Cybersecurity for SMEs: what to know as you grow

Gone are the days when SME businesses could view cybersecurity mostly as a concern for big corporations with global exposure and dedicated IT resource. Today, cybercrime is a multi-billion pound ‘industry’, with small and mid-sized businesses most often in its sights.

And the risks are very real. In the past year alone, brands including M&S, Co-op, Harrods, and even major railway stations have made headlines due to cybersecurity incidents. These high-profile cases show that no organisation, regardless of size or sector, is immune. They also serve as reminders of how disruptive and damaging an attack can be.

So, who is it that poses the threat? The answer is highly organised criminal groups, generally based overseas, running lucrative cybercrime business models, all on their own. With ransomware now a billion-pound industry, these groups buy and sell stolen data, lease out attack tools, and target companies whose stolen data indicates their capacity to pay.

According to HMRC, 70% of UK SMEs were hit by cyberattacks last year. Yet half of all UK and US businesses, mostly smaller firms, still don’t have a response plan in place.

So let’s look at why SMEs are at such risk, what today’s most common threats look like, and the practical and affordable steps you can take to protect yourself if you run a business.  

These insights emerged from a fascinating recent panel discussion which our very own Aaron Rice, CIO, hosted at Vorboss HQ, featuring leaders from cybersecurity firms Wavenet and SE LABS. If you’re running an SME and don’t yet have a clear cybersecurity plan, this is the place to start.

Not ‘if’, but when. The case for ‘resilience’

Cybersecurity used to be about trying to build an impenetrable wall around your systems, but as the threat landscape has changed, so has the mindset. Today, it’s less about preventing every attack and more about being ready to respond when something does get through.

This concept - resilience - came up repeatedly as Wavenet’s CISO, Paul Colwell, and SE LABS’ CEO, Simon Edwards, shared their views. Their message for SMEs was clear. It’s not a question of if you’ll be attacked, it’s a matter of when. How well you bounce back may be the difference between a brief disruption and a long-term crisis.

Perhaps the first question to ask in any cyber incident is “Do we have backups?”. If your systems are compromised or locked down, having secure, up-to-date backups can be the difference between getting back to work or being forced to pay a ransom to regain access. Backups don’t stop an attack, but they’ll make recovery easier.

A cyberattack doesn’t just target your systems, it puts your entire business at risk. Downtime, financial loss, and damaged customer trust are all on the table.

The good news is that becoming resilient doesn’t involve making huge investment into high-end technology. With a little planning, it’s entirely possible to build a strong line of defence, and a solid plan for recovery, without excessive cost. In fact, with fewer systems, simpler structures, and the ability to act quickly, smaller businesses often have an advantage over large enterprises when it comes to putting effective measures in place.

‍

The most common cyber threats to SMEs

As most SMEs don’t have the time or budget to keep up with every new cybercrime threat, they make attractive targets for hackers, and though cyberattacks come in all shapes and sizes, certain threats show up again and again.

So, what are the most common cyber threats facing SMEs?

Phishing and identity theft

This is where it usually starts. A staff member receives what looks like a legitimate message, usually impersonating a colleague, a supplier, or even a client. It might ask them to click a link, update some details, or approve a payment.

If they take the bait, attackers can obtain access to login credentials, email accounts, or sensitive data, all without needing to “break in”. In the words of SE LABS’ Simon Edwards, “Hackers don’t break in. They log in.”

Ransomware

Ransomware is a frighteningly effective criminal business model, whose use against SMEs has escalated dramatically. Attackers encrypt your data, lock your systems, and demand payment (usually in Bitcoin) to let you back in. In 2023 alone, ransomware was already estimated to be worth over £1bn a year.  

While paying the ransom may seem to be the quickest way out, it can open your business up to serious legal and ethical risks, especially if you have no visibility on where the money you’re paying over is going to.

Business email compromise (BEC)

BEC attacks are clever, patient and, again, highly lucrative. Hackers gain access to an internal email account and often set up automatic forwarding to an external address, allowing them to silently monitor conversations over time. They gather intel, study genuine correspondence, and then strike, perhaps by sending a fake invoice or redirecting a payment. It’s why fake emails are so convincing: these criminals aren’t guessing, they know exactly what you’re expecting and exploit timing and trust with precision.

Cyber hygiene. Arranging simple, powerful protection

Cybersecurity doesn’t have to start with technology. It starts with behaviour; simple, everyday habits that make it harder for attackers to get in.

Unlike big organisations with complex systems, SME management teams are usually free to set rules, enforce good habits, and make changes without needing to go through layers of approval.

The number one non-technical thing an SME can do to protect itself? Simon Edwards didn’t hesitate: “Easy. Cyber hygiene and the Cyber Essentials programme.”

So, what does good, basic cyber hygiene look like? A good way to think about it is via ‘The 3 Ps’, as the industry refers to them.

Passwords

Make sure everyone in your business is using strong, unique passwords, and that these aren’t shared or reused across different systems.

A strong password should:

• Be at least 12 characters long

• Use a mix of uppercase and lowercase letters, numbers, and symbols

• Avoid personal details or common words

Next, enforce multi-factor authentication (MFA) wherever possible. It’s one of the simplest and most effective ways to stop unauthorised access.

Phishing

Your team is your first line of defence. Train your people to recognise suspicious emails, double-check unusual requests, and report anything that doesn’t feel right. Most phishing attacks rely on urgency or familiarity to bypass common sense, so encouraging people to pause and consult with managers or appropriate colleagues before taking any action in response to a suspect email can make all the difference.

Patching

Every piece of software has flaws, and cybercriminals are quick to exploit these. Keep all your systems up to date. That includes operating systems, email tools, cloud platforms, routers, and printers. When a zero-day vulnerability is announced, fast patching is critical. It could be the difference between staying secure or becoming one of the first victims.

None of these steps requires major investment. All that’s needed is a clear policy, regular reminders, and a commitment to taking security seriously.

‍

Certifications that help protect and reassure

Even when you recognise the danger of cyberattacks and have measures like these in place to reduce your exposure, how can you evidence this to clients and customers, as well as your employees?

It doesn’t have to be complex - there are certification schemes built specifically for SMEs.

At a basic level, they help you cover the fundamentals. But they also send a clear signal to clients, partners, insurers, and suppliers that you’re serious about reducing risk.

The three most widely recognised certifications are:

Cyber Essentials

The entry point for most UK organisations, and a great starting place for SMEs. Cyber Essentials is a government-backed scheme that covers the basics: secure configuration, access controls, software updates, and protection against common threats. It’s a self-assessed process and, once certified, you’ll receive a badge that shows you’ve met the standard. Clients like it. Insurers like it. And it’s easier to attain than you think.

Cyber Essentials Plus

This is the next step up. It includes everything in the basic Cyber Essentials scheme but adds an independent audit and technical testing. If your business handles sensitive data, works with regulated industries, or simply wants more assurance, then this is worth considering.

ISO 27001

Recognised internationally, this is the gold standard for information security management. It’s more involved and more expensive than Cyber Essentials, but if your business is growing fast or you’re working with enterprise clients, it can be a significant asset.

Whatever level of certification you feel is appropriate for your business, try not to treat it as a one-off box-ticking exercise. It’s a chance to improve your practices, strengthen your culture, and set a clear security baseline that will protect you as you grow.

What to do if you’re attacked

No matter how well prepared you are, things can still go wrong.

The key is to stay calm and act quickly, following a pre-prepared response plan. A good response plan doesn’t just help you recover faster. It can also limit the damage, protect your customers, and stop the same thing happening again.

If you find yourself under attack, here’s what to do:

1. Find the way in

Your first priority is to understand how the attacker got access. Was it a stolen password? A phishing email? A vulnerability in your software? Until you know, you won’t be able to shut the door properly, and you risk being hit again.

“Your number one priority is to understand the route of attack, and block it,” Simon Edwards advises. “If you don’t, there’s nothing to stop them coming back.”

2. Contain the damage

Isolate affected devices or systems. Lock down compromised accounts. If you work with an IT provider, contact them immediately. The faster you act, the more you can limit the spread.

3. Check your backups

If your systems have been locked by ransomware or wiped by an attacker, check whether your backups are intact and up to date. If so, you may be able to restore your data without paying a ransom and get your business back on its feet faster. Ideally, backups should be stored offline or in a secure cloud service and tested regularly to make sure they work when you need them.

4. Don’t rush to pay

If it’s a ransomware attack, you’ll be asked to pay - usually in Bitcoin. But paying the ransom doesn’t guarantee you’ll get your data back, and it could even put you in legal trouble if the money later turns up in a sanctioned country. Always get expert advice, ideally from a law firm with a cybersecurity team, before taking any action.

5. Inform the right people

Depending on the nature of the breach, you may need to notify regulators, clients, suppliers, or insurers. Transparency is important, and delay can make things worse. If you hold personal data, you may also have a legal duty to report the incident to the Information Commissioner’s Office (ICO).

6. Learn from it

An attack is painful, but it’s also an opportunity. Once you’ve recovered, take time to understand what went wrong and how to prevent it in future. Were there warning signs? Was it something that could have been stopped? Use the experience to build better defences.

Penetration testing. Something to know as you grow

As your business grows or handles sensitive data, you’ll likely hear about penetration testing. Pen testing involves hiring ethical hackers to find weak spots in your systems before attackers can exploit them.

For many SMEs, especially early on, this might be overkill. But as your business scales, or you pursue larger clients, ‘pen testing’ can become a requirement. Insurers may also ask about it if you’re looking for more comprehensive cyber cover.

Don’t forget your suppliers

Many SMEs rely on third-party suppliers like cloud software and service providers to handle everything from email and invoicing to customer data and collaboration tools. But if one of those providers gets hacked, your business could be affected.

Don’t hold back. Ask the companies whose systems you engage with a few simple questions:

• "What security measures do you have in place?"

• "Are you certified under schemes like Cyber Essentials or ISO 27001?"

• "If something goes wrong at your end, who’s responsible, and how will we be informed?"

It doesn’t need to be a formal audit. Just showing that you’re aware of the risk and asking for basic reassurances can go a long way. And if a supplier is vague or dismissive about security, treat that as a red flag. In the end, your own cybersecurity is only as strong as the people you trust to help run your business.

Take action today

You don’t need to overhaul your entire business to make meaningful progress on cybersecurity. A few well-chosen actions will dramatically reduce your risk, and set a solid foundation for whatever may happen:

A final thought: resilience beats perfection

Cybersecurity can feel like a complex topic, especially when you’re running a growing business and perhaps no dedicated IT team. But protecting your company doesn’t mean spending a fortune on tech.  

It means being prepared. Putting sensible safeguards in place. Creating a culture of awareness. And knowing how you’ll respond if, or when, something goes wrong.  

That’s resilience, and it’s well within reach for every SME.

‍

Cybersecurity terms explained

Phishing – Tricks staff into clicking fake links or sharing login details, often via email or messaging.
Ransomware – Malware that locks your files or systems and demands payment, usually in cryptocurrency.
BEC (Business Email Compromise) – Hackers access a genuine email account to send fake but convincing payment or invoice requests.
MFA (Multi-Factor Authentication) – Adds an extra step to login beyond a password, like a code sent to a phone.
Patching – Updating software to fix security flaws and prevent attacks.
Cyber hygiene – Everyday habits and rules that make it harder for attackers to get in.
SLA (Service Level Agreement) – A guarantee from a provider about uptime, support, or speed.
ISO 27001 / Cyber Essentials – Certifications that show your business takes information security seriously.
Penetration testing (Pen testing) – Ethical hacking to find vulnerabilities before attackers do.

‍