Discover 8 of the Major Cyber Security Risks for Businesses in 2025

A 2025 government survey has revealed that just over 4 in 10 businesses experienced a cyber security breach in the past 12 months. In this article, we review eight major cyber security risks for small and medium-sized enterprises (SMEs) and suggest ways that you can defend against them.

The terms ‘threat’ and ‘risk’ are often used synonymously, but from a cyber security perspective, it’s best to think of them as distinct issues. A threat is something that might attack you; a risk is a vulnerability within your cyber security approach that could be exploited. For example, ransomware is a direct threat, but the unpatched software (patching is the process aimed at fixing issues with processes, systems or software) or weak security policy that it exploited would be the risk. Risks can also be more general, like the cost of remediating a successful attack, which reduces a business’s profitability or hurts its reputation. In no particular order, here are the 8 major risks faced by businesses.

Surveys show cyber crime against UK businesses has been steadily increasing every year for 20 years or more, a sobering trend that shows no signs of slowing. The Government’s Cyber Security Breaches survey from April 2025 found that while 43% of all businesses reported experiencing a cyber breach in the previous year, this figure rose to 67% for medium-sized businesses and 74% for large organisations. It’s possible some of the differences between small and large business isn’t attack frequency so much as better attack detection, as small business often don’t have the resources to recognise and report a breach.

Solution: Compromise is inevitable; incident response is plan B. Organisations can consider achieving accreditations such as Cyber Essentials Plus, the certification that helps companies implement fundamental and effective cyber security measures, or ISO 27001 – the standard for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS).

The frequency of cyber attacks is a concern, as is the growing expense of fixing the damage they cause. High-impact incidents in the UK have been reported by businesses to cost on average £10,000 for those incurring losses due to cyber-facilitated fraud.

Globally, IBM’s 2024 Cost of a Data Breach report found the average breach cost surged to $4.88 million, with financial sector incidents averaging $6.08 million. The takeaway here is not simply the obvious point that cyber attacks cost money, but that these costs can vary unpredictably from modest to crippling.

Solution: The prepared SME is the one that will write the smallest cheques, and who have the necessary protections in place to minimise ransomware attacks.

One misconception is that data breaches/leaks are always caused solely by criminals. However, in reality, many occur because criminals discover and exploit an existing vulnerability. This isn’t splitting hairs; failing to secure data is often what makes breaches possible in the first place.

Sometimes, this is a straightforward error during which data is left unprotected, such as during application development. In other cases, the root cause is more complex. An example of the latter is the failure to properly anonymise data, that is removing personally identifiable information (PII) that would allow it to be associated with a real person.

An example of the former occurred in September 2024, when Transport for London (TfL) suffered a significant data breach that exposed the personal details of thousands of customers and staff. This was not the result of a sophisticated cyber attack, but stemmed from a vulnerability in TfL’s systems, which allowed unauthorised access to names, contact information, home addresses, and, for some customers, bank details. According to TfL, the cost of this was ‘several million pounds’.

Solution: Minimising internal mistakes is a priority. Staff training in cyber security best practices is a key defence.

In April 2025, approximately 14% of workers in Great Britain worked from home exclusively, while ONS data from late 2024 confirms that 28% of working adults were hybrid working, splitting time between home and the workplace. This ongoing enthusiasm for remote and hybrid work is evident across organisations of all sizes, with many businesses also embracing long-term flexible arrangements. What’s harder to consider is how this affects cyber security, known as “the remote insider” threat.

The home and the office are different environments: the security of the home broadband network is uncertain, and work computers must share this with numerous other untrusted devices. Mistakes that might be easily reported in an office – such as opening an infected attachment – can remain invisible for far longer in a home setting. Some home workers also get into the habit of sharing work devices with family members, a clear data security risk.

Solution: Organisations can isolate work devices from personal use, limit access based on roles, and use strong authentication to control access.

The 2024 ransomware attack on Synnovis, a pathology services provider for the NHS in London, has been a big wake-up event for the cyber security industry. In this incident, attackers targeted a key supplier, causing widespread disruption to hospital operations, including blood tests and transfusions across multiple NHS trusts.

The supply chain poses 2 main risks to SMEs:

1. Although attacks often target large organisations and critical infrastructure, the Synnovis breach demonstrated how vulnerabilities can cascade down from a single supplier. This includes smaller businesses, in this case in the healthcare industry, where attackers have resource to look for weaknesses they can exploit for profit.

2. Across certain sectors, SMEs may be part of enterprise supply chains, or at the least depend on them. Incidents like this should prompt renewed scrutiny of vendor security procedures to highlight the risks inherent in interconnected supply chains.

Solution: Organisations can consider achieving certifications such as Cyber Essentials Plus and ISO 27001 to strengthen cyber security position in their supply chain.

Patching – or failing to patch – is a known risk. But what if a vulnerability exists that is not only not patched, but also invisible? A good example of this is firmware vulnerabilities, a layer not monitored for threats or exploits by the majority of endpoint security systems. To date, attacks targeting firmware have either been conducted by researchers or, less frequently, nation-states. These were planned and controlled attacks for research purposes. However, in 2024, the National Cyber Security Centre (NCSC) issued a warning after several UK organisations were targeted by ransomware exploiting vulnerabilities in out-of-date server firmware. This marked a shift from theoretical to active exploitation, with attackers leveraging unmonitored firmware weaknesses to bypass traditional security controls. Thankfully, vulnerabilities in Intel’s Management Engine (ME) – present in virtually all PCs from the last decade – are regularly patched for security vulnerabilities but remain a persistent risk.

Solution: Resilient organisations choose equipment with patchable firmware and maintain continual monitoring of their systems.

Examine most organisations’ networks and you’ll find layers of legacy equipment, including servers, applications and network equipment and devices, which have their life extended for financial reasons. The simplest definition of legacy equipment is one that no longer receives security updates, although a more realistic approach is to compare the security design and features of a given product with its up-to-date equivalent. By that measure, for example, versions of Windows and Windows Server released before Windows 10 and Windows Server 2016 are all considered risky. Microsoft has ended support for Windows 7, 8.1, and Server 2012, and Windows 10 will reach end of support in October 2025. While extended security updates are available for some versions at a significant cost, these older systems are not as resilient as more recent releases.

Solution: Upgrade as soon as possible and isolate or restrict the use of other legacy products or systems.

Many SMEs are moving away from on-premises systems and consolidating their tools using cloud platforms like Microsoft 365 or other software-as-a-service (SaaS) solutions. These platforms often come with strong built-in security, which makes them appealing. While in principle, this reduces an organisation’s attack surface (applications running on fewer services), it does not necessarily reduce the protect surface (that is, the vulnerability of data and users within that). An organisation’s data still exists somewhere, and in the cloud, the risk of a misconfiguration that leads to a data leak remains high. In fact, cloud configuration errors have become a leading cause of data breaches in 2025. This raises the issue of compliance, and where blame might lie if a breach occurs.

Solution: Cloud penetration testing is one place to start, to identify vulnerabilities that can be improved.

Cyber Security certifications are one way to help protect your business. We can help with many options available including ISO 27001 and Cyber Essentials Certification at British Assessment Bureau.

Request a no-obligation quote for your business today or contact our team to discuss your needs.