Why SMEs are in the sights of cyber criminals (and what you can do)
M&S, Jaguar Land Rover, Co-op and other big names have hit the headlines recently, for all the wrong reasons. Think your business is too small to interest cyber criminals? Think again. The latest data reveals a sobering truth that doesn't make the headlines but that every SME owner needs to understand.
A cautionary tale
A business I know well, with around 200 staff, recently lost £85,000 in an afternoon. A highly credible email from a scammer posing as a key supplier requested an urgent payment. Despite reservations, a director approved the payment, and by the time the ruse was discovered it was too late. This is just one example of the types of cyber attack SMEs face, in this case a targeted phishing email, known in the trade as "spear phishing".
2025 research by Vodafone found that 35% of UK SMEs were targeted in 2024 alone, collectively losing £3.4 billion to cyber attacks.
SMEs are targeted because they present valuable assets and weaker defences. Of the SMEs targeted in 2024, 28% faced between one and five incidents, while 6% reported up to 10 attacks in a single year. It's not a matter of "if" but "when" your business will face a cyber threat. Yet research shows 55% of small business owners believe cybersecurity is too expensive, creating a dangerous blind spot.
What are the unique challenges for SMEs?
- Resource constraints: Limited budgets and resources make it hard to maintain robust security. Yet the average cost for SMEs to remedy a cyber attack is £21,000, and reputational damage can cost far more.
- Divided attention: Business owners juggle multiple priorities, often pushing cyber security down the list.
- Knowledge gaps: Only 22% of UK businesses have a formal cyber security incident management plan. This lack of preparedness makes recovery slower and more costly.
- Misplaced trust in technology: Many assume modern technology and cloud services automatically make them secure, which is not always the case.
What to do, and where to start?
If you're not sure where to start, here are my top tips for reducing risk.
- Staff awareness training: One in every 323 emails sent to small businesses is malicious. Regular, practical training helps staff recognise phishing emails and suspicious links.
- Limit access: Restrict admin-level access to critical accounts to reduce the potential damage from a compromised account. Implement the principle of "least privilege" and review access regularly.
- Know your critical assets and assess risks: Create an inventory of your most important data and systems and assess the risks to them. Focus security efforts on protecting high-value assets.
- Multi-factor authentication (MFA): Enable it on all business-critical systems. Modern MFA using apps like Microsoft Authenticator is user-friendly and effective.
- Anti-malware and security patching: Keep systems updated and run reputable anti-malware software.
- Immutable backups: Ensure backups can't be encrypted or deleted by ransomware.
- Third-party risk management: Review the security practices of suppliers and partners.
The bottom line
SMEs are frequent victims of cyber attacks because business owners focus on running their business rather than defending it. With the right approach, you can significantly reduce your risk without breaking the bank.
Ready to assess your business's cyber security risks?
Our CyberSolver Risk Assessment provides a comprehensive review of your vulnerabilities and risks with practical, prioritised recommendations. Contact us for a free consultation.
