Small business cyber security awareness is rising: tips to not get left behind_

24th Jun 2025 | 10 min read

For years, small businesses have been warned about the importance of cyber security awareness and the risk of not having sufficient protections. Weak defences have historically left these businesses as ‘easy targets’, with criminals able to exploit vulnerabilities without too much challenge.

An attitude of ‘we’re too small to be targeted’ has exacerbated the situation further, bolstered by reduced budget and resources to tackle cyber risk. However, as risk levels rise in an increasingly digital, AI-first world, businesses can no longer avoid cyber threats. In fact, smaller businesses are often seen as quick wins, giving criminals gains without much challenge.

But this year, the tide seems to be turning. More small businesses are taking notice of rising risk levels and implementing specific initiatives to protect their business.

In this guide, we explore how things are changing, and what you should be doing to ensure you’re not getting left behind.

 

How are SMBs becoming more cyber secure?

In the last 12 months, a series of data reports have shown an increase in cyber security awareness and practice among SMBs.

In 2024, more than half of UK small businesses increased their cyber security spending, with 8% saying the increase was significant. This reflects more organisations making cyber security a priority in their budget.

This increase has been backed by the findings of the most recent government Cyber Security Breaches Survey. Survey data shows small businesses have improved across cyber hygiene practices, including:

  • Increased uptake of cyber security risk assessments (48%, 7% increase from 2024)
  • Cyber insurance (62%, 13% up from 2024)
  • Formal cyber security policy covering cyber security risks (59%, up 8%)
  • Business continuity plans that address cyber security (53%, up 9%)
  • Incident response measures (with external communication plans up 8% from last year and internal reporting up 7%)

The benefit of this increased cyber security prioritisation is already being felt. The number of businesses reporting any cyber breach or attack has declined this year, driven by a decrease in micro (down 6% from 2024) and small (down 8%) businesses identifying a cyber breach or attack.

This has shown that small businesses are effectively making themselves less of an easy target by implementing stronger protective measures across the board.

 

Why are small businesses investing more into cyber security?

If cyber crime has been a threat for so long, you may be asking: why are small businesses acting now?

There are a few factors at play:

  1. An increase in high-profile attacks. In this year alone we’ve seen household names like Marks & Spencer, Co-op and Adidas fall victim to cyber attacks, bringing long-lasting disruption and financial loss. With these large organisations susceptible to vulnerabilities despite strong measures and significant budgets, many SMBs may now be realising it could easily happen to them. Plus, they might not have the financial power to withstand the implications.
  2. Increased volume of attacks. For years now, cyber risks have been rising, with more businesses being hit. Cyber criminals are increasingly sophisticated in how they mount their attack, even using tools like AI to scale attempts. For them, attacking businesses is a revenue stream. And as volumes increase, everyone is a target, including SMBs.
  3. Concern around AI. AI usage will be present in every business, even small ones. However, smaller businesses are less likely to have designated AI policies that eliminate risk and keep data safe. This means staff can use AI ungoverned, potentially opening weaknesses and putting sensitive information in the hands of attackers. As AI continues to grow, many SMBs will now be realising they need to protect themselves in case misuse puts their business in danger.
  4. Growing skills gap. There is a cyber security skills gap globally, with many businesses unable to get the expertise they need. SMBs are likely to feel this most, given budgetary constraints and smaller workforces. By implementing strong security baselines, these businesses can get the protection they need, even without skilled staff and constant threat monitoring.

 

Lingering challenges for small business cyber security_

While the rise of cyber security awareness is a positive, there are still obstacles SMBs need to tackle in their bid to be truly secure. This is especially key as attack levels increase.

 

1. Limited financial resources_

SMBs typically operate with tighter budgets compared to larger enterprises. Allocating sufficient funds for cyber security measures, including software, hardware and skilled personnel, can be a challenge. This means they need to find cost-effective tools that offer sufficient protection for their needs.

And while the outlook is more positive, some businesses will need education on the perceived cost of implementing security solutions versus the value of the benefits. Some SMBs may view cyber security as an unnecessary expense until an incident occurs. It is therefore crucial for these businesses to understand the costs associated with a successful attack versus investment in security.

 

2. Lack of expertise and personnel_

The global shortage of cyber security professionals will likely impact SMBs most. They often struggle to attract and retain qualified staff due to salary limitations and the appeal of larger companies.

As a result, many SMBs lack a dedicated IT or security team, leaving cyber security responsibilities to employees with limited expertise in this area. General IT support personnel may not have the specialised knowledge required to implement and maintain advanced security measures.

This can cause a lack of strategy and vision for cyber security within the business, leaving risks exposed and allowing organisations to fall behind the curve. Outsourcing will be crucial to prevent this.

 

3. Time and resource constraints_

SMB owners and employees are often focused on day-to-day operations and may lack the time to dedicate to cyber security planning and implementation. Employees often wear multiple hats, making it difficult to add cyber security responsibilities to their already full workloads.

With nobody responsible for cyber security, it becomes harder to make progress and stay on top of best practices. Again, outsourcing is a key solution.

 

4. Awareness and training gaps_

If cyber security awareness has not been a priority for the organisation, employees may not be aware of common cyber threats like phishing or the importance of security best practices, making them vulnerable to social engineering attacks.

The cost associated with training may also bring it down in the priority list. However, raising awareness levels is crucial for ongoing threat avoidance.

 

5. Technology and infrastructure challenges_

SMBs are more likely to have older hardware and software that are more vulnerable to exploits and lack modern security features. This is the result of reduced digital transformation budget and vision.

While good security tools can close the gap, implementing and managing complex security tools can be daunting for businesses without dedicated IT security expertise. The businesses need guidance to discover useful solutions and utilise them effectively.

 

6. Difficulty in keeping up with evolving threats_

The cyber threat landscape is constantly evolving, with new attack methods emerging frequently. SMBs may struggle to stay informed and adapt their defences accordingly.

However, staying on top of emerging risks is crucial to putting the right measures in place. This is why designated cyber security resource is key, even for small organisations, to monitor the evolving landscape.

 

Tips for your small business cyber security practices_

The increase in cyber security is reassuring, especially as cyber crime becomes more complicated. If you aren’t on top of your cyber security practices, we’ve put together some top tips to help you optimise yours.

 

1. Cultivate a security-aware culture_

Staff training is crucial to building a security-aware culture, especially as your employees are your first line of defence. Regularly educate all employees about common cyber threats (such as phishing and malware), safe online practices, password security and data handling.

While finding the time for training can be difficult, even short, frequent reminders can be effective.

On top of this, establish and communicate clear cyber security policies (e.g. password requirements, acceptable use of company devices and reporting suspicious activity). Again, this can be time-efficient while still powerful.

 

2. Implement basic technical controls_

Your cyber security doesn’t need to be complex to be effective. Here are some basic controls you should introduce:

  • Strong passwords and multi-factor authentication (MFA): Enforce the use of strong, unique passwords for all accounts and enable MFA wherever possible for an extra layer of security. Many free or low-cost tools can help manage passwords.
  • Keep software updated: Regularly update operating systems, applications and security software (antivirus) on all devices. Enable automatic updates when available. These updates often include critical security patches.
  • Firewall: Ensure a firewall is in place and properly configured on your network to control incoming and outgoing traffic. Most modern operating systems and routers have built-in firewalls.

 

3. Practice data security_

Data security is crucial for deterring criminals and avoiding breaches. Implement a consistent schedule for backing up critical business data. Store backups securely and, ideally, offsite or in the cloud to protect against localised incidents like hardware failure or ransomware. Many affordable cloud backup services exist.

Limit employee access to data and systems based on their roles and responsibilities (known as the principle of least privilege). Not everyone needs access to everything and streamlining access facilitates easy management.

 

4. Know your weaknesses_

Assessing your security posture is crucial to rectifying weaknesses. Many cyber security consultants will offer this at a reasonable cost or even for free. It’s a worthwhile investment, especially if you do not have the resource to conduct a self-assessment.

The outcome of an assessment should be a report of areas to work on. This will help prioritise where to focus your limited resources and strengthen protections.

 

5. Assign responsibility_

Designate at least one person to be responsible for overseeing and implementing cyber security efforts.

If nobody is able to conduct this, consider outsourcing your cyber security management to a managed security service provider (MSSP). Often, you can find cost-effective contracts that fit your budget and requirements.

This ensures accountability, even if it’s a part-time responsibility for an existing employee or left to your MSSP.

 

6. Have a plan for the inevitable_

While the ideal would be to never have an attack, rising risk means it is likely. An incident response plan is crucial to knowing how to respond and recovering quickly.

Even a simple plan outlining what to do if a security incident occurs (e.g. who to contact, steps to take) is crucial for minimising damage. Think about this now, document it as a standard process and remember to regularly review it to ensure all bases are covered.

 

Access practical tips for securing your small business_

As a small business with limited time, budget and expertise, navigating cyber security can seem like a minefield. However, it doesn’t need to be. With the right resources and guidance, things will become much clearer.

In our Get to Secure video series, our cyber security experts explain what your business needs in the simplest terms, giving you a clear path. We explore the fundamentals of your security posture, raise what needs to be considered to get the best results and give you practical tips to implement, backed by tried-and-tested tools.

You can watch the first video below, focusing on the specific cyber security challenges facing SMBs today. Then, sign up for the full series here for more videos covering data protection, AI, assessment advice and beyond.

 
