
From M&S to SMEs: The Rise In Cyber Attacks


Recent cyber attacks on some of the UK’s best-known businesses including Marks & Spencer, Co-Op and Harrods have reinforced how important cyber security is. While these are large, well-resourced businesses, their experiences serve as a timely reminder that no business is immune.  

SMEs may assume they are unlikely targets, but the reality is quite different. According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of businesses reported experiencing at least one cyber security breach or attack in the past 12 months. For small businesses, this figure rises to 50%, and 41% of micro businesses (1-9 employees) reported the same. 

Cyber criminals are becoming more sophisticated, using automated tools and ransomware models to scale their attacks. According to government data, by far the most common type of breach or attack is phishing (84% of businesses). SMEs are frequently targeted as entry points into larger networks, where weak or inconsistent defences can allow a single compromise to escalate into wider disruption. 

While no system can eliminate cyber risk entirely, there are clear steps that SMEs can take to help protect themselves. Certification to standards such as ISO 27001 and Cyber Essentials provides the structure and assurance organisations need to assess vulnerabilities, build effective controls, and demonstrate responsibility to clients, insurers, and regulators.

ISO/IEC 27001 is the international standard for information security management. It offers a risk-based framework to manage digital threats, secure information assets, and create policies that reduce exposure over time.  

For businesses at the early stages of their cyber security journey, Cyber Essentials certification offers assurance to customers that the organisation is committed to protecting against common cyber threats.

Another essential area to consider is continuity planning. While ISO 27001 focuses on information security, ISO 22301 provides a structured framework to support business continuity planning and preparedness for disruptive incidents. For SMEs reliant on a small number of key people, systems, or third parties, ISO 22301 is often used to support continuity planning and recovery strategies. It enables businesses to identify their most important processes, develop recovery plans, and respond effectively when the unexpected occurs.  

With phishing and human error still responsible for a significant proportion of breaches, equipping staff with basic cyber security knowledge is a commonly recommended approach supported by industry guidance. Our online Cyber Security Awareness Training Course provides a practical learning tool to help organisations raise staff awareness and support internal knowledge building.  

Together, these standards and tools give SMEs a way to build stronger foundations for cyber resilience. Certification won’t stop an attack, but it helps protect your organisation by reducing risk, increasing awareness, and preparing you to respond with confidence when it matters most. 

Get in touch to explore how certification can strengthen your cyber resilience.
