There's a dangerous myth in small business: "We're too small to be targeted." Attackers don't see a small business as beneath them. They see it as an opportunity — fewer defences, less monitoring, easier entry points, and often access to larger supply chains or customer data they can monetise.

The threat landscape has shifted, and ignoring cybersecurity is no longer a risk you can take.

The Threat Landscape Today

Cyber attacks aren't targeted anymore — they're automated, widespread, and indiscriminate. Attackers use tools that scan networks continuously, looking for vulnerabilities. When they find a way in, they exploit it. Size doesn't protect you; obscurity doesn't either.

Small and medium-sized businesses represent about 43% of all cyber attack targets. The NCSC's annual review consistently highlights UK SMBs as a growing focus for attackers. You're not being singled out personally — you're being caught in a wide net. But you're being caught nonetheless.

Common Attack Vectors

Phishing and Social Engineering

Most breaches start with an email. A convincing phishing attack tricks someone into revealing credentials, clicking a malicious link, or opening an infected attachment. It requires no sophisticated technology — just psychology. And it works often enough to be one of attackers' favourite methods.

Ransomware

Ransomware locks your files and demands payment to unlock them. Without a solid backup strategy, you either pay or lose your data. Ransomware attacks against small businesses often yield payments because the victims feel they have no choice.

Credential Theft

Your team's passwords are traded on dark web marketplaces. An attacker uses them to log in to your systems as if they belong there. Multi-factor authentication stops most of these attacks — our guide on passwords, MFA, and passkeys covers what's changed and what you should be doing now. Without it, you're exposed.

Unpatched Systems

Vulnerabilities in Windows, Office, browsers, and plugins are exploited within days of being disclosed publicly. Systems that aren't patched regularly are actively targeted. It's that simple.

The Real Cost of a Breach

When people talk about breach costs, they often list the obvious: ransom payments, data recovery, legal fees. But the real cost is far broader:

  • Business interruption: You can't operate while systems are compromised or being recovered
  • Notification costs: You're legally required to notify the ICO and affected parties if personal data was breached
  • Regulatory fines: GDPR and other regulations carry penalties for breaches
  • Remediation: Fixing compromised systems, rebuilding infrastructure, replacing hardware
  • Incident response: Forensics, investigation, legal counsel — it adds up quickly
  • Reputation damage: Customers lose trust. Business doesn't recover quickly
  • Insurance: If you weren't insured, you pay everything yourself. If you were, premiums skyrocket

A typical breach for a small business costs £100,000 to £500,000+. For many, that's existential.

The Cost of Prevention

By comparison, the cost of basic cybersecurity:

  • Multi-factor authentication on key accounts: included with most cloud services
  • Regular security awareness training: £500-£2,000 annually
  • Automated patch management: built into modern IT systems
  • Backup and recovery systems: £200-£500/month depending on data volume
  • Endpoint protection: £50-£200 per device annually
  • Security monitoring: £300-£1,000/month depending on complexity

Total for a basic but solid cybersecurity program: roughly £5,000-£15,000 annually for a typical SMB. That's the cost of preventing something that could cost you 10-100 times that amount.

What Good Cybersecurity Actually Looks Like

You don't need military-grade security. You need practical, consistent protection:

  • Strong authentication: MFA on all critical accounts, strong password policies, password managers
  • Backup strategy: Encrypted, tested, recovery-ready, kept off-site
  • Patch management: Automated where possible, scheduled where necessary
  • Endpoint protection: Modern antivirus and endpoint detection on all devices
  • Network monitoring: Visibility into what's happening, alerting on suspicious activity
  • Security awareness: Regular training and simulated phishing tests for your team
  • Incident response plan: Written procedures so you don't panic if something goes wrong

This isn't exotic. It's standard practice for any organisation serious about protecting itself.

Cyber Insurance: Worth It, But Not a Substitute

More businesses are getting cyber insurance each year, and some clients are now requiring their suppliers to have it in place. It's become a standard business expectation — much like public liability insurance. There's good reason for that: a serious breach can cost more than most small businesses have in reserves, and insurance helps bridge that gap.

But here's what people often miss: cyber insurers no longer just hand out policies to anyone. Most insurers now require you to have basic security controls in place before they'll even offer you coverage — and they're typically looking for the same things this article has outlined: MFA on critical accounts, patched systems, backup strategies, endpoint protection. If you can't demonstrate you have these basics, you won't get insured. And if you do get a policy but you're breached because you ignored basic security, the insurer may deny your claim or drastically increase your premiums afterwards.

Cyber insurance is valuable, but it's important to understand what it actually covers and what it doesn't. It typically helps with financial recovery — notifying affected parties, forensic investigation, business interruption, ransom payments if applicable, and legal costs. What it doesn't cover is the operational chaos of a breach, the reputational damage that takes months or years to recover from, the customer relationships you'll lose, or the disruption to your business while you're recovering. Some claims are also denied outright if the breach happened because you failed to implement basic security controls. Think of insurance as a financial safety net, not a substitute for actually protecting yourself in the first place.

The Question Isn't If, It's When

Cyber attacks are inevitable. The question is whether you'll be ready when one happens to you. Most aren't.

When a breach does occur, the businesses that recover fastest aren't always the ones with the biggest budgets — they're the ones that had a tested plan in place and knew exactly what to do. They'd already documented their incident response procedures, identified who needs to be contacted first, tested their backups to make sure recovery actually works, and rehearsed their response so there's no panic or chaos when reality hits. That preparation often makes the difference between a business that recovers in weeks and one that takes months or never fully recovers. It's why business continuity planning matters just as much as the technical security controls — because even the best security doesn't guarantee you won't be breached, but good planning almost guarantees you'll survive it.
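The "tested their backups to make sure recovery actually works" step above is the one most often skipped, because a backup that has never been restored is only a hope. The script below is an added example (not code from the original article) of a minimal restore drill: it builds a few constructed sample files, archives them, restores the archive to a separate location, and compares a SHA-256 manifest taken at backup time against the restored files. It assumes a plain tar.gz archive and the Python standard library only; encryption at rest is assumed to be handled by whatever backup tool you actually use, so it is not shown here. The `tamper` flag is a hypothetical switch that simulates a corrupted restore so you can see the check fail.

```python
"""Backup restore drill: prove a backup can actually be restored.

Added example, not from the original article. Uses only the standard
library and constructs its own sample data in a temporary directory.
Encryption of the archive is assumed to be handled by the backup tool.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive the source tree and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing path-traversal members where supported."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # safe extraction filter (Python 3.12+, backported)
        except TypeError:
            tar.extractall(target)  # older Python without the filter argument


def verify_restore(expected: dict[str, str], restored_root: Path) -> list[str]:
    """Compare the restored tree to the backup-time manifest.

    Returns a list of problems; an empty list means the restore is complete
    and byte-for-byte identical to what was backed up.
    """
    actual = build_manifest(restored_root)
    problems: list[str] = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def run_restore_test(tamper: bool = False) -> list[str]:
    """End-to-end drill on constructed sample data.

    tamper=True (hypothetical switch) overwrites one restored file so the
    drill demonstrates what a failed restore check looks like.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, restored, archive = base / "live", base / "restored", base / "backup.tar.gz"
        # Constructed sample data standing in for real business files.
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "invoices.csv").write_text("id,amount\n1,120.00\n")
        (source / "customers.txt").write_text("Constructed sample data\n")

        expected = make_backup(source, archive)
        restored.mkdir()
        restore_backup(archive, restored)
        if tamper:
            (restored / "customers.txt").write_text("silently altered\n")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())           # expected: []
    print("tampered restore problems:", run_restore_test(tamper=True))  # expected: ['corrupted: customers.txt']
```

Run this on a schedule against a real backup target and treat any non-empty result as an incident worth investigating: a backup that fails this drill is not a backup you can rely on during a ransomware recovery.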

If your cybersecurity hasn't been reviewed or upgraded recently, or if you're relying on basic protections and hoping nothing happens, that's the conversation to have right now. And if you're worried about how to afford better protection, our article on building IT resilience without overspending shows it doesn't have to cost a fortune.

Strong cybersecurity protects your business, your team, and your customers. It's not optional anymore.