With 41% of UK SMEs reporting financial losses due to fraud, with an average loss of £4,000 per incident, the need for robust cyber security measures has never been more critical. What might be the impact if your business were hacked? How would you cope if you lost all of your data or access to key systems?
Strengthening cyber security measures is vital for small and medium-sized businesses in every industry. Read about the essential tools and insights that support the protection of digital assets.
Understanding the Cyber Threat Landscape
Common threats include hacking (exploiting known vulnerabilities in internet-connected devices), phishing (tricking users into installing malicious applications) and password guessing.
Over 43% of businesses – which equates to approximately 612,000 organisations – have faced a cyber security breach in the last 12 months, with 42% of small businesses affected by phishing attacks, according to the government’s 2025 Cyber Security Breaches Survey.
In recent years, cyber attacks have become increasingly common and sophisticated, posing a significant threat to UK businesses. For example, in May 2024, The Billericay School in Essex suffered a major cyber attack that compromised sensitive student and parent data and forced a temporary school closure.
Cyber threats can:
- Infect systems with malware to damage, disrupt, and gain unauthorised access.
- Overload a website with DDoS (Denial of Service) to flood and target the bandwidth and resources of an organisation’s systems.
- Manipulate employees into divulging confidential information for fraudulent purposes.
- Exploit weaknesses in an organisation’s systems.
As businesses continue to experience thousands of cyber attacks a day, it’s clear that cyber security must be a priority for every business owner. Regardless of how complex these attacks might be, they can have considerable negative and reputational implications for the organisation involved.
Read about the latest cyber attacks in the UK.
The Ultimate SME Cyber Security Checklist
One of the biggest mistakes smaller organisations can make is to assume that because their turnover is modest or their operation is small, cyber criminals will go elsewhere. However, ransomware attackers are just as interested in SMEs as larger companies.
Ransomware always targets backups, and penetration tests can be a good way to look for weaknesses in this layer of defence. To minimise the chances of becoming a cyber crime statistic, organisations could consider the following:
|
Action |
Importance and impact |
|---|---|
|
Start with employees |
An organisation’s first line of vulnerability and defence is its employees. One of the most common ways malware gets a foothold is when someone opens an infected document or clicks on a link. The conventional solution is cyber security training to recognise and avoid phishing emails. Having a designated cyber security officer (CSO) can also be hugely beneficial. |
|
Have secure Wi-Fi networks |
One thing businesses can do is to create secure Wi-Fi networks. Never have an internet connection that’s open to the public. |
|
Turn on firewalls and have a robust antivirus |
Firewalls are like the gatekeepers for network’s traffic, both in and out. Organisations should keep on top of firewall and antivirus updates. |
|
Use good password practices |
Strong passwords and separate accounts on personal devices are key safeguards against security risks. Non-dictionary words are the strongest. If possible, enable multi factor authentication (MFA). |
|
Always back up your data |
Ransomware does exactly what you think it does: it holds data hostage. Recovery typically relies on wiping affected systems and restoring from backups. |
|
Detect attacks |
Most SMEs rely on an endpoint security product or antivirus to pick up an issue. However, even the best antivirus can’t detect all attacks, or at least detect them before damage is done. For that reason, organisations might explore endpoint security that employs some form of application micro-isolation to prevent the spread of infections. |
|
Managed detection and response (MDR) |
Even when attacks are detected, it’s often difficult to respond to them before the problem has spread. This is basically threat detection integrated with rapid response, remediation, and, if necessary, forensic incident investigation. |
|
Test defences, including backup |
By far, the biggest problem in SME cyber security is that companies don’t know their vulnerabilities and weaknesses because they’ve never looked for them. A second approach is to carry out a basic penetration test (a simulated attack to find vulnerabilities). |
|
Turn on multi-factor authentication |
Password attacks mean that no password is reliable without an additional factor such as an app-generated passcode, push authentication, or a hardware token. |
|
Implement strong email security practices |
Email is not the only security vulnerability facing SMEs due to threats like phishing and malware. Using robust spam filters and encryption, and regularly updating email security protocols can protect sensitive information. Additionally, buying email security as a specific service means a service provider takes care of the complex aspects of keeping emails secure. |
|
Secure privileged servers |
The phrase’ attack surface’ is frequently used in the current cyber security discussion. Anything requiring an external login should be considered risky. |
|
Segment the network |
If attackers get inside the network, the first thing they look to do is move sideways to access other devices, systems, or sensitive areas within the network. By creating separate segments, if an attacker gains access to one part of the network, their movement is restricted. |
|
Patch vulnerabilities |
Patch management has been best practice for years, but it’s not always as simple as it looks. SMEs have two options, the most expensive of which is to ask a managed security service provider (MSSP) to carry out this service. |
|
Dispose of old equipment |
Small businesses are often told to update old equipment and software because they can be security risks. However, it’s not always easy to know which things are considered outdated. |
These practical steps can help to protect a business from common threats and align closely with the standards set by the Cyber Essentials scheme, which provides a structured approach to implementing these essential security measures.
Read more about how ISO 27001 could support your business.
Why SMEs Should Implement Cyber Essentials
Cyber Essentials is a government-backed initiative launched by the Department for Business, Innovation, and Skills in 2014. It was developed with the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI) to provide organisations – especially SMEs – with a set of controls to help guard against prevalent cyber threats by pinpointing vulnerabilities and reducing the chances of cyber attacks.
Cyber Essentials guides businesses through assessing and improving their cyber security measures. Certification requires the implementation of essential security controls, including boundary firewalls, secure configurations, access control, malware protection, and patch management.
It is particularly appropriate for SMEs thanks to the following:
- Affordability: It offers a cost-effective way to implement essential cyber security measures and avoid the costly repercussions of cyber attacks without the need for large-scale investments. Achieving Cyber Essentials certification can often lead to reduced premiums on cyber insurance, providing both financial savings and better security coverage.
- Simplicity: Cyber Essentials is straightforward, making it accessible for businesses that may not have extensive in-house IT expertise.
- Relevance: Cyber criminals often target SMES due to perceived weaker defences, and Cyber Essentials helps address this vulnerability. It also supports data protection obligations under the UK and EU GDPR frameworks.
- Efficiency: As Cyber Essentials certification helps to protect an organisation against 80% of the most common types of cyberattacks, it also helps you reduce the risk of business disruption due to downtime.
- Business opportunities: Achieving certification can lead to new business opportunities as it demonstrates that an organisation works in a safe and secure digital environment. It can also open doors to government contracts and partnerships that require a demonstrated commitment to cyber security. For instance, Cyber Essentials certification is specifically required by the Ministry of Defence and many local authorities.
Read more about Cyber Essentials.
Plus, find out more about ISO 27001 certification for your business.
Which Types of SMEs Can Benefit from Cyber Essentials?
Cyber Essentials provides essential cyber security measures that can significantly enhance the security of small and medium-sized businesses, including the following:
- Professional Services: Protect sensitive client information in law, accounting, and consulting firms, maintaining confidentiality and compliance.
- Healthcare Providers: Safeguard patient records, ensuring compliance with data protection regulations and maintaining patient trust.
- Tech Startups: Secure digital assets and intellectual property, building credibility and trust with partners and investors.
- Retailers: Secure customer data and payment systems, enhancing trust and protecting against breaches.
- Nonprofits: Protect donor information and enhance cybersecurity on a tight budget, maintaining operational integrity.
Get Cyber Essentials Certification for Your SME
Get started on your journey to Cyber Essentials and Cyber Essentials Plus certification for your business with British Assessment Bureau.
Also consider ISO 27001 certification to support your business in establishing an efficient Information Security Management System (ISMS).
Request a quote today or contact our team to discuss your needs.
