The level of cyber attacks on organisations has increased tremendously in recent years. When such attacks occur, organisations need to assess the damage and loss from this crime. While large organisations have the mechanisms to determine such losses, SMEs lack such capability and often ignore the need to implement effective information security measures (Kyobe, 2008; Altbeker, 2000; Upfold and Sewry, 2005). Consequently, their risk exposure to cyber threats and the losses they incur from these attacks are often high (Ngo, Zhou, Chonka and Singh, 2009). However, the current legislative requirements, costly legal liabilities for non‑compliance, and increasing pressure by stakeholders (e.g., lenders, business partners) on SMEs to comply with good practices suggest that SMEs cannot ignore security any longer. In order to ensure accountability and compliance with security requirements, it is imperative for SMEs to identify, account for and report cyber incidents and losses resulting from cyber attacks. This study investigated the factors that inhibit SMEs from recognising and measuring losses from cyber attacks in South Africa. A survey involving twenty organisations from different business sectors was conducted, and the results indicate that victimisation, resulting from a lack of awareness of cyber‑crime, has the greatest influence on SMEs' ability to recognise and prepare losses from cyber attacks.