What does the year ahead hold for SMB cybersecurity?


Small and medium businesses (SMBs) play a massive role in the economy and, in the UK private sector alone, account for three-fifths of employment and around half of turnover, according to the Federation of Small Businesses. As such, they are also a major target for cybercriminals, with 58% of small and 70% of medium businesses having identified breaches or attacks in the previous 12 months, according to a 2024 UK government study.

This is a challenging set of circumstances, with SMB cybersecurity limited by a range of factors: a shortage of in-house skills and experience, limited awareness of the risks created by outdated technology, and a long list of competing priorities.

But, looking at the year ahead, where do the main dangers lie and how serious are the cybersecurity risks faced by the SMB community?

By their nature, SMBs cannot allocate resources to every operational priority, cybersecurity included. The trap this creates is that security only gets addressed properly once an incident comes to light, by which time serious damage may already have been done. It is easy for experts and advisors to urge SMB leaders to do more, but even a limited degree of proactivity can close many of the major gaps.

An ideal starting point is to conduct a risk impact assessment so the business can understand where to allocate resources and budget, even if they can’t cover everything. With that foundation in place, SMBs have the basis for building an effective security strategy that is fit for purpose and can grow in sophistication over time.

Generally speaking, businesses that take a reactive stance on cybersecurity are also less likely to take compliance seriously. If it is addressed at all, compliance is often little more than a box-ticking exercise designed to meet minimum commercial or regulatory requirements, often not going far enough to avoid the prospect of breaches and the associated penalties.

Effective compliance, however, is key to ensuring SMBs can protect customer, employee and business data from threat actors. It also plays an important role in building trust and credibility among stakeholder groups at a time when the reputational damage associated with a breach can be devastating.

Employees are the first line of defence and play a pivotal role in whether many attacks succeed or fail. SMBs face an uphill task here: one recent piece of industry research found that over two-thirds (68%) of 2023 data breaches involved a human element.

Worrying as this is, it’s arguably less surprising when placed in the context of 2024 UK government figures showing that only 30% of small and 52% of medium businesses carried out training or awareness-raising sessions on cyber security in the previous 12 months. Without significant improvement in employee awareness, the risks are unlikely to diminish.

Driven by factors such as globalisation, the continuing growth of e-commerce and deepening technology integration, many SMBs now operate within increasingly complex supply chains. In this situation it is easy to take an insular view of cybersecurity risk and, as a result, to overlook the exposure introduced by third parties.

For instance, according to UK government figures, only 26% of small and 43% of medium businesses have formally reviewed the cyber security risks presented by their immediate suppliers or wider supply chain. In both groups, therefore, the majority remain more exposed to supply chain attacks – a worrying situation given the prediction that by this year, 45% of organisations worldwide “will have experienced attacks on their software supply chains, a three-fold increase from 2021.”

Cybersecurity resilience isn’t just about preventing attacks – it’s also about how well organisations can recover from them. The challenge for the UK SMB ecosystem is that only 22% of all businesses have a formal incident response plan in place. The rest are unprepared, and therefore in the unfortunate position of having to cope on an ad hoc basis when they are breached.

Currently, most small and medium businesses don’t have any cyber insurance coverage. With annual cyber insurance premiums likely to increase by 15% to 20% per year by the end of 2026, according to a report by S&P Global, the prospects for significantly improving the levels of coverage seem unlikely. This is despite the fact that many policies remain affordable and can provide SMBs with the support they need to recover should an attack be successful.

Before jumping on the AI bandwagon, SMBs should establish whether a proposed AI implementation is genuinely the best way to resolve an identified business challenge, and fully evaluate the security consequences before deploying it. Those who don’t risk introducing new and potentially significant security problems into their existing IT infrastructure.

With 2025 set to be a year where SMB budgets and profit margins remain under pressure, many will prioritise small, incremental improvements in IT security over transformative changes. However, by focusing primarily on ‘quick fix’ solutions, organisations risk compromising meaningful progress in protecting their systems and data, both in the short and long term.
