Whilst organisations are embracing opportunities presented by the likes of cloud computing and AI, they’re also being targeted by an abundance of new threats.
The UK Government’s 2024 Cyber Security Breaches Survey found that 50% of businesses and 32% of charities reported having experienced any kind of cyber security breach or attack during the year, accounting for approximately 718,000 businesses and 65,000 registered charities nationwide. These are only those that were identified and reported. Worryingly, many aren’t.
On the one hand, there’s more reward to be had than ever before. On the other, there’s greater risk. That makes decision making more difficult, which is why we reached out to hundreds of organisations across the region to give them the opportunity to share their thoughts and learn from the insights gathered in this report.
Our goal is to share this data so that you can understand the landscape, benchmark what you are doing, and plan ahead with greater confidence. As one of the leading independent IT companies in the region, we believe that if we work together, the South West’s economy as a whole will benefit.
Thank you for taking the time to contribute to this report, read it and share our findings. My team and I would love to continue the discussion with you.
Dave Smith, Managing Director and Founder of Acronyms
Executive Summary
We’re proud to present the first findings into what organisations in the region are doing, thinking and planning about IT. We hope that it will provide you with a reference point to see where you’re at, enabling you to make smart decisions this year.
Of course, launching an inaugural report, by definition, doesn’t allow us to reference last year’s data or look back over the last decade for clear trends. It does however enable us to check our understanding of the sector based on thousands of conversations with clients over many years.
The headlines make interesting reading:
56% of respondents don’t have an IT strategy in place or they aren’t aware of one
59% of local businesses don’t have KPIs in place measure their IT performance
57% plan to spend more money on IT next year
75% of organisations have never communicated their IT plans and progress with their staff
46% of local businesses have no plans to get the Cyber Essentials accreditation
There is a clear knowledge gap between investment into IT and understanding where funds are best allocated. On the flip side, there is plenty of scope for including IT in organisational strategy, improving company productivity.
We invite you to take a closer look at our regional snapshot. There are recommendations on pages 18 and 19 for you to take away so that together we can create a more informed and secure future.
Our Research
Technology is being talked about more than ever before. Of course, with lots of talk, narratives and myths can grow. What was good practice a few years ago can become ineffective in today’s world.
Our aim for our inaugural report was to cut through the noise and give you something useful. Something which can help you shine a spotlight on your organisation and assess whether your IT performance is amongst the best in the region or whether you have work to do. If you have work to do to improve, we hope this report helps you to priortise and persuade your colleagues to support you.
Introducing our experts
Dave Smith Managing Director
David Parker Technical Director
Tom Moore Business Development Director
Throughout the report, our experts will draw out insights from the data from their own specialist knowledge and provide you with tips or things to consider in the future.
We reached out to hundreds of businesses across the region through our partnerships with Devon Chamber of Commerce, Cornwall Chamber of Commerce, Digital Plymouth, Plymouth Law Society and Cornwall Law Society.
What size company are you working in?
Respondents overview
In terms of sectors, over a third came from professional services which was followed by leisure and hospitality, charities, health, construction and manufacturing.
Views were shared by a range of roles, from CEOs and Managing Directors to IT Directors and Managers, through to Quality and Operations Managers.
“We are really thankful to Acronyms for undertaking this research into the IT landscape in the region. Smart use of technology can make a real difference to our economy and this report (and future editions) can help us to grow our understanding and improve performance.”
Stuart Elford, Chief Executive,
Devon Chamber
Strategy
Surprisingly, the majority of respondents said they didn’t have or didn’t know whether they had an IT strategy.
This suggests those organisations haven’t integrated technology into their overall business strategy. Despite most businesses being reliant on IT in this modern day and age, it may imply that those companies aren’t sure about how technology can best impact the output of their business.
For those who do have a strategy, it was interesting for us to see that 44% of them used a combination of internal team members and external advisors to write their strategy. This shows a well-rounded approach, and acknowledgement that your IT strategy should be considerate of the technology, as well as those that use it.
With that being said however, 54% of those with a strategy hadn’t reviewed it in over 12 months and 75% of organisations have never communicated their IT plans and progress with their staff, suggesting that there is marked room for improvement when it comes to planning IT provisions.
Those businesses with a clear plan that integrates with the wider business strategy, whilst being reviewed regularly and discussed openly with staff, will be benefitting from a more proactive approach than many of their competitors.
“Businesses today simply cannot operate without technology, and yet from a strategic perspective, it’s not at the heart of many businesses. Given your business is reliant upon it, I’d strongly recommend any business owner dedicates some of their planning time to how the technology you use can help your businesses achieve its goals, not just today, but into the future.”
Dave Smith, Managing Director, Acronyms
Dont know 6%
Do you have key performance indicators in place to monitor IT perfomance?
Yes 27% No 59%
Dont know 14%
It was surprising to see that less than 30% of organisations have key performance indicators in place. We are seeing that most respondents don’t have a strategy and don’t know how they perform. Combined with a plan to increase spending, this is slightly worrying. However, it must be said, it isn’t difficult to rectify and and doesn’t need a huge amount of time or resource.
“It is positive to see that businesses are looking to invest in their IT. It is an opportunity to increase efficiency and drive commercial advantage. That being said, it has to be done strategically, with long-term thinking in mind. Making sure you are investing in areas that will have real business impact is going to be paramount to business success. Especially at a time when technology is becoming the great leveller. My biggest concern is for those businesses with no strategy or measurement in place.”
Gavin Jones, Head of Innovation, Elixel
“As the adage goes, what gets measured, gets done. Your IT doesn’t require overly complex KPIs but understanding your downtime in a year, the number of requests your team make to the IT technicians and what sort of issues they have, allows you to plan proactively for future years to come.”
David Parker, Technical Director, Acronyms
Budget
Do you expect your IT spend to change in the next financial year?
Stay
57% of respondents plan to invest more in their IT infrastructure in their next financial year, whilst very few are looking to decrease spending, which is consistent with the conversations we are having with our clients.
Over the last few years, we’ve typically seen more businesses move from one-off payment models, to recurring monthly fees largely through the adoption of cloud-based technology. This allows organisations to plan their expenditure better, while avoiding large capital investments and costly surprises at times when capital can be tight.
How is the budget determined?
Per employee
Percentage of revenue
Another method
Rank your IT budget in order of financial priority?
High number, higher priority
The priorities within the IT budget seem to be fairly evenly distributed across different areas. Cyber security comes out as the highest priority overall with investing in ‘IT Specific Staff’ lowest. It would be interesting to assess whether those organisations feel that they have the right team in place already or whether they are looking to divert funds to more external support.
“As a business owner myself, this data worried me. Over 50% of respondents don’t have a strategy and yet over 50% intend to spend more money! It’s unlikely you’d spend money in any other area of your business without consideration, so why not IT?
Where is this money being spent? Business can’t possibly know if it’s money well spent, without a strategy to guide it.”
Dave Smith, Managing Director, Acronyms
Internet Connectivity
Does your business have a failover internet connection?
Probably the most striking response here is that 43% of respondents don’t know whether they have failover internet connectivity or not. Whilst not critical for all businesses, not knowing could be considered worrying from a business continuity standpoint.
When asked how much money it would cost their organisation if they had no internet access for a day, the responses were wide and varied from “I don’t know” to specific values, that have clearly demonstrated calculated sums of money, representative of a business with a thought-out business continuity plan.
The expectation of over half of businesses surveyed is to lose no more than two and a half hours of down time from such an eventuality. Therefore, if your organisation is happy with being offline for a day or more, you may wish to consider how you can remedy such a situation quicker. If you don’t have contractual Service Level Agreements as standard, these are a good way to ensure that your downtime is managed, remedied or compensated in the event of a drop in service.
How much time would you tolerate without an internet connection?
It is clear that there is a lack of knowledge when it comes to connectivity. From a risk perspective, this is a weakness. However, it could be easily remedied with a business continuity plan and doing some stress testing across the organisation.
Businesses cannot operate without an internet connection. Even the most prepared of businesses will suffer financial losses from a drop in service. Sending staff home for example, even when done efficiently, takes time and organisation. For many businesses a leased line connection offers the right blend of reliability with Service Level Agreements and cost, whilst a failover connection for larger businesses is recommended to ensure key staff can remain operational in the worst of circumstances.
Tom Moore, Business Development Director, Acronyms
NMA Case Study
During 2024, long-term Acronyms customer the National Marine Aquarium lost internet service via its primary connection during a busy weekend. As a leisure facility, the weekend is crucial for the National Marine Aquarium, with its ticketing system and tills reliant on the internet to work. This fault, a problem entirely beyond their control, had minimal impact on the business.
As a result of their failover connection, that kicked in shortly after the issue was identified, the National Marine Aquarium managed to continue operating as normal, with only a small drop-in service whilst systems reacted to the change in connection.
Whilst the internet service provider spent 16 hours repairing the external connection, staff and guests of the aquarium were for the most part unaware that they were without their primary connection. Had the NMA not prepared with a failover connection, it would have been a very different story.
“Unfortunately, sometimes things go wrong that are beyond anyone’s control. Nonetheless, they can cause a big impact. A drop in internet over the weekend at the NMA could have cost them tens of thousands of pounds, not to mention the reputational damage of ruining many weekends.
A well-prepared organisation, with a plan and a simple failover connection that costs less per year than the potential damage that weekend, ensured things continued to operate as they should.”
Tom Moore, Business Development Director, Acronyms
Cyber Security
The vast majority of businesses have both antivirus and anti-spam software in place as standard. However, traditional antivirus solutions fall well behind the evolution curve of security software.
Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) are the current standard, with Extended Detection and Response (XDR) solutions becoming more commercially viable for the majority of businesses all the time.
From our experience a good number of businesses may already have these solutions in place, but don’t understand the difference between traditional antivirus and these solutions. Whilst not critical to know the nitty gritty about IT, it’s important the IT industry brings businesses on the journey with them as products develop. These new solutions sound complicated, but more often than not they just operate in the background, whilst being far more effective than traditional alternatives. To the right we’ve detailed briefly how antivirus has developed in recent years.
“Given all the talk around cyber crime and industry guidance changing from source to source it’s no wonder that this is a mixed bag. We’re typically advising businesses move away from traditional antivirus and towards next generation alternatives such as EDR and MDR. These new technologies utilise the likes of AI to detect and stop threats far more efficiently than older antivirus software.”
David Parker, Technical Director, Acronyms
Which of the following do you have in place?
Antivirus
Anti-spam / Email Filtering
Endpoint Detection and Response
Managed Detection and Response
Password Managers
Pardon the pun, but this is an area where you could get really lost in the Acronyms! The main thing to focus on here is how you use a combination of the available technology to protect your organisation.
Managed Detection and Response (MDR) - Given the increased level of data that can be presented, it is important to be able to sift through it and take action if necessary. Most organisations will use a MDR service provider to alert them to threats that need attention.
Endpoint Detection and Response (EDR) - With around 70% of all breaches starting from end points (desktops, laptops, smartphones, tablets) EDR became popular in the last decade for its ability to quickly scan against known threats and provide protection. This proactive approach continuously monitors your endpoints for threats, allowing them to be mitigated swiftly, reducing potential harm.
Extended Detection and Response (XDR) - The next generation of EDR which goes right across your IT infrastructure rather than just focusing on endpoint threats. Increasingly utilising AI to flag unusual patterns in your network and cloud. This can present you with lots of data which needs to be managed.
Multi Factor Authentication (MFA) - MFA has been around since the mid 2000s but has become widely used during and since the pandemic given that people are in different locations using different devices which increases exposure. Paid MFA solutions have become much more mainstream of late because they are an effective front line defence against password hacks. Currently less than 30% of organisations have MFA in place across all of their services. MFA is quick to implement and is one of the most cost-effective measures any organisation can make to secure their business against the threat of cyber crime.
Do you have multi-factor authentication (MFA) in place?
Across all services
Across
Security Awareness Training
Does your business conduct any cyber security training awareness?
Whilst cyber security ranked as the highest priority for respondents, it is notable that over half of them do not currently conduct security awareness training. Given the rising threat levels and increased sophistication of the tactics and technology used, this training feels like a real opportunity to de-risk.
Of those conducting training, methods range from online modules to simulating attacks. Others include cyber awareness training as part of their induction process with mandatory training for existing employees.
“As our Official IT Partner, Acronyms have played an active role in engaging our member firms in cyber awareness and training. Their approach is really collaborative and supportive and I am thankful to them for producing their inaugural report.”
Carrie Laws, President, Plymouth Law Society
Our client First Light have been reaping the rewards of KnowBe4 SAT.
First Light are a domestic abuse charity in the South West of England. The nature of their work means they handle lots of sensitive data.
KnowBe4 is a leading security awareness training platform, relied on by some of the world’s largest companies, that combines an extensive library of training content and a fully customisable phishing simulator. In 2024, KnowBe4 reported that the likelihood of an employee falling for a phishing attempt drops from 34.3% to 4.6% after 12 months of using KnowBe4 Security Awareness Training.
Facing a cybersecurity breach is simply not an option for the organisation. They would risk exposing sensitive cases whilst facing hefty fines and downtime. We deployed KnowBe4 SAT to improve the human layer in their security stack. Since deployment in 2023, First Light have seen a significant uplift in security awareness and understanding at all levels.
“KnowBe4 has been highly effective, with comprehensive modules and phishing simulations that significantly improve our staff’s ability to recognise and avoid security threats. The platform is easy to use and has some great reporting features. Our click rate on phishing simulations has drastically decreased from the first month to recent months, showing that the platform is working well. Overall, KnowBe4 has greatly enhanced our security awareness as an organisation.”
Mara Fitzgerald, Business Support Manager at First Light
“Acronyms cyber security awareness training was incredibly engaging and informative. Using LEGO to demonstrate complex concepts made the learning process fun and memorable. It was fascinating to see how problem-solving with LEGO could translate to understanding cyber security strategies. I left the event feeling more confident in my ability to recognise and respond to cyber threats.”
Pam
Dosanjh Phillips, President, Cornwall Law Society
Compliance
What accreditations do you have?
Cyber Essentials
Cyber Essentials +
ISO 9001 Quaility Management
Industry Body Specific
None of the above
Cyber Essentials leads the way as the quality standard for IT. When asked why, those who have the accreditation cited in order: best practice; industry body requirement; requirement for private sector contracts; requirement for public sector tenders; and reducing insurance premiums as their reasons for doing so.
“Cyber Essentials is moving from a ‘nice to have’ to a ‘must have’ for most organisations and is a good way of setting solid foundations for your cyber security efforts. It changes year on year, keeping pace with the development of technology and threats, making it more than just a tick box exercise and shows your clients, suppliers and employees that you’re taking their data protection seriously.”
Tom Moore, Business Development Director, Acronyms
If you do not have Cyber Essentials, are you planning to?
Yes - 0 in next 6 months
Yes - 0 in next 12 months
Yes - 0 in next 24 months
Already Cyber Essentials Accredited
There are clear commercial reasons to pursue Cyber Essentials which is why we are experiencing more demand from organisations to help them get there. Given 57% of respondents do not have any kind of IT accreditation as things stand, whilst becoming more popular this still presents itself as an opportunity for businesses to differentiate themselves against their competitors.
With that being said more organisations are planning to gain Cyber Essentials accreditation over the next two years than those who don’t have it in their plans.
Recommendations
Having considered the findings of the survey, we’ve gathered several recommendations we’d suggest businesses implement. Some of these recommendations may be suitable for your business, whilst others may not. Remember the findings are based on lots of businesses, so, you may already be doing some of this! IT can also be very specific company to company, based on what technology you have and the goals of your organisation, so be sure to check with your internal IT team or IT provider.
With that being said, we believe that by implementing the advice below it’ll ensure your business will be both more productive and secure throughout 2025. And what’s more, the advice we’ve picked will be relatively straightforward for most companies to implement.
Strategy
Set KPIs for your IT provision
Setting some simple KPIs for your IT provision within your business is the simplest way you can get control over the technology you rely on every day. This doesn’t need to be complicated. Look at metrics such as uptime (how long everything is operational) as well as the number of requests and type of requests made of your IT support desk.
Write an IT strategy that can inform your overall strategy and budget
Basic KPIs like those detailed above can form the basis on a wider IT strategy, informing you on what areas of IT need addressing for improvement. For example, if your team are frequently requesting support with a phone system, you can investigate whether investment is required in that area.
Internet
Invest in a failover internet connection
Businesses are becoming less tolerant of downtime. Whilst leased lines come with Service Level Agreements and give you more control than other internet connections, things can still go wrong. Failover connections for business-critical staff are an effective way to ensure that even in the worst scenario your business remains operational.
Security
Roll out Multi-Factor Authentication (MFA) across all your services
MFA is arguably the most cost-effective way to secure your business from malicious intent. You can turn MFA on as part of any Microsoft products for free, whilst many cloud-services also offer the same.
Implement next generation cyber security software
We think there’s a fair chance that a good number of the respondents that said they had antivirus software actually have something more sophisticated, so check! Ask your IT team or IT provider. Powerful cyber security software that utilises technology such as AI is now a lot cheaper and more accessible than people think for businesses of all sizes, and helps protect you against the latest developing threats.
Provide your staff with Security Awareness Training (SAT)
Unfortunately, whilst your staff are the best line of defence in the fight against cyber crime, poorly trained staff can be your weakest link. Provide employees with training that will give them the confidence to detect and avoid cyber attacks. Working together with your staff is the most proactive step you can take to avoid failing victim to cyber crime.
Compliance
Achieve a Cyber Essentials Accreditation
Many companies are a lot closer to Cyber Essentials accreditations than they imagine, whilst most of the advice throughout this report will get you a step closer too. Set a target to be accredited by a certain date and work towards it. Each little step you take will make your business more secure, protecting your assets and reputation.
If Cyber Essentials (or similar) becomes a requirement of businesses, it’s better to be prepared in advance, rather than rushing around to get things done.
How To Get Involved
Having been in business for over 20 years (we’re older than the iPhone!) we’re always excited by the future of technology.
More than that though, we’re passionate about what that means for businesses across the South West and we want to share that excitement with you.
The Acronyms IT Report will be back in 2026 and with a year under our belt, we’ll also be able to add comparisons to our research.
If you’d like to get involved with this report, whether it’s taking part in the survey, reading the data, attending launch events or roundtables, please make sure you sign up below. The more organisations involved, the more thorough our research can be.
We’re also keen to hear your thoughts and feedback. We want to make sure this report benefits your organisation, and with it being the inaugural report, we know there will be areas for improvement.
If you have any suggestions, please let us know at itreport@acronyms.co.uk.
- Research and content
- Branding and design
We are really grateful to respondents, advocates, and our suppliers in helping us bring together a report which we hope will increase knowledge and inform decision making for organisations here in the South West.
Those of you who took part in the survey will know that we promised to make an additional donation to Trevi, our Charity of the Year. We’re delighted to say that as a combination of your survey responses, match-funding from the Big Give and other fundraising efforts, we were able to hand Trevi a cheque for £1,012 at the IT Report launch event to support the most vulnerable women in our community.
For more information about Trevi visit trevi.org.uk
