The big cyber security risk for small businesses

Author: Joe Ashley  |  Date published: July 8, 2025, UK  |  Read est: 5 min read

Focus Group

As a small business, you may think that you won’t be subject to cybercrime. In fact, SMEs can be attractive targets, and this is typically down to having weaker security defences, limited cyber security budgets and less technical expertise to detect and respond to attacks.

In this article, we explore why SMEs are increasingly targeted, debunk common myths about cyber attacks and cyber security, and offer practical guidance to help growing businesses build robust defences without breaking the budget.

Cybercrime: It’s not just for big businesses

While many of the big headline news stories about cyber attacks focus on larger organisations and global businesses, it’s crucial that SMEs aren’t complacent about the risks. A staggering 50% of UK businesses were targeted in 2024, including 18% of micro businesses, 25% of small businesses and 43% of medium businesses. While the total number has since fallen slightly to 43%, it still represents 612,000 UK businesses. Despite these alarming figures, many SMEs continue to operate under the dangerous misconception that their size makes them invisible to cybercriminals.

Why are cybercriminals targeting smaller businesses?

Rather than facing the potentially sophisticated and complex security posture of a large enterprise, cybercriminals are targeting SMEs as they can offer easier access with potentially significant rewards and lower risk of detection.

  • Less sophisticated security infrastructure: Large enterprises have bigger budgets to invest in cyber security per employee annually. Only a third of UK businesses have formal cyber security policies, but the overwhelming majority are from large (85%) and medium (77%) sized businesses.
  • Limited dedicated IT security staff: SMEs typically lack specialised cyber security personnel, instead relying on general IT support, which can create gaps in threat detection and response capabilities.
  • Higher success rates for phishing: Phishing attacks succeed against 85% of UK businesses – the most prevalent and disruptive type of breach or attack. Despite this, it’s also one of the most preventable types of cybercrime, but relies on effective training and staff knowledge. For SMEs, humans are still the weakest link in their cyber security, with only 34% of small businesses providing training or awareness-raising sessions on cyber security in the last 12 months.

Andy Hanson, Head of Cyber Security at Focus Group, explains: "Small businesses often think they're too insignificant for cybercriminals to notice, but that's exactly what makes them attractive targets. Attackers know SMEs typically have weaker defences but still hold valuable data and financial access that can be monetised quickly."

What’s the impact of a cyber attack on a small business?

  • Financial cost: The statistics paint a stark picture. SMEs with inadequate cyber security are losing £3.4 billion a year. The average attack costs reach £3,398 for small businesses and £5,001 for those with 50+ employees.
  • Operational downtime: Business interruption typically lasts 3-7 days for small attacks, but can extend to weeks for ransomware incidents.
  • Reputational damage: 61% of organisations believe reputational damage from a cyber attack would significantly damage their business, while 43% of businesses lose customers after cyber attacks.

How can small businesses strengthen their security?

SMEs need a layered security approach including endpoint protection, employee training, backup systems and incident response planning, not enterprise-level complexity. 

An essential security stack could include:

  • Multi-factor authentication
  • Regular security awareness training
  • Automated back-up systems
  • Network monitoring
  • Incident response plan

Security awareness training is one of the quickest and most impactful steps an SME can take to strengthen its defences. Your employees are at the heart of your business, driving the day-to-day operations that underpin your success. But they’re also your most frequent point of vulnerability and a prime target for cybercriminals.

By helping your people understand today’s evolving cyber threats, equipping them to recognise and respond to risks, and fostering a culture of ongoing vigilance, you lay the foundation for a strong security posture. This not only reduces the likelihood of data breaches, financial loss or operational disruption, but also helps protect your reputation and build long-term resilience.

Supporting the cyber security of small businesses

Encouragingly, UK small businesses are showing improvement in several cyber hygiene practices, so the future is looking brighter.

The experts at Focus Group are here to ensure your emails, browsing, cloud networks and hardware will be protected against cyber attacks. From security training and testing, phishing prevention and anti-virus software to email security and multi-factor authentication, our cyber security solutions can help you to prevent unauthorised access and keep your business protected. If you’d like to find out more, get in touch.

Joe Ashley
Cloud & Cyber Services Director

Joe, with over 25 years of experience in IT, cloud and cybersecurity across both the public and private sector, has led major transformation projects and multi-disciplinary teams. Joe is passionate about delivering cloud-native, secure IT solutions that help customers run, secure and grow their businesses.
