Cyberattacks are becoming increasingly common. SMEs are under attack, as well as larger companies. But how can they protect themselves? Four experts answer this question, starting below with AJ Thompson, CCO at Northdoor:
The threat from cybercriminals is increasing in regularity and sophistication. No longer just enterprise level organisations under attack, SMEs are now prime targets.
Without better protection, SMEs face attacks with potential to damage infrastructure, finances and reputation.
Recent research reveals cybercriminals constantly attack UK SMEs, with half suffering an attack in the last year.
Two-thirds of those attacked subsequently experienced increased incidents. This pattern is telling – once identified, vulnerable SMEs will be repeatedly targeted, increasing chances of breaches and significant damage.
Indeed, 54% of SMEs have suffered financial loss due to cyberattacks. With today’s acute financial pressures, any additional strain is potentially disastrous.
Research shows ransomware and phishing are the most common attacks on SMEs. Both target employees, often considered the weakest links within companies. This vulnerability has been exacerbated by pandemic-driven changes in working practices. With many employees working remotely, protection levels and concentration are frequently compromised.
Cybercriminals have recognised this, increasing their efforts and sophistication to trick employees into providing access to data and infrastructure.
When lockdown was introduced, SMEs quickly implemented solutions allowing remote work. This successful adaptation overcame business leaders’ technology concerns and boosted confidence in IT solutions.
However, this confidence sometimes became overconfidence, with companies rapidly implementing technology without necessary due diligence regarding integration with existing infrastructure.
Some SMEs applied this approach to security solutions, implementing software addressing only specific problems. Such isolated solutions, implemented without understanding organisational vulnerabilities, leave businesses at significant risk.
With cybercriminals exploiting any weakness, proper security implementation is critical. A single solution is typically insufficient for comprehensive protection and regulatory compliance.
Many SMEs now turn to IT consultancies offering managed security solution ecosystems. This approach enables monitoring and countering multiple threats before business impact occurs.
Managed services also ensure regulatory compliance, particularly regarding consumer data protection.
Most SMEs operate with small IT teams; expert support not only enhances security but frees overstretched internal resources to focus on core business activities.
Cybersecurity threats will only intensify in coming months, with 64% of European business leaders expecting a cybersecurity incident in the next 12 months. SMEs must take these threats seriously and understand the consequences of inadequate protection. Working with security experts provides access to experience, expertise and appropriate solutions needed to counter the growing threat landscape.
Steve Cobb, CISO, SecurityScorecard:
The threat landscape for SMEs is ever evolving, but I see three cybersecurity threats that I believe are critical for SMEs to understand and defend against today.
Zero day vulnerabilities, identity-based threats and supply chain attacks should all be top of mind for cybersecurity practitioners in small businesses.
We are seeing threat actors leverage vulnerabilities against small business-focused products like firewalls and storage arrays, such as Cisco, Western Digital, Ivanti and Qnap, in order to gain initial access to environments and then execute their mission, which is often ransomware.
Solution 1: SMEs need to adopt an effective Vulnerability Management Program that includes monitoring and patching of vulnerabilities. While this suggestion costs no money, it is one of the harder defensive measures to implement because it requires time and expertise, but it is incredibly important.
Phishing is still the most utilised attack method and SMEs are a favourite target for threat actors looking to gather compromised credentials in order to launch identity attacks. These compromised credentials are then used to gain initial access to environments or to launch more identity-based attacks.
Solution 2: SMEs should have multi-factor authentication (MFA) implemented across ALL environments and applications. Additionally, cybersecurity practitioners should be monitoring both successful and unsuccessful authentication attempts to monitor anomalous user behaviour and other suspicious activity.
The most devastating attacks are proving to be based on supply chain risks that are leveraged by threat actors to scale attacks to target an extremely large victim pool, most often including mostly small businesses. These compromised small businesses are then leveraged again to pivot into their customers, which are often large, global organisations.
Solution 3: Small businesses need to increase visibility into their third-party and fourth-party vendors and document their criticality to their own operations as well as to their customers’ operations. This process must occur continuously and SMEs should consider their responses when/if a supply chain attack proves successful.
Small businesses face increasing cyberthreats, but proactive security measures can significantly reduce risk. By prioritising vulnerability management, MFA and supply chain visibility, SMEs can defend against ransomware, identity-based attacks and supply chain compromises without major costs. Attackers seek the easiest targets – by patching vulnerabilities, securing identities and monitoring third-party risks, SMEs can strengthen defences and stay ahead of evolving threats.
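Solution 2 above calls for monitoring both successful and unsuccessful authentication attempts for anomalous behaviour. The following script is an added example illustrating that idea; it is not part of Steve Cobb's commentary or a SecurityScorecard tool. The log format, field names, sample events and thresholds are all constructed for the example; real identity-provider or VPN logs will use their own schema, and the thresholds would be tuned to the organisation's normal traffic.

```python
"""
Anomalous-authentication detector run over constructed sample log lines.

Added example, not from the article. The whitespace-separated log format,
the field names and the thresholds are assumptions; adapt them to the
identity provider or VPN you actually operate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges, fictitious users):
# ISO timestamp, user, source IP, outcome, whether MFA was completed.
SAMPLE_LOG = """\
2024-05-01T08:58:02Z alice 203.0.113.10 SUCCESS mfa=yes
2024-05-01T09:00:01Z bob 198.51.100.7 FAILURE mfa=no
2024-05-01T09:00:04Z bob 198.51.100.7 FAILURE mfa=no
2024-05-01T09:00:07Z bob 198.51.100.7 FAILURE mfa=no
2024-05-01T09:00:10Z bob 198.51.100.7 FAILURE mfa=no
2024-05-01T09:00:13Z bob 198.51.100.7 FAILURE mfa=no
2024-05-01T09:00:19Z bob 198.51.100.7 SUCCESS mfa=no
2024-05-01T09:15:00Z carol 203.0.113.22 SUCCESS mfa=yes
2024-05-01T09:16:00Z carol 192.0.2.44 SUCCESS mfa=yes
2024-05-01T09:40:00Z dave 203.0.113.10 SUCCESS mfa=no
"""

FAILURE_THRESHOLD = 5            # assumed: failures in the window before a success is suspicious
WINDOW = timedelta(minutes=10)   # assumed: sliding window for counting failures


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "success": outcome == "SUCCESS",
            "mfa": mfa == "mfa=yes",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events):
    """Return (rule, user, detail) alerts for three defender-side rules.

    burst_then_success : a success preceded by FAILURE_THRESHOLD+ failures in WINDOW
                         (the signature of a guessing or stuffing attempt that worked)
    success_without_mfa: a successful login where MFA was not completed, i.e. a
                         gap in the "MFA everywhere" control
    new_source_success : a success from an IP never seen for that user in the
                         log so far (a simple baseline-deviation check)
    """
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures inside WINDOW
    known_ips = defaultdict(set)         # user -> source IPs seen on earlier successes

    for e in events:
        user, ts = e["user"], e["ts"]
        # Expire failures that have slid out of the window.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= WINDOW]

        if not e["success"]:
            recent_failures[user].append(ts)
            continue

        if len(recent_failures[user]) >= FAILURE_THRESHOLD:
            alerts.append(("burst_then_success", user,
                           f"{len(recent_failures[user])} failures then success from {e['ip']}"))
        recent_failures[user].clear()

        if not e["mfa"]:
            alerts.append(("success_without_mfa", user, f"login from {e['ip']}"))

        if known_ips[user] and e["ip"] not in known_ips[user]:
            alerts.append(("new_source_success", user,
                           f"{e['ip']} not among {sorted(known_ips[user])}"))
        known_ips[user].add(e["ip"])

    return alerts


def run_demo():
    """Parse the constructed sample and return the alerts it produces."""
    return detect_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run_demo():
        print(f"[{rule}] {user}: {detail}")
```

On the constructed sample the script raises four alerts: bob's success after five rapid failures (and without MFA), carol's success from a second, previously unseen address, and dave's success without MFA. The point of keeping both outcomes in view is that the failures alone show only an attempt, while the success that follows them is the event worth paging on.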
Kern Smith, VP of Global Solutions, Zimperium:
Small- and medium-sized enterprises (SMEs) face increasing cybersecurity threats as cybercriminals target them for their valuable data and often-limited security resources. One of the most significant threats is mobile-targeted phishing, or ‘mishing’, where attackers use SMS and messaging apps to trick employees into revealing sensitive information or installing malware. Ransomware and other forms of mobile malware also pose serious risks, with attackers encrypting data and demanding payment for its release. Plus, vulnerabilities in mobile applications and third-party services create security gaps that hackers can exploit. Unmanaged or compromised devices further increase risk, especially as employees rely on personal mobile devices for work. Zero-day threats remain a growing concern, as attackers continuously seek out and exploit unknown vulnerabilities before security patches are available.
To mitigate these risks, SMEs need a cost-effective yet comprehensive security approach that prioritises mobile protection. Implementing mobile security solutions, such as AI-driven mobile threat defence (MTD), enables businesses to detect and respond to phishing, malware and zero-day attacks in real-time. Given the increasing reliance on mobile devices, SMEs should adopt a mobile security strategy, ensuring that both company-issued and personal devices used for work are protected. Multi-factor authentication (MFA) is another crucial defence, making it harder for attackers to gain unauthorised access even if credentials are stolen.
Employee security awareness training is an affordable yet effective measure to help prevent phishing and social engineering attacks. Staff should be educated on recognising suspicious links, avoiding unverified apps and securing their devices. Regular software updates and patching are also essential to closing security gaps, as unpatched systems remain a top target for cybercriminals. Implementing a zero-trust security model – where access to critical business systems is granted based on user identity, device security posture and behavioural analytics – further reduces exposure to cyberthreats.
For SMEs looking for scalable and budget-friendly security solutions, cloud-based security services offer a practical option. These services provide endpoint detection and response (EDR), secure web gateways and other protective measures without requiring significant infrastructure investments. By leveraging cloud-based security and AI-driven mobile protection, SMEs can enhance their cybersecurity posture while maintaining cost-efficiency.
As cyberthreats continue to evolve, SMEs must take proactive steps to protect their mobile devices, applications and data. A layered security approach that combines mobile security, employee training, authentication controls and cloud-based solutions ensures businesses remain resilient against cyberattacks without exceeding their budgets. Investing in the right mobile security solutions today can prevent costly breaches and disruptions in the future.
Nathan Charles, Head of Customer Experience, OryxAlign:
SMEs are increasingly finding themselves at risk of complex cybersecurity attacks. Their size no longer protects them from risk; in fact, it often makes them more vulnerable.
Sophisticated actors routinely target SMEs as entry points into broader organisations or as high-impact, low-resistance victims in their own right. Artificial Intelligence, now a tool used by both defenders and attackers, enables more convincing and scalable threats.
Nearly half of UK businesses, and 70% of medium-sized firms, reported a cybersecurity breach in the past year. With the average cost of the most disruptive incidents at £1,205, even a minor breach can cause major operational disruption, erode stakeholder trust and lead to lasting reputational damage that far outweighs the initial financial impact for budget-conscious SMEs.
Phishing remains the most common cyberattack, with 84% of UK firms targeted through email, SMS, phone or social media. Unlike past opportunistic malware, today’s AI-driven phishing campaigns are highly coordinated, using automated, personalised messages that blur the line between legitimate and malicious interactions, exploiting human behaviour over technical flaws.
The persistent reliance on social engineering underscores a critical reality: despite advancements in cybersecurity technologies, the human element remains the most exploitable point of failure.
Equally concerning is the rise in impersonation attacks, where malicious actors pose as trusted organisations or executives in order to deceive recipients into transferring funds or disclosing confidential data. This threat thrives on psychological manipulation, brand spoofing and gaps in internal verification protocols. For SMEs, where governance frameworks and approval processes may lack the rigour of larger enterprises, such attacks present severe consequences.
The advent of Generative AI has further escalated this threat landscape. Tools capable of real-time voice cloning, hyper-realistic image fabrication and contextually accurate text generation now empower malicious actors to conduct deception at a scale and authenticity previously unattainable.
Despite the scale of these threats, effective defence doesn’t require enterprise-level budgets. It requires strategic prioritisation. A critical first step is adopting a ‘defence in depth’ strategy. SMEs should layer traditional protections like firewalls, antivirus, encryption and regular patching with more advanced tools. Solutions like Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) provide continuous monitoring across networks, endpoints and cloud environments. These AI-driven platforms detect and isolate threats early, reducing potential damage without the need for large in-house security teams.
Employee awareness is another cost-effective defence. OryxAlign’s simulated phishing tests and tailored cybersecurity training have proven to reduce breach risks by up to 80% over 12 months. By identifying gaps in staff knowledge and delivering ongoing, targeted education through interactive platforms, SMEs can strengthen their ‘human firewall’.
Additionally, SMEs should prioritise data oversight, implementing clear policies around data access and device usage. With remote and hybrid working here to stay, securing endpoints and enforcing multi-factor authentication (MFA) is essential.
In this landscape where cyberthreats are constant and evolving, resilience hinges on a strategic blend of technology, policy and human vigilance, empowering SMEs to safeguard their operations effectively and sustainably.