
Highlights
This blog was created from an event we hosted in partnership with Wavenet and SE LABS at Vorboss HQ earlier this year. As your SME grows, cybersecurity becomes a critical part of doing business - especially when handling sensitive data or working with larger clients. This guide covers simple, high-impact actions like securing suppliers, training your team, and focusing on essentials like passwords and patching. The goal isn’t perfection, but building practical resilience against everyday threats.

Gone are the days when SME businesses could view cybersecurity mostly as a concern for big corporations with global exposure and dedicated IT resource. Today, cybercrime is a multi-billion pound ‘industry’, with small and mid-sized businesses most often in its sights.
And the risks are very real. In the past year alone, brands including M&S, Co-op, Harrods, and even major railway stations have made headlines due to cybersecurity incidents. These high-profile cases show that no organisation, regardless of size or sector, is immune. They also serve as reminders of how disruptive and damaging an attack can be.
So, who is it that poses the threat? The answer is highly organised criminal groups, generally based overseas, running lucrative, self-contained cybercrime business models. With ransomware now a billion-pound industry, these groups buy and sell stolen data, lease out attack tools, and target companies whose stolen data indicates their capacity to pay.
According to HMRC, 70% of UK SMEs were hit by cyberattacks last year. Yet half of all UK and US businesses, mostly smaller firms, still don’t have a response plan in place.
So let’s look at why SMEs are at such risk, what today’s most common threats look like, and the practical and affordable steps you can take to protect yourself if you run a business.
These insights emerged from a fascinating recent panel discussion which our very own Aaron Rice, CIO, hosted at Vorboss HQ, featuring leaders from cybersecurity firms Wavenet and SE LABS. If you’re running an SME and don’t yet have a clear cybersecurity plan, this is the place to start.
Not ‘if’, but when. The case for ‘resilience’
Cybersecurity used to be about trying to build an impenetrable wall around your systems, but as the threat landscape has changed, so has the mindset. Today, it’s less about preventing every attack and more about being ready to respond when something does get through.
This concept - resilience - came up repeatedly as Wavenet’s CISO, Paul Colwell, and SE LABS’ CEO, Simon Edwards, shared their views. Their message for SMEs was clear. It’s not a question of if you’ll be attacked, it’s a matter of when. How well you bounce back may be the difference between a brief disruption and a long-term crisis.
Perhaps the first question to ask in any cyber incident is “Do we have backups?” If your systems are compromised or locked down, having secure, up-to-date backups can be the difference between getting back to work and being forced to pay a ransom to regain access. Backups don’t stop an attack, but they make recovery far easier.
A cyberattack doesn’t just target your systems, it puts your entire business at risk. Downtime, financial loss, and damaged customer trust are all on the table.
The good news is that becoming resilient doesn’t involve making huge investment into high-end technology. With a little planning, it’s entirely possible to build a strong line of defence, and a solid plan for recovery, without excessive cost. In fact, with fewer systems, simpler structures, and the ability to act quickly, smaller businesses often have an advantage over large enterprises when it comes to putting effective measures in place.
The most common cyber threats to SMEs
As most SMEs don’t have the time or budget to keep up with every new cybercrime threat, they make attractive targets for hackers, and though cyberattacks come in all shapes and sizes, certain threats show up again and again.
So, what are the most common cyber threats facing SMEs?
Phishing and identity theft
This is where it usually starts. A staff member receives what looks like a legitimate message, usually impersonating a colleague, a supplier, or even a client. It might ask them to click a link, update some details, or approve a payment.
If they take the bait, attackers can obtain access to login credentials, email accounts, or sensitive data, all without needing to “break in”. In the words of SE LABS’ Simon Edwards, “Hackers don’t break in. They log in.”
Ransomware
Ransomware is a frighteningly effective criminal business model, whose use against SMEs has escalated dramatically. Attackers encrypt your data, lock your systems, and demand payment (usually in Bitcoin) to let you back in. In 2023 alone, ransomware was already estimated to be worth over £1bn a year.
While paying the ransom may seem to be the quickest way out, it can open your business up to serious legal and ethical risks, especially if you have no visibility of where the money you’re paying is going.
Business email compromise (BEC)
BEC attacks are clever, patient and, again, highly lucrative. Hackers gain access to an internal email account and often set up automatic forwarding to an external address, allowing them to silently monitor conversations over time. They gather intel, study genuine correspondence, and then strike, perhaps by sending a fake invoice or redirecting a payment. It’s why fake emails are so convincing: these criminals aren’t guessing, they know exactly what you’re expecting and exploit timing and trust with precision.
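Because BEC so often begins with a quietly added forwarding rule, one defensive check is to audit every mailbox's rules for forwarding to addresses outside the organisation, particularly rules that also delete the original or only fire on finance-related subjects. The following is an added example, not code from the original post or from Wavenet or SE LABS. The `MailRule` structure, the internal domain `example-sme.co.uk`, the finance keyword list and the sample rules are constructed assumptions standing in for whatever your mail platform's rule export actually looks like.

```python
from dataclasses import dataclass

# Constructed: the domains that count as "inside" the organisation
INTERNAL_DOMAINS = {"example-sme.co.uk"}

# Constructed keyword list typical of the conversations BEC actors watch for
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "remittance", "wire")


@dataclass
class MailRule:
    mailbox: str                    # owner of the rule
    name: str                       # rule name as shown in the mail client
    forward_to: tuple = ()          # addresses the rule forwards copies to
    delete_original: bool = False   # rule also deletes/moves the message out of sight
    subject_keywords: tuple = ()    # rule only fires on these subject words


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule):
    """Addresses the rule forwards to that are outside the organisation."""
    return [a for a in rule.forward_to if domain_of(a) not in INTERNAL_DOMAINS]


def assess_rule(rule):
    """Return a list of reasons the rule looks like BEC tradecraft (empty = benign)."""
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append(f"forwards to external address(es): {', '.join(ext)}")
        if rule.delete_original:
            reasons.append("deletes the original so the mailbox owner never sees it")
        hits = [k for k in rule.subject_keywords if k.lower() in FINANCE_KEYWORDS]
        if hits:
            reasons.append(f"filters on finance keywords: {', '.join(hits)}")
    # Near-empty names ("." or "..") are hard to spot in a long rule list
    if len(rule.name.strip()) <= 2:
        reasons.append(f"near-empty rule name {rule.name!r}")
    return reasons


def suspicious_rules(rules):
    """Return (rule, reasons) pairs for every rule that trips at least one check."""
    flagged = []
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            flagged.append((rule, reasons))
    return flagged


# Constructed sample of rules, as a mailbox audit might export them
SAMPLE_RULES = [
    MailRule("finance@example-sme.co.uk", "Copy to Sam",
             forward_to=("sam@example-sme.co.uk",)),
    MailRule("finance@example-sme.co.uk", ".",
             forward_to=("acct.backup.77@mail-example.net",),
             delete_original=True, subject_keywords=("invoice", "payment")),
    MailRule("ceo@example-sme.co.uk", "Out of office"),
    MailRule("ceo@example-sme.co.uk", "Archive",
             forward_to=("ceo-personal@mail-example.net",)),
]

if __name__ == "__main__":
    for rule, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"[{rule.mailbox}] rule {rule.name!r}:")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the internal forward to a colleague and the out-of-office rule pass, while the two external forwards are flagged, the finance one on every check. Running a check like this on a schedule, and treating any external forward as something to confirm with the mailbox owner, catches the silent-monitoring phase before the fake invoice arrives.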
Cyber hygiene. Arranging simple, powerful protection
Cybersecurity doesn’t have to start with technology. It starts with behaviour: simple, everyday habits that make it harder for attackers to get in.
Unlike big organisations with complex systems, SME management teams are usually free to set rules, enforce good habits, and make changes without needing to go through layers of approval.
The number one non-technical thing an SME can do to protect itself? Simon Edwards didn’t hesitate: “Easy. Cyber hygiene and the Cyber Essentials programme.”
So, what does good, basic cyber hygiene look like? A good way to think about it is via ‘The 3 Ps’, as the industry refers to them.
Passwords
Make sure everyone in your business is using strong, unique passwords, and that these aren’t shared or reused across different systems.
A strong password should:
• Be at least 12 characters long
• Use a mix of uppercase and lowercase letters, numbers, and symbols
• Avoid personal details or common words
Next, enforce multi-factor authentication (MFA) wherever possible. It’s one of the simplest and most effective ways to stop unauthorised access.
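To turn the three password bullets above into something you can actually enforce, here is an added example in Python; it is not code from the original post or from the panel's firms. It assumes a constructed short list of common words (a real deployment would use a large breached-password list) and a caller-supplied list of the user's personal details, and it goes slightly beyond the bullets by also covering the "not reused across systems" rule with a check against a salted PBKDF2 password history.

```python
import hashlib
import os
import string

# Constructed stand-in for a real common/breached password list
COMMON_WORDS = ("password", "welcome", "qwerty", "letmein", "admin", "summer", "monday")

MIN_LENGTH = 12  # the "at least 12 characters" rule


def password_failures(password, personal_details=()):
    """Return the list of policy rules the password breaks (empty means it passes).

    personal_details is a list of strings the user should not embed in a
    password: first name, company name, birth year, pet's name and so on.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            failures.append(f"contains common word '{word}'")
    for detail in personal_details:
        needle = str(detail).lower()
        # ignore very short details to avoid false positives on 1-2 letter fragments
        if len(needle) >= 3 and needle in lowered:
            failures.append(f"contains personal detail '{detail}'")
    return failures


# Reuse check: each system keeps a history of salted PBKDF2 digests of previous
# passwords (never the passwords themselves). The iteration count is illustrative.
PBKDF2_ITERATIONS = 100_000


def history_entry(password, salt=None):
    """Create a (salt, digest) pair to store in the user's password history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_reused(password, history):
    """True if the candidate password matches any entry in the history."""
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS) == digest
        for salt, digest in history
    )


if __name__ == "__main__":
    details = ["Jane", "Acme", "1987"]  # constructed personal details for the demo user
    for candidate in ["password123", "JaneAcme2024!", "Correct-Horse-Battery-9"]:
        problems = password_failures(candidate, details)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
    history = [history_entry("Correct-Horse-Battery-9")]
    print("reused:", is_reused("Correct-Horse-Battery-9", history))
```

The check is deliberately a list of reasons rather than a yes/no, so the user is told exactly which rule to fix. Storing only salted, stretched digests in the history means a leaked history file does not hand an attacker the old passwords.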
Phishing
Your team is your first line of defence. Train your people to recognise suspicious emails, double-check unusual requests, and report anything that doesn’t feel right. Most phishing attacks rely on urgency or familiarity to bypass common sense, so encouraging people to pause and consult with managers or appropriate colleagues before taking any action in response to a suspect email can make all the difference.

Patching
Every piece of software has flaws, and cybercriminals are quick to exploit these. Keep all your systems up to date. That includes operating systems, email tools, cloud platforms, routers, and printers. When a zero-day vulnerability is announced, fast patching is critical. It could be the difference between staying secure or becoming one of the first victims.
None of these steps requires major investment. All that’s needed is a clear policy, regular reminders, and a commitment to taking security seriously.
Certifications that help protect and reassure
Even when you recognise the danger of cyberattacks and have measures like these in place to reduce your exposure, how can you evidence this to clients and customers, as well as your employees?
It doesn’t have to be complex - there are certification schemes built specifically for SMEs.
At a basic level, they help you cover the fundamentals. But they also send a clear signal to clients, partners, insurers, and suppliers that you’re serious about reducing risk.
The three most widely recognised certifications are:
Cyber Essentials
The entry point for most UK organisations, and a great starting place for SMEs. Cyber Essentials is a government-backed scheme that covers the basics: secure configuration, access controls, software updates, and protection against common threats. It’s a self-assessed process and, once certified, you’ll receive a badge that shows you’ve met the standard. Clients like it. Insurers like it. And it’s easier to attain than you think.
Cyber Essentials Plus
This is the next step up. It includes everything in the basic Cyber Essentials scheme but adds an independent audit and technical testing. If your business handles sensitive data, works with regulated industries, or simply wants more assurance, then this is worth considering.
ISO 27001
Recognised internationally, this is the gold standard for information security management. It’s more involved and more expensive than Cyber Essentials, but if your business is growing fast or you’re working with enterprise clients, it can be a significant asset.
Whatever level of certification you feel is appropriate for your business, try not to treat it as a one-off box-ticking exercise. It’s a chance to improve your practices, strengthen your culture, and set a clear security baseline that will protect you as you grow.
What to do if you’re attacked
No matter how well prepared you are, things can still go wrong.
The key is to stay calm and act quickly, following a pre-prepared response plan. A good response plan doesn’t just help you recover faster. It can also limit the damage, protect your customers, and stop the same thing happening again.
If you find yourself under attack, here’s what to do:
1. Find the way in
Your first priority is to understand how the attacker got access. Was it a stolen password? A phishing email? A vulnerability in your software? Until you know, you won’t be able to shut the door properly, and you risk being hit again.
“Your number one priority is to understand the route of attack, and block it,” Simon Edwards advises. “If you don’t, there’s nothing to stop them coming back.”
2. Contain the damage
Isolate affected devices or systems. Lock down compromised accounts. If you work with an IT provider, contact them immediately. The faster you act, the more you can limit the spread.
3. Check your backups
If your systems have been locked by ransomware or wiped by an attacker, check whether your backups are intact and up to date. If so, you may be able to restore your data without paying a ransom and get your business back on its feet faster. Ideally, backups should be stored offline or in a secure cloud service and tested regularly to make sure they work when you need them.
4. Don’t rush to pay
If it’s a ransomware attack, you’ll be asked to pay - usually in Bitcoin. But paying the ransom doesn’t guarantee you’ll get your data back, and it could even put you in legal trouble if the money later turns up in a sanctioned country. Always get expert advice, ideally from a law firm with a cybersecurity team, before taking any action.
5. Inform the right people
Depending on the nature of the breach, you may need to notify regulators, clients, suppliers, or insurers. Transparency is important, and delay can make things worse. If you hold personal data, you may also have a legal duty to report the incident to the Information Commissioner’s Office (ICO).
6. Learn from it
An attack is painful, but it’s also an opportunity. Once you’ve recovered, take time to understand what went wrong and how to prevent it in future. Were there warning signs? Was it something that could have been stopped? Use the experience to build better defences.
Penetration testing. Something to know as you grow
As your business grows or handles sensitive data, you’ll likely hear about penetration testing. Pen testing involves hiring ethical hackers to find weak spots in your systems before attackers can exploit them.
For many SMEs, especially early on, this might be overkill. But as your business scales, or you pursue larger clients, ‘pen testing’ can become a requirement. Insurers may also ask about it if you’re looking for more comprehensive cyber cover.
Don’t forget your suppliers
Many SMEs rely on third-party suppliers like cloud software and service providers to handle everything from email and invoicing to customer data and collaboration tools. But if one of those providers gets hacked, your business could be affected.
Don’t hold back. Ask the companies whose systems you engage with a few simple questions:
• "What security measures do you have in place?"
• "Are you certified under schemes like Cyber Essentials or ISO 27001?"
• "If something goes wrong at your end, who’s responsible, and how will we be informed?"
It doesn’t need to be a formal audit. Just showing that you’re aware of the risk and asking for basic reassurances can go a long way. And if a supplier is vague or dismissive about security, treat that as a red flag. In the end, your own cybersecurity is only as strong as the people you trust to help run your business.
Take action today
You don’t need to overhaul your entire business to make meaningful progress on cybersecurity. A few well-chosen actions will dramatically reduce your risk, and set a solid foundation for whatever may happen:

A final thought: resilience beats perfection
Cybersecurity can feel like a complex topic, especially when you’re running a growing business and perhaps no dedicated IT team. But protecting your company doesn’t mean spending a fortune on tech.
It means being prepared. Putting sensible safeguards in place. Creating a culture of awareness. And knowing how you’ll respond if, or when, something goes wrong.
That’s resilience, and it’s well within reach for every SME.
Get in touch
If you'd like to discuss building resilience, or how your connectivity can strengthen your security strategy, speak to one of our experts today.
We’ll connect you directly with SE LABS or Wavenet if we believe it’s the right fit for your needs.
More articles

The problem with ‘business broadband’
Most people search for ‘business broadband’ when they’re looking for internet for their office. Fair enough, it’s the term that’s been marketed to death. But here’s the thing: business broadband isn’t the only option, and most of the time, it won't meet the needs of a modern business. If you need a connection that actually keeps up, a leased line is the answer; reliable, secure, and built for multiple users.
In this blog we explain the differences between the two connections.
Broadband vs leased line explained
- Broadband: A standard, shared internet connection typically designed for home use, but sometimes used in small offices. Speeds can vary, especially during busy times, and upload speeds are often much lower than downloads – which can limit performance for modern business applications.
- Leased line: A private, dedicated connection between your premises and your provider. Symmetrical speeds, guaranteed performance, and no sharing with neighbours - specifically designed to meet the demands of modern business connectivity.
Business broadband: a closer look
Most of the time, business broadband is the same product that an ISP (Internet Service Provider) sells to their residential customers, but more expensive and probably bundled with a low-level cyber security product.
It has a dedicated web page, with stock photos of people doing business. And it comes with some comforting words to tell you that they know how hard business is. Excruciating.
Your traffic isn’t prioritised. Your connection isn’t dedicated. And if you have an ‘account manager’, they’re probably responsible for literally thousands of customers like you.
If you pay more, you might get a commitment to investigate faults within a given time – usually within a day.
When you’re looking for business broadband, bear these things in mind. Look at the details to see if you’re simply being sold a standard home broadband package disguised as a business solution.
What does great internet connectivity for business look like?
It’s very easy to call something business broadband. But it’s a very different thing to provide internet connectivity that’s genuinely fast and reliable enough for London business in 2025.
One of the fundamental features of an internet product for business is a dedicated connection.
‘Broadband’ or ‘FTTP’ (that’s Fibre to the Premises) means that the service you’re paying for is shared between you and typically 30 of your neighbours – whether they’re houses or other businesses.
So when you have a broadband or FTTP connection, don’t expect to get the Gbps speeds you’ve paid for at busy times (which is most of the working day). It’s cheap, and it connects. But it’s not a product that you can rely on to keep your business running.
At the busiest times, you'll have to hope that it’ll give you what you need. That might mean putting up with a poor-quality video call, a painful wait downloading a PowerPoint, or an eternity for every employee to log in to Teams at 9am.
Internet connectivity that you and your business can rely on is going to be dedicated to you, and that means taking a leased line (also known as DIA, or direct internet access).
What are the benefits of a leased line?
A dedicated connection means guaranteed bandwidth
With a leased line, you get every bit you pay for, unlike a shared ‘broadband’ connection, where you can pay for 1Gbps but it’s highly unlikely you’ll ever see that speed.
A connection you can rely on
Always the speed you’ve paid for and infrastructure that’s backed up by an SLA (Service Level Agreement) – and automatic compensation if you choose a really good ISP. And the ability to order a back-up line, to increase the resilience of your service.
Lower latency
The more direct architecture and quicker route to a data centre (where your connection hits the internet) means a leased line will almost always offer lower latency than a broadband connection.
Upload that matches download
Most broadband, FTTP and cable services advertise the download speed but keep quiet on upload – that’s because upload is significantly slower in these services, often as little as a tenth of the speed. Leased lines have ‘symmetrical’ download and upload.
Enhanced security
Security can never be taken for granted, so check on the Infosec and compliance qualifications of your provider – typically, those selling residential-grade services won’t invest in this area, but serious business providers recognise the huge benefit to their customers.
How the two really compare
Leased line:
• Dedicated to one customer – a dedicated, private cable between your office and your provider's data centre
• Symmetrical – you get the same upload speed as download speed
• Highly reliable
Broadband:
• Circuit shared by up to 32 users
• Usually asymmetrical – upload typically much slower than download
• Prone to performance issues, particularly during the working day
Feature comparison at a glance
The difference that matters: reliability
That’s the key difference between the experience of these two technologies: how much you can rely on your connection, and how that impacts your business. We see it in every customer interaction as they move from broadband to direct internet – the shackles are off.
While business broadband infrastructure is shared with the businesses and houses around you, leased line (or direct internet) infrastructure is dedicated to you – it isn’t shared with anyone.
It’s your connection, and every bit of the bandwidth you’re paying for is yours. It’s guaranteed. Always giving you the internet speed and capacity you need, no matter how busy things get.
The whole Manchester office coming down for a team day? No problem. Sending a broadcast-quality video file to a client on a deadline? Easy. Worrying about signing up to a new cloud-based software for project management? Don’t. Putting the CEO on a video call that has to be perfect? Do it.
A 10Gbps leased line ensures you always have the speed you need. It’s a service you and your business can rely on.
Breach breakdown
In April 2025, Marks & Spencer (M&S) was hit by a serious cyberattack, and not by amateurs. The group behind it, known as Scattered Spider (also known as UNC3944 or Octo Tempest), has a track record. They’ve already taken on major U.S. giants like Caesars Entertainment and MGM Resorts.
Our 40Fi DFND team has done a deep dive into what happened and, more importantly, how businesses like yours can stay protected.
How they got in
Scattered Spider used smart, targeted phishing emails and impersonated IT staff to trick people into handing over their credentials. They even used a tactic called "MFA fatigue", which consisted of spamming employees with repeated login requests until one was mistakenly approved.
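From the defender's side, the signal an MFA-fatigue attempt leaves behind is a burst of push prompts to one user in a short time, often ending in an approval. The following is an added example, not code from the original post or from the 40Fi DFND team. The log line format and the sample log are constructed, and the 10-minute window and threshold of five prompts are illustrative assumptions to tune against your own identity provider's data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format; real identity providers each have their own schema
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\w+)$"
)


def parse_mfa_line(line):
    """Return a dict for an mfa_push line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("event") != "mfa_push":
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "user": m.group("user"),
        "result": m.group("result"),
    }


def detect_mfa_fatigue(lines, window_minutes=10, threshold=5):
    """Flag users who received >= threshold push prompts inside a sliding window.

    Returns one alert per user with the peak prompt count seen in the window
    and whether any prompt was approved while the burst was under way (the
    "someone finally tapped Accept" case that matters most).
    """
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_mfa_line(line)
        if ev:
            per_user[ev["user"]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # prompts inside the current window
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "prompts": 0,
                    "first": recent[0]["ts"], "last": ev["ts"],
                    "approved_during_burst": False,
                })
                alert["prompts"] = max(alert["prompts"], len(recent))
                alert["last"] = ev["ts"]
                if ev["result"] == "approved":
                    alert["approved_during_burst"] = True
    return list(alerts.values())


# Constructed sample: alice is bombarded and eventually approves; bob is normal.
SAMPLE_LOG = """
2025-04-10T09:00:05Z user=alice event=mfa_push result=denied
2025-04-10T09:00:07Z user=bob event=login result=success
2025-04-10T09:01:10Z user=alice event=mfa_push result=denied
2025-04-10T09:02:30Z user=alice event=mfa_push result=denied
2025-04-10T09:03:45Z user=alice event=mfa_push result=denied
2025-04-10T09:05:00Z user=alice event=mfa_push result=denied
2025-04-10T09:06:20Z user=alice event=mfa_push result=approved
2025-04-10T09:06:25Z user=bob event=mfa_push result=approved
2025-04-10T13:00:00Z user=bob event=mfa_push result=approved
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{alert['user']}: {alert['prompts']} prompts between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}; "
              f"approved during burst: {alert['approved_during_burst']}")
```

An alert with `approved_during_burst` set is the one to treat as a probable compromise: revoke the session and reset the credential before investigating. Number-matching or phishing-resistant MFA removes the "accept by mistake" path altogether, but this kind of detection still catches the credential theft that precedes the prompts.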
Threat intelligence researcher Lontz reported on suspected Scattered Spider infrastructure (see figure 2), involving fake domains designed to mimic legitimate login pages of well-known websites. A spoofed company login page could have been created to harvest M&S employee login details.
What happened after they got in
Initial access to M&S systems is believed to have been as early as February. Once in, the attackers used stolen administrative credentials to deploy legitimate remote administration tools (RATs). This gave them ongoing control over key systems (including employee devices), helping them stay hidden while moving through the network.
Here's what they did:
- Installed remote desktop access tools like AnyDesk and TeamViewer - the same kind real IT teams would use
- Moved through M&S’s different internal systems to grab as much data as possible
- Targeted critical assets like password databases and user credentials
Finally, they created secret access points, hidden accounts, and scheduled tasks to make sure they could stay inside the company's network without getting noticed.
The attack
On April 24, Scattered Spider launched the DragonForce ransomware attack on M&S’ VMware ESXi servers, encrypting virtual machines that powered key systems for e-commerce, payment processing, and logistics (see figure 3).
As a result, M&S had no choice but to shut down key systems entirely (including online orders and contactless payments), and call in top cybersecurity experts from CrowdStrike, Microsoft, and Fenix24 to contain the damage and start the recovery process (see figure 4).
What this means for you
While M&S is a major player, the tactics used in this breach aren’t just for corporations, they work just as well against small businesses. Groups like Scattered Spider rely on common tools and stolen identities to gain trust and slip past normal security. The key lesson? Always verify the people and systems you rely on, whether they’re inside your team or external partners.
What you can do to improve cybersecurity for your business
5 quick wins to protect your business
- Train your team – teach employees to spot dodgy emails, spoofed links, and sketchy login pages.
- Use strong passwords – create long, complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters. Never reuse passwords across different accounts.
- Enable multi-factor authentication (MFA) – this adds an extra layer of security beyond just a password.
- Stay vigilant – do not open email attachments or click on links unless you are certain of their legitimacy. If you have any doubts, report the email to your security team immediately.
- Report suspicious activity fast – if you receive unexpected MFA prompts, suspicious login alerts, or calls requesting your credentials, report them to your security team as soon as possible.