For many small and medium-sized businesses (SMBs), cybersecurity might seem like a problem for larger organisations such as banks, tech giants, and government bodies. It’s tempting to believe that your company, with its modest size and local footprint, could fly under the radar of cyber threat actors.
According to last year’s Cyber Security Breaches Survey (UK Government), half of all UK businesses (50%) and around a third of charities (32%) report experiencing a cybersecurity breach or attack in the past 12 months. For medium-sized businesses, the figure is even higher: 70% reportedly fell victim.
The message could not be clearer: cybersecurity is no longer optional for SMBs. It is a fundamental part of doing business today.
The Current Landscape: Breaches Are the Rule, Not the Exception
A summary of the 2024 findings:
- 50% of businesses and 32% of charities suffered a breach in the past year.
- For medium-sized businesses, the breach rate climbs to 70%.
- Large businesses (74%) and high-income charities (£500,000+ annual income, 66%) are similarly affected.
Cybersecurity breaches have become so commonplace that any business assuming “it won’t happen to us” is operating on dangerously outdated thinking. While we don’t believe in spreading the “it’s a matter of when, not if” FUD circulating on the internet, the fact is that unless steps are taken, the likelihood of a cyber incident is far higher than most organisations would be comfortable accepting.
Size offers no immunity. In fact, SMBs are often seen as easier targets precisely because they tend to have fewer resources dedicated to cybersecurity than large corporations.
Take steps to reduce both the likelihood of an attack and the potential cost and operational impact of any successful attack.
Why Cybercriminals Target Small and Medium Businesses
It’s a myth that cyber attackers are only interested in “big fish.” Today’s threat actors increasingly focus on SMBs for several reasons:
Lower Defences
SMBs often lack the sophisticated defences of larger firms: no dedicated cybersecurity staff, weaker firewalls, poorly configured systems, and minimal monitoring. Attackers know they stand a better chance of succeeding with minimal effort.
Valuable Data
Even small businesses store sensitive information: customer records, payment details, intellectual property, and employee data. All of this can be stolen, sold, or held hostage for ransom.
Supply Chain Leverage
SMBs often supply goods and services to larger organisations. Compromising an SMB can be a stepping stone to reaching a bigger target, a tactic known as supply chain attacks.
Financial Impact
A cyberattack on an SMB can cripple operations, damage reputations, and lead to insolvency. Attackers know that SMBs are more likely to pay ransoms quickly just to survive.
In short, SMBs represent high-reward, low-risk opportunities for cybercriminals.
Most Common Attacks Against SMBs
The 2024 Cyber Security Breaches Survey reveals the attack types businesses are facing, and phishing stands out by a wide margin.
Phishing (84% of Businesses)
Phishing remains the most common method of attack, affecting 84% of businesses and 83% of charities that experienced a breach.
These attacks trick employees into clicking malicious links, entering credentials into fake login pages, or downloading malware disguised as legitimate files.
Why it works: Phishing exploits human psychology (trust, urgency, fear) rather than technological weaknesses. Without proper training and email filtering, even vigilant staff can fall victim.
Impersonation Attacks (35% of Businesses)
Attackers also engage in impersonation tactics, such as spoofing emails or websites to appear as trusted partners, suppliers, or internal executives.
This includes tactics like:
- Business Email Compromise (BEC) scams
- Fake invoice submissions
- CEO fraud (where attackers impersonate senior executives requesting urgent payments)
Why it works: Staff are accustomed to responding promptly to senior leadership or vendors, especially in fast-paced environments.
Viruses and Malware (17% of Businesses)
Malware attacks, including ransomware, trojans, and spyware, account for a smaller but still significant share of incidents.
Often delivered through phishing emails or compromised websites, malware can:
- Encrypt data (ransomware)
- Steal login credentials (keyloggers)
- Spy on communications (remote access trojans)
Why it works: Many SMBs lack advanced endpoint protection, network segmentation, and proactive monitoring.
The Hidden Costs of a Cyber Attack on an SMB
When an SMB falls victim to a breach or attack, the financial impact can be devastating. But the true cost goes far beyond the initial ransom or downtime.
Consider these factors:
- Business interruption: Lost sales, production delays, missed opportunities
- Recovery costs: IT forensics, system rebuilds, software replacements
- Reputational damage: Loss of customer trust, negative media coverage
- Legal and regulatory penalties: Particularly under GDPR and other data protection laws
- Insurance premiums: Post-breach, cyber insurance becomes more expensive — or even inaccessible
- Emotional toll: Stress on leadership teams and employees
Studies show that 60% of SMBs that suffer a major cyber attack go out of business within six months. This is not just an IT problem; it’s an existential business risk.
Practical Steps SMBs Should Take Today
Cybersecurity doesn’t have to be overwhelming or prohibitively expensive. The NCSC, as well as vendor-advised best practice, suggests a number of attainable actions that SMBs can take.
1. Strengthen Email Security
- Implement advanced spam and phishing filters
- Use email authentication protocols like SPF, DKIM, and DMARC
- Train employees to spot phishing emails
2. Provide Cyber Awareness Training
- Regular, engaging training for all staff
- Simulated phishing campaigns to test readiness
- Empower employees to report suspicious activity
3. Implement Multi-Factor Authentication (MFA)
- Require MFA on all business-critical applications and remote access systems
- Protects accounts even if credentials are compromised
4. Keep Systems and Software Updated
- Apply security patches promptly
- Replace or securely retire unsupported systems
5. Back Up Critical Data
- Regular, automated backups following the NCSC’s 3-2-1 rule
- Offline (air-gapped) backups where possible
- Test backups to ensure they are functional
6. Develop an Incident Response Plan
- Know what to do if you are attacked
- Define roles, communication channels, and recovery steps
- Practice and update the plan regularly
7. Monitor and Detect
- Deploy antivirus and endpoint detection and response (EDR) solutions
- Monitor logs for suspicious activity
- Use a Managed Security Service Provider (MSSP) for around-the-clock monitoring
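As an added illustration of step 1 (example code written for this page, not code from the original article or from the NCSC), the following Python snippet checks SPF and DMARC records for the weak settings that let forged mail through. The two domains and their TXT records are constructed samples; in practice the records are fetched from DNS.

```python
# Constructed sample TXT records for two made-up domains; in practice these are
# fetched from DNS (TXT at the domain for SPF, at _dmarc.<domain> for DMARC).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example",
    },
}

def check_spf(record):
    """Return weaknesses found in an SPF record (empty list = no issues)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The trailing 'all' mechanism decides what happens to senders that
    # match nothing else; its qualifier (+, -, ~, ?) is the important part.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders are not rejected"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier in "+?":
        return [f"'{all_terms[-1]}' lets any server send as this domain"]
    if qualifier == "~":
        return ["'~all' only softfails; use '-all' so forged mail is rejected"]
    return []

def check_dmarc(record):
    """Return weaknesses found in a DMARC record (empty list = no issues)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomain policy (sp) weaker than reject")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    return findings
```

Running both checks over each domain's records gives an empty list for the hardened domain and a finding per weak setting for the other; a `p=none` DMARC policy is a common first step, but it only reports and never blocks spoofed mail.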