Highlights
This blog was created from an event we hosted in partnership with Wavenet and SE LABS at Vorboss HQ earlier this year. As your SME grows, cybersecurity becomes a critical part of doing business - especially when handling sensitive data or working with larger clients. This guide covers simple, high-impact actions like securing suppliers, training your team, and focusing on essentials like passwords and patching. The goal isn’t perfection, but building practical resilience against everyday threats.
Gone are the days when SME businesses could view cybersecurity mostly as a concern for big corporations with global exposure and dedicated IT resource. Today, cybercrime is a multi-billion pound ‘industry’, with small and mid-sized businesses most often in its sights.
And the risks are very real. In the past year alone, brands including M&S, Co-op, Harrods, and even major railway stations have made headlines due to cybersecurity incidents. These high-profile cases show that no organisation, regardless of size or sector, is immune. They also serve as reminders of how disruptive and damaging an attack can be.
So, who is it that poses the threat? The answer is highly organised criminal groups, generally based overseas, running lucrative cybercrime business models, all on their own. With ransomware now a billion-pound industry, these groups buy and sell stolen data, lease out attack tools, and target companies whose stolen data indicates their capacity to pay.
According to HMRC, 70% of UK SMEs were hit by cyberattacks last year. Yet half of all UK and US businesses, mostly smaller firms, still don’t have a response plan in place.
So let’s look at why SMEs are at such risk, what today’s most common threats look like, and the practical and affordable steps you can take to protect yourself if you run a business.
These insights emerged from a fascinating recent panel discussion which our very own Aaron Rice, CIO, hosted at Vorboss HQ, featuring leaders from cybersecurity firms Wavenet and SE LABS. If you’re running an SME and don’t yet have a clear cybersecurity plan, this is the place to start.
.jpg)
Not ‘if’, but when. The case for ‘resilience’
Cybersecurity used to be about trying to build an impenetrable wall around your systems, but as the threat landscape has changed, so has the mindset. Today, it’s less about preventing every attack and more about being ready to respond when something does get through.
This concept - resilience - came up repeatedly as Wavenet’s CISO, Paul Colwell, and SE LABS’ CEO, Simon Edwards, shared their views. Their message for SMEs was clear. It’s not a question of if you’ll be attacked, it’s a matter of when. How well you bounce back may be the difference between a brief disruption and a long-term crisis.
Perhaps the first question to ask in any cyber incident is “Do we have backups?”. If your systems are compromised or locked down, having secure, up-to-date backups can be the difference between getting back to work or being forced to pay a ransom to regain access. Backups don’t stop an attack, but they’ll make recovery easier.
A cyberattack doesn’t just target your systems, it puts your entire business at risk. Downtime, financial loss, and damaged customer trust are all on the table.
The good news is that becoming resilient doesn’t involve making huge investment into high-end technology. With a little planning, it’s entirely possible to build a strong line of defence, and a solid plan for recovery, without excessive cost. In fact, with fewer systems, simpler structures, and the ability to act quickly, smaller businesses often have an advantage over large enterprises when it comes to putting effective measures in place.
The most common cyber threats to SMEs
.png)
As most SMEs don’t have the time or budget to keep up with every new cybercrime threat, they make attractive targets for hackers, and though cyberattacks come in all shapes and sizes, certain threats show up again and again.
So, what are the most common cyber threats facing SMEs?
Phishing and identity theft
This is where it usually starts. A staff member receives what looks like a legitimate message, usually impersonating a colleague, a supplier, or even a client. It might ask them to click a link, update some details, or approve a payment.
If they take the bait, attackers can obtain access to login credentials, email accounts, or sensitive data, all without needing to “break in”. In the words of SE LABS’ Simon Edwards, “Hackers don’t break in. They log in.”
Ransomware
Ransomware is a frighteningly effective criminal business model, whose use against SMEs has escalated dramatically. Attackers encrypt your data, lock your systems, and demand payment (usually in Bitcoin) to let you back in. In 2023 alone, ransomware was already estimated to be worth over £1bn a year.
While paying the ransom may seem to be the quickest way out, it can open your business up to serious legal and ethical risks, especially if you have no visibility on where the money you’re paying over is going to.
Business email compromise (BEC)
BEC attacks are clever, patient and, again, highly lucrative. Hackers gain access to an internal email account and often set up automatic forwarding to an external address, allowing them to silently monitor conversations over time. They gather intel, study genuine correspondence, and then strike, perhaps by sending a fake invoice or redirecting a payment. It’s why fake emails are so convincing: these criminals aren’t guessing, they know exactly what you’re expecting and exploit timing and trust with precision.
Cyber hygiene. Arranging simple, powerful protection
Cybersecurity doesn’t have to start with technology. It starts with behaviour; simple, everyday habits that make it harder for attackers to get in.
Unlike big organisations with complex systems, SME management teams are usually free to set rules, enforce good habits, and make changes without needing to go through layers of approval.
The number one non-technical thing an SME can do to protect itself? Simon Edwards didn’t hesitate: “Easy. Cyber hygiene and the Cyber Essentials programme.”
So, what does good, basic cyber hygiene look like? A good way to think about it is via ‘The 3 Ps’, as the industry refers to them.
Passwords
Make sure everyone in your business is using strong, unique passwords, and that these aren’t shared or reused across different systems.
A strong password should:
• Be at least 12 characters long
• Use a mix of uppercase and lowercase letters, numbers, and symbols
• Avoid personal details or common words
Next, enforce multi-factor authentication (MFA) wherever possible. It’s one of the simplest and most effective ways to stop unauthorised access.
Phishing
Your team is your first line of defence. Train your people to recognise suspicious emails, double-check unusual requests, and report anything that doesn’t feel right. Most phishing attacks rely on urgency or familiarity to bypass common sense, so encouraging people to pause and consult with managers or appropriate colleagues before taking any action in response to a suspect email can make all the difference.
Patching
Every piece of software has flaws, and cybercriminals are quick to exploit these. Keep all your systems up to date. That includes operating systems, email tools, cloud platforms, routers, and printers. When a zero-day vulnerability is announced, fast patching is critical. It could be the difference between staying secure or becoming one of the first victims.
None of these steps requires major investment. All that’s needed is a clear policy, regular reminders, and a commitment to taking security seriously.
Certifications that help protect and reassure
Even when you recognise the danger of cyberattacks and have measures like these in place to reduce your exposure, how can you evidence this to clients and customers, as well as your employees?
It doesn’t have to be complex - there are certification schemes built specifically for SMEs.
At a basic level, they help you cover the fundamentals. But they also send a clear signal to clients, partners, insurers, and suppliers that you’re serious about reducing risk.
The three most widely recognised certifications are:
Cyber Essentials
The entry point for most UK organisations, and a great starting place for SMEs. Cyber Essentials is a government-backed scheme that covers the basics: secure configuration, access controls, software updates, and protection against common threats. It’s a self-assessed process and, once certified, you’ll receive a badge that shows you’ve met the standard. Clients like it. Insurers like it. And it’s easier to attain than you think.
Cyber Essentials Plus
This is the next step up. It includes everything in the basic Cyber Essentials scheme but adds an independent audit and technical testing. If your business handles sensitive data, works with regulated industries, or simply wants more assurance, then this is worth considering.
ISO 27001
Recognised internationally, this is the gold standard for information security management. It’s more involved and more expensive than Cyber Essentials, but if your business is growing fast or you’re working with enterprise clients, it can be a significant asset.
Whatever level of certification you feel is appropriate for your business, try not to treat it as a one-off box-ticking exercise. It’s a chance to improve your practices, strengthen your culture, and set a clear security baseline that will protect you as you grow.
What to do if you’re attacked
No matter how well prepared you are, things can still go wrong.
The key is to stay calm and act quickly, following a pre-prepared response plan. A good response plan doesn’t just help you recover faster. It can also limit the damage, protect your customers, and stop the same thing happening again.
If you find yourself under attack, here’s what to do:
1. Find the way in
Your first priority is to understand how the attacker got access. Was it a stolen password? A phishing email? A vulnerability in your software? Until you know, you won’t be able to shut the door properly, and you risk being hit again.
“Your number one priority is to understand the route of attack, and block it,” Simon Edwards advises. “If you don’t, there’s nothing to stop them coming back.”
2. Contain the damage
Isolate affected devices or systems. Lock down compromised accounts. If you work with an IT provider, contact them immediately. The faster you act, the more you can limit the spread.
3. Check your backups
If your systems have been locked by ransomware or wiped by an attacker, check whether your backups are intact and up to date. If so, you may be able to restore your data without paying a ransom and get your business back on its feet faster. Ideally, backups should be stored offline or in a secure cloud service and tested regularly to make sure they work when you need them.
4. Don’t rush to pay
If it’s a ransomware attack, you’ll be asked to pay - usually in Bitcoin. But paying the ransom doesn’t guarantee you’ll get your data back, and it could even put you in legal trouble if the money later turns up in a sanctioned country. Always get expert advice, ideally from a law firm with a cybersecurity team, before taking any action.
5. Inform the right people
Depending on the nature of the breach, you may need to notify regulators, clients, suppliers, or insurers. Transparency is important, and delay can make things worse. If you hold personal data, you may also have a legal duty to report the incident to the Information Commissioner’s Office (ICO).
6. Learn from it
An attack is painful, but it’s also an opportunity. Once you’ve recovered, take time to understand what went wrong and how to prevent it in future. Were there warning signs? Was it something that could have been stopped? Use the experience to build better defences.
Penetration testing. Something to know as you grow
As your business grows or handles sensitive data, you’ll likely hear about penetration testing. Pen testing involves hiring ethical hackers to find weak spots in your systems before attackers can exploit them.
For many SMEs, especially early on, this might be overkill. But as your business scales, or you pursue larger clients, ‘pen testing’ can become a requirement. Insurers may also ask about it if you’re looking for more comprehensive cyber cover.
Don’t forget your suppliers
Many SMEs rely on third-party suppliers like cloud software and service providers to handle everything from email and invoicing to customer data and collaboration tools. But if one of those providers gets hacked, your business could be affected.
Don’t hold back. Ask the companies whose systems you engage with a few simple questions:
• "What security measures do you have in place?"
• "Are you certified under schemes like Cyber Essentials or ISO 27001?"
• "If something goes wrong at your end, who’s responsible, and how will we be informed?"
It doesn’t need to be a formal audit. Just showing that you’re aware of the risk and asking for basic reassurances can go a long way. And if a supplier is vague or dismissive about security, treat that as a red flag. In the end, your own cybersecurity is only as strong as the people you trust to help run your business.
Take action today
You don’t need to overhaul your entire business to make meaningful progress on cybersecurity. A few well-chosen actions will dramatically reduce your risk, and set a solid foundation for whatever may happen:
A final thought: resilience beats perfection
Cybersecurity can feel like a complex topic, especially when you’re running a growing business and perhaps no dedicated IT team. But protecting your company doesn’t mean spending a fortune on tech.
It means being prepared. Putting sensible safeguards in place. Creating a culture of awareness. And knowing how you’ll respond if, or when, something goes wrong.
That’s resilience, and it’s well within reach for every SME.
Cybersecurity terms explained
Phishing – Tricks staff into clicking fake links or sharing login details, often via email or messaging.
Ransomware – Malware that locks your files or systems and demands payment, usually in cryptocurrency.
BEC (Business Email Compromise) – Hackers access a genuine email account to send fake but convincing payment or invoice requests.
MFA (Multi-Factor Authentication) – Adds an extra step to login beyond a password, like a code sent to a phone.
Patching – Updating software to fix security flaws and prevent attacks.
Cyber hygiene – Everyday habits and rules that make it harder for attackers to get in.
SLA (Service Level Agreement) – A guarantee from a provider about uptime, support, or speed.
ISO 27001 / Cyber Essentials – Certifications that show your business takes information security seriously.
Penetration testing (Pen testing) – Ethical hacking to find vulnerabilities before attackers do.
Tell us about yourself so we can serve you best.
Got a question?
More articles
.png)
Internet connectivity is the lifeblood of modern businesses, powering operations, communication, and growth. But not all “fibre” connections are created equal.
All connections use fibre at some level, but performance, reliability, and guarantees vary depending on the underlying network. Choosing the right type of connection now can save downtime, frustration, and cost in the future.
In this guide, we'll explore key factors when selecting the ideal business internet provider to keep you connected and thriving.
Understand the connection types
Here’s a quick comparison of the three main fibre-based connections available to businesses:
FTTC and FTTP may work for small teams or low-risk work, but DIA is the only connection built for business-critical reliability, speed, and consistent performance.
Ask yourself these questions
Before comparing providers, clarify your internal needs:
- How critical is uptime for your business operations?
- Which teams rely heavily on cloud apps, video conferencing, or large file transfers?
- How much bandwidth do we need now, and how much will we need in 2–5 years?
- Are upload speeds as important as download speeds for our workflows?
- Would temporary downtime cause financial or reputational damage?
This self-assessment helps you match connection types to your business requirements.
.jpg)
Generative Pre-trained Transformers (GPTs) like OpenAI's ChatGPT are revolutionising industries across the board. From writing emails to creating educational content, they're powerful tools built to understand and generate human-like text. But the same tech that makes GPTs useful also makes them risky, particularly for cybersecurity.
In February 2024, Microsoft and OpenAI spotted several state-backed hacking groups from Russia, North Korea, Iran, and China using GPTs to improve their exploitation tactics. The Strontium group, linked to Russian military intelligence, has been found using large language models (LLM’s) to understand satellite communication protocols, radar imaging technologies, and other sensitive miliatry information.
But GPTs can also be misused in everyday cybercrime and by employees or contractors who have access to sensitive data.
How GPTs can be weaponised in everyday cybercrime
- Phishing: GPTs can generate convincing phishing emails that mimic real writing styles, making it more difficult to spot and harder for filters to block.
- Social engineering: these models can be used in live chats, like customer support, to trick people into giving up sensitive information. Connected to text-to-speech tools, they could also be used in voice scams.
- Malware code generation: even with filters in place, attackers can trick GPTs into writing malicious code.
- Data leakage: when employees input sensitive company information into these models, that data gets stored and could be leaked back to others.
- Misinformation: GPT’s can 'hallucinate', which means they present false information portrayed as fact. When spread, this can lead to real-world consequences such as political confusion or interference during a crisis.
.jpg)
.jpg)
