
Highlights
This post is drawn from an event we hosted in partnership with Wavenet and SE LABS at Vorboss HQ earlier this year. As your SME grows, cybersecurity becomes a critical part of doing business, especially when you handle sensitive data or work with larger clients. This guide covers simple, high-impact actions such as securing suppliers, training your team, and focusing on essentials like passwords and patching. The goal isn’t perfection, but building practical resilience against everyday threats.

Gone are the days when SME businesses could view cybersecurity mostly as a concern for big corporations with global exposure and dedicated IT resource. Today, cybercrime is a multi-billion pound ‘industry’, with small and mid-sized businesses most often in its sights.
And the risks are very real. In the past year alone, brands including M&S, Co-op, Harrods, and even major railway stations have made headlines due to cybersecurity incidents. These high-profile cases show that no organisation, regardless of size or sector, is immune. They also serve as reminders of how disruptive and damaging an attack can be.
So, who poses the threat? Mostly highly organised criminal groups, generally based overseas, that run cybercrime as a business. With ransomware alone now worth over a billion pounds a year, these groups buy and sell stolen data, lease attack tools and infrastructure to affiliates (the ‘ransomware-as-a-service’ model), and target companies whose stolen data suggests they have the capacity to pay.
According to HMRC, 70% of UK SMEs were hit by cyberattacks last year. Yet half of all UK and US businesses, mostly smaller firms, still don’t have a response plan in place.
So let’s look at why SMEs are at such risk, what today’s most common threats look like, and the practical and affordable steps you can take to protect yourself if you run a business.
These insights emerged from a fascinating recent panel discussion which our very own Aaron Rice, CIO, hosted at Vorboss HQ, featuring leaders from cybersecurity firms Wavenet and SE LABS. If you’re running an SME and don’t yet have a clear cybersecurity plan, this is the place to start.
Not ‘if’, but when. The case for ‘resilience’
Cybersecurity used to be about trying to build an impenetrable wall around your systems, but as the threat landscape has changed, so has the mindset. Today, it’s less about preventing every attack and more about being ready to respond when something does get through.
This concept - resilience - came up repeatedly as Wavenet’s CISO, Paul Colwell, and SE LABS’ CEO, Simon Edwards, shared their views. Their message for SMEs was clear. It’s not a question of if you’ll be attacked, it’s a matter of when. How well you bounce back may be the difference between a brief disruption and a long-term crisis.
Perhaps the first question to ask in any cyber incident is “Do we have backups?”. If your systems are compromised or locked down, having up-to-date backups that the attacker could not reach (kept offline, or in a separate account with storage that cannot be overwritten) can be the difference between getting back to work and being forced to pay a ransom to regain access. Ransomware crews routinely look for backups and encrypt or delete them before they lock the live systems, so a backup reachable from the same network and credentials as your live data is not a safety net. Backups don’t stop an attack, but tested, isolated backups make recovery far easier.
A cyberattack doesn’t just target your systems, it puts your entire business at risk. Downtime, financial loss, and damaged customer trust are all on the table.
The good news is that becoming resilient doesn’t require huge investment in high-end technology. With a little planning, it’s entirely possible to build a strong line of defence, and a solid plan for recovery, without excessive cost. In fact, with fewer systems, simpler structures, and the ability to act quickly, smaller businesses often have an advantage over large enterprises when it comes to putting effective measures in place.
The most common cyber threats to SMEs
As most SMEs don’t have the time or budget to keep up with every new cybercrime threat, they make attractive targets for hackers, and though cyberattacks come in all shapes and sizes, certain threats show up again and again.
So, what are the most common cyber threats facing SMEs?
Phishing and identity theft
This is where it usually starts. A staff member receives what looks like a legitimate message, usually impersonating a colleague, a supplier, or even a client. It might ask them to click a link, update some details, or approve a payment.
If they take the bait, attackers can obtain access to login credentials, email accounts, or sensitive data, all without needing to “break in”. In the words of SE LABS’ Simon Edwards, “Hackers don’t break in. They log in.”
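The signals described above (a message that impersonates someone you know, asks you to act on a payment, and leans on urgency) can be checked mechanically before a human ever reads the email. The script below is an added example written for this post, not code from the event or from Wavenet or SE LABS. It uses only the Python standard library; the trusted-domain list, the keyword lists and the two sample messages are constructed for illustration and would be replaced with your own domains and suppliers.

```python
"""Flag common phishing and impersonation signals in a raw email.

Added example for this post. The trusted-domain list, keyword lists and
sample messages are constructed; adapt them to your own domains.
"""
import difflib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed: your own domain plus suppliers you correspond with regularly.
TRUSTED_DOMAINS = {"acme-widgets.example", "bigsupplier.example"}
URGENCY_WORDS = ("urgent", "immediately", "right away", "final notice")
PAYMENT_WORDS = ("bank details", "new account", "sort code", "iban", "wire transfer")


def _domain(addr):
    """Lower-cased domain part of an RFC 5322 address string, or '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _lookalike(domain):
    """Return the trusted domain this one closely resembles (but is not), else None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            return trusted
    return None


def triage(raw):
    """Parse one raw message (bytes) and return the impersonation signals found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg.get("From", "")
    display_name, from_addr = parseaddr(from_hdr)
    from_dom = _domain(from_hdr)
    reply_dom = _domain(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    signals = []
    # Replies silently routed to a different mailbox than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        signals.append("Reply-To domain %s differs from sender domain %s" % (reply_dom, from_dom))
    if from_dom not in TRUSTED_DOMAINS:
        hit = _lookalike(from_dom)
        if hit:
            signals.append("sender domain %s looks like trusted %s" % (from_dom, hit))
        # Display-name spoofing: the name says "us", the address says otherwise.
        if any(t in display_name.lower() for t in TRUSTED_DOMAINS):
            signals.append("display name mentions a trusted domain but the address is external")
    if any(w in text for w in URGENCY_WORDS):
        signals.append("urgency language in subject or body")
    if any(w in text for w in PAYMENT_WORDS):
        signals.append("asks to change or confirm payment details")
    return {"from": from_addr, "signals": signals, "suspicious": len(signals) >= 2}


# Constructed sample: an invoice-fraud attempt from a lookalike domain.
SAMPLE_BEC = b"""\
From: "Dana (acme-widgets.example)" <dana.finance@acme-widget.example>
Reply-To: dana.finance@mail-relay.example
To: accounts@acme-widgets.example
Subject: URGENT: updated bank details for invoice 4471
Content-Type: text/plain; charset=utf-8

Hi, we have moved banks. Please pay invoice 4471 to the new account below today.
"""

# Constructed sample: a routine message from a known supplier.
SAMPLE_OK = b"""\
From: Sam <sam@bigsupplier.example>
To: accounts@acme-widgets.example
Subject: Invoice 4471 attached
Content-Type: text/plain; charset=utf-8

Hi, March invoice attached as usual. Thanks, Sam
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_OK):
        result = triage(sample)
        print(result["from"], "suspicious" if result["suspicious"] else "ok")
        for s in result["signals"]:
            print("  -", s)
```

None of these checks is proof on its own (a genuine supplier can legitimately use a different Reply-To), which is why the verdict needs two or more signals, and why the right response to a hit is a phone call on a known number rather than an automatic block.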
Ransomware
Ransomware is a frighteningly effective criminal business model, and its use against SMEs has escalated dramatically. Attackers encrypt your data, lock your systems, and demand payment (usually in Bitcoin or another cryptocurrency) to let you back in. In 2023 alone, ransomware was already estimated to be worth over £1bn a year. Most groups now also steal a copy of your data before encrypting it and threaten to publish it (so-called double extortion), so good backups get your operations back but don’t remove every lever the attacker has.
While paying the ransom may seem the quickest way out, it exposes your business to serious legal and ethical risks, not least because you have no way of knowing who ultimately receives the money.
Business email compromise (BEC)
BEC attacks are clever, patient and, again, highly lucrative. Hackers gain access to an internal email account and often set up automatic forwarding to an external address, allowing them to silently monitor conversations over time. They gather intel, study genuine correspondence, and then strike, perhaps by sending a fake invoice or redirecting a payment. It’s why fake emails are so convincing: these criminals aren’t guessing, they know exactly what you’re expecting and exploit timing and trust with precision. A quick check any SME can make is to review every mailbox for forwarding rules, or rules that delete or hide messages, that the user didn’t create; these are the most common footprint of a compromised account.
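The forwarding and hiding rules described above can be found with a simple audit of exported mailbox rules. The script below is an added example for this post, not code from the event or the companies named. It assumes you have exported each mailbox’s rules and forwarding setting into the JSON shape shown in RULES_EXPORT (a hypothetical schema; the real export comes from your mail platform’s admin tooling), and all the data in it is constructed.

```python
"""Audit exported mailbox rules for the classic footprints of a compromised account.

Added example for this post. RULES_EXPORT is a constructed sample in a
hypothetical schema; substitute your mail platform's real export.
"""
import json

OUR_DOMAIN = "acme-widgets.example"  # assumed: your own email domain

# Words that typically appear in the messages an attacker wants to intercept or hide.
SENSITIVE_WORDS = ("invoice", "payment", "bank", "password", "verification", "remittance")

# Constructed export: four mailboxes, each with a mailbox-level forward and a list of rules.
RULES_EXPORT = json.dumps([
    {"mailbox": "alice@acme-widgets.example", "forwarding_address": None, "rules": [
        {"name": "Newsletters", "conditions": {"from_contains": "news@"}, "move_to": "Newsletters"},
    ]},
    {"mailbox": "bob@acme-widgets.example", "forwarding_address": None, "rules": [
        {"name": ".", "conditions": {}, "forward_to": ["b0b.backup@webmail.example"], "mark_read": True},
    ]},
    {"mailbox": "carol@acme-widgets.example", "forwarding_address": None, "rules": [
        {"name": "Filter", "conditions": {"subject_contains": "invoice"}, "delete": True},
        {"name": "Cover", "conditions": {"from_contains": "@bigsupplier.example"},
         "forward_to": ["manager@acme-widgets.example"]},
    ]},
    {"mailbox": "dave@acme-widgets.example", "forwarding_address": "dave.work@outlook.example", "rules": []},
])


def is_external(address):
    """True unless the address belongs to our own domain."""
    return not address.lower().endswith("@" + OUR_DOMAIN)


def audit_rules(export_json):
    """Return a list of findings as (mailbox, rule name, [reasons]) tuples."""
    findings = []
    for box in json.loads(export_json):
        # Mailbox-level forwarding to an outside address is the crudest exfil channel.
        fwd = box.get("forwarding_address")
        if fwd and is_external(fwd):
            findings.append((box["mailbox"], "<mailbox-level forwarding>",
                             ["all mail forwarded to external address %s" % fwd]))
        for rule in box.get("rules", []):
            reasons = []
            external = [a for a in rule.get("forward_to", []) if is_external(a)]
            if external:
                reasons.append("forwards to external address(es): %s" % ", ".join(external))
            cond_text = " ".join(str(v) for v in rule.get("conditions", {}).values()).lower()
            # Deleting invoice/payment/password mail hides the real correspondent's replies.
            if rule.get("delete") and any(w in cond_text for w in SENSITIVE_WORDS):
                reasons.append("deletes messages matching %r (hides replies from the real user)" % cond_text)
            if rule.get("mark_read") and rule.get("forward_to"):
                reasons.append("forwards and marks as read so the user never notices")
            # Attackers commonly name rules with a single dot or nothing at all.
            if not rule.get("name", "").strip(" .,"):
                reasons.append("blank or punctuation-only rule name, a common attacker habit")
            if reasons:
                findings.append((box["mailbox"], rule.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(RULES_EXPORT):
        print("%s rule %r:" % (mailbox, name))
        for r in reasons:
            print("  -", r)
```

Run this on a schedule rather than once: the rules are usually created days or weeks before the fraudulent invoice goes out, which is the window in which you can still catch it. Forwarding to an internal colleague (Carol’s “Cover” rule) is deliberately not flagged, because internal delegation is normal and flagging it would bury the real findings.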
Cyber hygiene. Arranging simple, powerful protection
Cybersecurity doesn’t have to start with technology. It starts with behaviour: simple, everyday habits that make it harder for attackers to get in.
Unlike big organisations with complex systems, SME management teams are usually free to set rules, enforce good habits, and make changes without needing to go through layers of approval.
The number one non-technical thing an SME can do to protect itself? Simon Edwards didn’t hesitate: “Easy. Cyber hygiene and the Cyber Essentials programme.”
So, what does good, basic cyber hygiene look like? A good way to think about it is via ‘The 3 Ps’, as the industry refers to them.
Passwords
Make sure everyone in your business is using strong, unique passwords, and that these aren’t shared or reused across different systems.
A strong password should:
• Be at least 12 characters long; longer is better, and three random words is an easy way to get there
• Mix character types if the system requires it, but remember that length matters more than symbols
• Avoid personal details, dictionary words, and anything found in lists of common or previously breached passwords
Forced complexity rules push people toward predictable patterns such as “Password1!”, which is why NCSC guidance favours length and a deny-list of common passwords over complexity requirements. Give staff a password manager so unique passwords are practical rather than a chore.
Next, enforce multi-factor authentication (MFA) wherever possible. It’s one of the simplest and most effective ways to stop unauthorised access. Where you have the choice, prefer an authenticator app or hardware key over SMS codes, and cover email, remote access, and administrator accounts first.
Phishing
Your team is your first line of defence. Train your people to recognise suspicious emails, double-check unusual requests, and report anything that doesn’t feel right. Most phishing attacks rely on urgency or familiarity to bypass common sense, so encouraging people to pause and consult with managers or appropriate colleagues before acting on a suspect email can make all the difference. For any request to change bank details or make an unexpected payment, confirm by phone using a number you already hold, never one taken from the email itself.

Patching
Every piece of software has flaws, and cybercriminals are quick to exploit them. Keep all your systems up to date, and turn on automatic updates wherever the product supports it. That includes operating systems, email tools, cloud platforms, routers, firewalls, and printers. When a vendor announces a vulnerability that is already being exploited, fast patching is critical: it can be the difference between staying secure and becoming one of the first victims. As a yardstick, Cyber Essentials expects updates for critical and high-risk vulnerabilities to be applied within 14 days of release.
None of these steps requires major investment. All that’s needed is a clear policy, regular reminders, and a commitment to taking security seriously.
Certifications that help protect and reassure
Even when you recognise the danger of cyberattacks and have measures like these in place to reduce your exposure, how can you evidence this to clients and customers, as well as your employees?
It doesn’t have to be complex - there are certification schemes built specifically for SMEs.
At a basic level, they help you cover the fundamentals. But they also send a clear signal to clients, partners, insurers, and suppliers that you’re serious about reducing risk.
The three most widely recognised certifications are:
Cyber Essentials
The entry point for most UK organisations, and a great starting place for SMEs. Cyber Essentials is a government-backed scheme that covers five basic controls: firewalls, secure configuration, user access control, malware protection, and security update management. It’s a self-assessed questionnaire that is checked by a certification body and, once certified, you’ll receive a badge that shows you’ve met the standard. Clients like it. Insurers like it. And it’s easier to attain than you think.
Cyber Essentials Plus
This is the next step up. It includes everything in the basic Cyber Essentials scheme but adds an independent audit and technical testing. If your business handles sensitive data, works with regulated industries, or simply wants more assurance, then this is worth considering.
ISO 27001
Recognised internationally, this is the gold standard for information security management. It’s more involved and more expensive than Cyber Essentials, but if your business is growing fast or you’re working with enterprise clients, it can be a significant asset.
Whatever level of certification you feel is appropriate for your business, try not to treat it as a one-off box-ticking exercise. It’s a chance to improve your practices, strengthen your culture, and set a clear security baseline that will protect you as you grow.
What to do if you’re attacked
No matter how well prepared you are, things can still go wrong.
The key is to stay calm and act quickly, following a pre-prepared response plan. A good response plan doesn’t just help you recover faster. It can also limit the damage, protect your customers, and stop the same thing happening again.
If you find yourself under attack, here’s what to do:
1. Find the way in
Your first priority is to understand how the attacker got access. Was it a stolen password? A phishing email? A vulnerability in your software? Until you know, you won’t be able to shut the door properly, and you risk being hit again.
“Your number one priority is to understand the route of attack, and block it,” Simon Edwards advises. “If you don’t, there’s nothing to stop them coming back.”
2. Contain the damage
Isolate affected devices or systems by disconnecting them from the network rather than wiping or rebuilding them straight away, so that logs and evidence are preserved for whoever investigates. Lock down compromised accounts: reset passwords, revoke active sessions, and remove any mailbox rules you didn’t create. If you work with an IT provider, contact them immediately. The faster you act, the more you can limit the spread.
3. Check your backups
If your systems have been locked by ransomware or wiped by an attacker, check whether your backups are intact and up to date. If so, you may be able to restore your data without paying a ransom and get your business back on its feet faster. Ideally, backups should be stored offline or in a secure cloud service and tested regularly to make sure they work when you need them.
4. Don’t rush to pay
If it’s a ransomware attack, you’ll be asked to pay, usually in cryptocurrency. But paying doesn’t guarantee you’ll get your data back, and it could put you in legal trouble: if the group behind the attack is a sanctioned person or organisation, which you usually cannot determine, the payment itself may be an offence. Always get expert advice, ideally from a law firm with a cybersecurity team, before taking any action.
5. Inform the right people
Depending on the nature of the breach, you may need to notify regulators, clients, suppliers, or insurers. Transparency is important, and delay can make things worse. If you hold personal data, you may also have a legal duty under UK GDPR to report the incident to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. Check your cyber insurance policy too: most require you to notify the insurer promptly for the cover to apply.
6. Learn from it
An attack is painful, but it’s also an opportunity. Once you’ve recovered, take time to understand what went wrong and how to prevent it in future. Were there warning signs? Was it something that could have been stopped? Use the experience to build better defences.
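Step 3 above says backups should be tested regularly so they work when you need them. The script below is an added example for this post, not code from the event or the companies named, showing what a minimal test looks like: back up a folder with a manifest of file hashes, restore it somewhere else, and check every file against the manifest. It uses only the Python standard library, and the files it backs up are constructed in a temporary directory.

```python
"""Back up a directory with a hash manifest, then prove the backup restores intact.

Added example for this post. The sample files are constructed in a
temporary directory; point make_backup at a real folder to use it.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Streaming SHA-256 of a file, so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, out_dir):
    """Archive every file under src; write a manifest of relative path -> SHA-256.

    Keep the manifest somewhere the archive's location can't be written to:
    an attacker who can alter both archive and manifest can make a tampered
    backup verify clean.
    """
    src, out_dir = Path(src), Path(out_dir)
    archive = out_dir / "backup.tar.gz"
    manifest = out_dir / "backup.manifest.json"
    digests = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            digests[rel] = sha256_file(f)
            tar.add(str(f), arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return archive, manifest


def restore(archive, dest):
    """Extract the archive, refusing members that would escape dest (path traversal)."""
    dest = Path(dest)
    with tarfile.open(str(archive)) as tar:
        members = []
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                raise ValueError("refusing unsafe archive member: %s" % m.name)
            members.append(m)
        # Use the hardened extraction filter where this Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(dest), members=members, **kwargs)
    return dest


def verify_restore(manifest, restored_dir):
    """Compare every file listed in the manifest against what was actually restored."""
    expected = json.loads(Path(manifest).read_text())
    missing, corrupted = [], []
    for rel, digest in sorted(expected.items()):
        p = Path(restored_dir) / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted, "verified": len(expected),
            "missing": missing, "corrupted": corrupted}


def demo():
    """Constructed end-to-end run: a clean restore verifies, a tampered file is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        samples = {"customers.csv": "id,name\n1,Acme\n",
                   "invoices/2024-03.csv": "inv,amount\n4471,1200\n",
                   "config/settings.ini": "[mail]\nhost=mail.example\n"}
        for rel, content in samples.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_text(content)
        archive, manifest = make_backup(live, tmp)
        restored = restore(archive, tmp / "restored")
        clean = verify_restore(manifest, restored)
        # Simulate corruption (or a restore the attacker got to first) and re-check.
        (restored / "invoices" / "2024-03.csv").write_text("inv,amount\n4471,9999\n")
        tampered = verify_restore(manifest, restored)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

The restore step is the part most SMEs skip. A verified restore into a scratch location, run monthly against the copy that lives offline or in the separate account, is what turns “we have backups” into “we can recover”.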
Penetration testing. Something to know as you grow
As your business grows or handles sensitive data, you’ll likely hear about penetration testing. Pen testing involves hiring ethical hackers to find weak spots in your systems before attackers can exploit them.
For many SMEs, especially early on, this might be overkill. But as your business scales, or you pursue larger clients, ‘pen testing’ can become a requirement. Insurers may also ask about it if you’re looking for more comprehensive cyber cover.
Don’t forget your suppliers
Many SMEs rely on third-party suppliers like cloud software and service providers to handle everything from email and invoicing to customer data and collaboration tools. But if one of those providers gets hacked, your business could be affected.
Don’t hold back. Ask the companies whose systems you engage with a few simple questions:
• "What security measures do you have in place?"
• "Are you certified under schemes like Cyber Essentials or ISO 27001?"
• "If something goes wrong at your end, who’s responsible, and how will we be informed?"
It doesn’t need to be a formal audit. Just showing that you’re aware of the risk and asking for basic reassurances can go a long way. And if a supplier is vague or dismissive about security, treat that as a red flag. In the end, your own cybersecurity is only as strong as the people you trust to help run your business.
Take action today
You don’t need to overhaul your entire business to make meaningful progress on cybersecurity. A few well-chosen actions will dramatically reduce your risk, and set a solid foundation for whatever may happen:

A final thought: resilience beats perfection
Cybersecurity can feel like a complex topic, especially when you’re running a growing business with perhaps no dedicated IT team. But protecting your company doesn’t mean spending a fortune on tech.
It means being prepared. Putting sensible safeguards in place. Creating a culture of awareness. And knowing how you’ll respond if, or when, something goes wrong.
That’s resilience, and it’s well within reach for every SME.
Cybersecurity terms explained
Phishing – Tricks staff into clicking fake links or sharing login details, often via email or messaging.
Ransomware – Malware that locks your files or systems and demands payment, usually in cryptocurrency.
BEC (Business Email Compromise) – Hackers access a genuine email account to send fake but convincing payment or invoice requests.
MFA (Multi-Factor Authentication) – Adds an extra step to login beyond a password, like a code sent to a phone.
Patching – Updating software to fix security flaws and prevent attacks.
Cyber hygiene – Everyday habits and rules that make it harder for attackers to get in.
SLA (Service Level Agreement) – A guarantee from a provider about uptime, support, or speed.
ISO 27001 / Cyber Essentials – Certifications that show your business takes information security seriously.
Penetration testing (Pen testing) – Ethical hacking to find vulnerabilities before attackers do.
More articles

At this year’s PropTech Connect conference in London, one message stood out. Landlords and property managers want technology that is practical and helps them stay competitive in a changing market.

Here are three trends we found most interesting:
1. Flexible, modular solutions beat one-size-fits-all platforms
Tenants today expect more from their offices, move-in ready spaces, the freedom to choose their providers, and contracts that fit their lease terms. That means landlords can’t rely on rigid, all-in-one platforms that don’t adapt as requirements evolve.
This is why landlords and operators are looking for specialist partners who provide modular solutions that integrate smoothly with other building systems. This gives landlords the flexibility to upgrade or switch partners without overhauling everything, and ensures tenants get the experience they expect.
2. Landlords need building tech designed around real users
A recurring frustration across the sector is that technology is often designed by consultants and delivered by contractors, yet it rarely aligns with the practical needs of those managing the building. Too often, property teams are left with systems that look impressive on paper but don’t work in practice. They need partners to understand the operational needs of their buildings in practice, not just on paper.
For landlords, investing in solutions that match day-to-day building operations not only improves usability but can also save money. Technology partners who understand what property managers and operators actually need (not just what looks good in a spec sheet) are essential for avoiding costly inefficiencies.
3. Smarter use of existing infrastructure can cut costs and increase efficiency
Not every operational improvement requires new hardware. Many buildings already have the tools in place to generate useful data. Wi-Fi access points are a good example. These can be used to anonymously track space utilisation, footfall, and occupancy trends.
This data can help landlords and operators:
- Allocate bandwidth to the busiest areas.
- Adjust heating, lighting, and cleaning schedules based on actual usage.
- Optimise leasing strategies by understanding how tenants really use the space.
Are you looking for commercial technology solutions?
Vorboss can support your entire digital infrastructure: connectivity, pre-fibering, managed IT, and cybersecurity, all from a single provider. Through our acquisition of Layer8, we can help you automate building management and make day-to-day operations easier and more efficient.
Internet connectivity is the lifeblood of modern businesses, powering operations, communication, and growth. But not all “fibre” connections are created equal.
All connections use fibre at some level, but performance, reliability, and guarantees vary depending on the underlying network. Choosing the right type of connection now can save downtime, frustration, and cost in the future.
In this guide, we'll explore key factors when selecting the ideal business internet provider to keep you connected and thriving.

Understand the connection types
Here’s a quick comparison of the three main fibre-based connections available to businesses:
FTTC and FTTP may work for small teams or low-risk work, but DIA is the only connection built for business-critical reliability, speed, and consistent performance.
Ask yourself these questions
Before comparing providers, clarify your internal needs:
- How critical is uptime for your business operations?
- Which teams rely heavily on cloud apps, video conferencing, or large file transfers?
- How much bandwidth do we need now, and how much will we need in 2–5 years?
- Are upload speeds as important as download speeds for our workflows?
- Would temporary downtime cause financial or reputational damage?
This self-assessment helps you match connection types to your business requirements.