Small businesses lose billions to cybersecurity breaches - The Coventry Observer

Correspondent, 1st Aug, 2025

SMEs across the UK are losing an estimated £3.4 billion every year to cyberattacks, and experts say smaller, local firms are now the most frequent targets.

Far from being too small to matter, these law firms, logistics companies, tradespeople, and independent shops are seen by cybercriminals as easy wins.

Unlike large corporations such as Tesco or CityBank, smaller businesses operate with weaker cyberdefences, minimal technical support, and no clear recovery plan if systems go down.

That last point is critical because without a backup or plan, businesses breached by malware are left with little choice but to pay a ransom to get their systems back up.

The government’s Cyber Security Breaches Survey 2024 paints a bleak picture: 70 per cent of SMEs experienced a cyber breach in 2024.

Of these, the majority were down to social engineering, typically starting with a phishing email: a fake invoice, an impersonated CEO, or a message that appears to come from a supplier.

These scams work because defences are so weak. Many SMEs still share passwords between teams and neglect two-factor authentication on their accounts.

Equally concerning, only 13 per cent of SMEs provide cybersecurity training to staff, despite the fact that human error remains the number one way hackers gain access.

Realising this, specialised hacking groups are now using SMEs as a means to launch more impactful attacks on a larger scale.

Earlier this year, several small yet key food suppliers were compromised in what became a major supermarket supply chain attack.

Ordering systems were shut down, deliveries missed, and shelves left empty in stores like M&S, costing the industry hundreds of millions. A few weak links at SME level were all it took to create chaos on a national scale.

Businesses often fail to grasp that cybercriminals are no longer lone hackers in basements picking off one victim at a time.

Many operate like scalable businesses themselves, selling malware kits, ransomware-as-a-service, and stolen data to the highest bidder.

For them, launching attacks on the 5.5 million undefended SMEs in the UK is far more lucrative than targeting a single well-protected corporation.

Those who think they’re “too small to be a target” are especially likely to end up at the top of the list.

The good news is that experts say most of this is preventable. Cybersecurity doesn’t have to mean huge budgets or complex systems; a well-informed, disciplined approach that covers the basics is enough.

Simple steps like enabling two-factor authentication (2FA) on every account, backing up files to the cloud, using cybersecurity software, and keeping systems updated can block the vast majority of threats.

“The impact of simple yet disciplined cybersecurity is best explained through cyberattack scenarios,” explains a cybersecurity expert at Business Broadband Hub.

“When ransomware strikes a system overnight and encrypts all files, daily cloud backups allow any business to restore the system and get back online within hours, without paying a ransom.”

“When a phishing email tricks a staff member into entering their password on a fake interface, 2FA denies hackers access without the second verification device.”

“When clicking a dodgy link installs malware on your laptop, up-to-date antivirus software flags it immediately and locks down the device before the infection spreads.”

“When an AI-generated phone call impersonates the likes of the CEO and demands an urgent bank transfer, simply following the company’s procedure and refusing to act without written confirmation prevents any losses.”

“The bottom line is that these aren’t high-end defences, simply standard practices for any SME that wants to stay in business.”

Government initiatives like Cyber Essentials and Cyber Resilience Centres exist to help businesses get the basics right.

They offer free or low-cost guidance on how to set up firewalls, protect accounts, back up data, and train staff without needing an in-house IT department.

The National Cyber Security Centre has also published specific advice for micro-businesses, including which platforms to use, what settings to change, and how to create a cybersecurity-aware culture.

Cybersecurity professionals agree the most important thing is mindset. Businesses should treat every unexpected message, call, or login attempt as potentially malicious. “When in doubt, don’t trust, verify.”

And with phishing now more sophisticated than ever, using AI to write convincing messages or mimic voices, it’s not always obvious when something’s fake.

“Businesses need to understand that a single cyberattack can mean days of downtime, cost thousands of pounds, and incur heavy reputational damage and legal costs. For some small firms, it’s enough to close the doors for good.”

If your business handles customer data, relies on digital systems, or simply couldn’t function offline for a day, then you’re already a target. The only question is when attackers will try, and how much damage they’ll do if you’re not prepared.

Written by Christian Maskrey