Cybersecurity for SMEs
Practical cybersecurity guidance for smaller businesses. What actually matters, what's overkill, and where to focus limited resources.
Key Takeaways
1. SMEs are targeted specifically because criminals assume they're less protected
2. Most breaches exploit basic failures: weak passwords, phishing, unpatched systems
3. Cyber Essentials certification provides a solid baseline framework
4. Perfect security doesn't exist - the goal is appropriate protection
5. Most security improvements cost time and attention more than money
Why SMEs are targets
There's a persistent myth that cyber criminals only target large enterprises. The reality is different: SMEs are targeted specifically because attackers assume they have weaker defences.
The numbers support this. According to government statistics, 39% of UK businesses identified a cyber attack in the past 12 months. For medium businesses, that rises to 59%. The average cost of a breach for small businesses is around £4,200 - but that's an average. Ransomware attacks can cost tens of thousands in ransom, recovery, and lost business.
More concerning: many SMEs don't even know they've been breached until weeks or months later. Attackers are patient. They compromise a system, observe how the business operates, and strike when the damage will be maximum.
This isn't meant to scare you. It's meant to make clear that cybersecurity isn't just for large enterprises. It's for every business that relies on computers, which is every business.
Where most breaches start
The good news: most cyber attacks aren't sophisticated. They exploit basic failures that are preventable.
**Phishing Emails**
Still the number one attack vector. An employee clicks a link, enters their credentials on a fake login page, and the attacker now has access. Modern phishing is sophisticated - it's not Nigerian princes anymore. It's emails that look exactly like they're from Microsoft, your bank, or your CEO.
**Weak or Reused Passwords**
Password123 is still common. So is using the same password across multiple services. When a database breach dumps millions of password hashes online, attackers test those credentials against business systems. If your people use their personal email password for work systems, you're exposed.
**Unpatched Systems**
That Windows update you keep postponing? It probably fixes security vulnerabilities that are being actively exploited. Every month, Microsoft releases patches for critical vulnerabilities. The gap between patch release and exploitation is often days.
**Misconfigured Cloud Services**
Cloud doesn't automatically mean secure. Microsoft 365 with default settings isn't properly secured. AWS S3 buckets are regularly found publicly accessible. Configuration matters.
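One way to catch the S3 problem mentioned above before an attacker does is to read the bucket policy and look for statements that grant access to everyone. The script below is an added example for this article, not the author's or Genmar's code; both policies are constructed, and the bucket name `example-sme-files` and account id `111122223333` are placeholders. It shows the weak policy beside a corrected one and a check that flags only the former.

```python
"""Flag bucket-policy statements that grant access to everyone.
Added example for this article, not the author's own code; the two policies
below are constructed, and the bucket name and account id are placeholders."""
import json

# A weak policy: anyone on the internet may read every object (constructed)
PUBLIC_READ_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-sme-files/*"
    }
  ]
}""")

# The corrected policy: only a named role may read, and unencrypted transport is denied
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-server"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-sme-files/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-sme-files", "arn:aws:s3:::example-sme-files/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True for "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy: dict) -> list:
    """Return the Allow statements whose principal is everyone. Deny statements
    with a wildcard principal are normal hardening and are not reported."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            # A Condition narrows the grant; it still deserves review, so record it
            "conditioned": "Condition" in st,
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "->", find_public_grants(policy) or "no public grants")
```

The check only reads the policy document, so it can run on an export of every bucket policy you hold without touching production. It is a complement to, not a substitute for, the provider's own guard rails such as S3 Block Public Access, which stop a policy like `PublicRead` from taking effect in the first place.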
**Lack of Multi-Factor Authentication**
If a password is all that protects your email, your files, your business - you're one successful phishing attack away from compromise. MFA isn't optional anymore.
The cybersecurity baseline
If you do nothing else, do these things. They prevent the majority of attacks and cost relatively little.
**1. Multi-Factor Authentication Everywhere**
Every system that supports MFA should have it enabled. Email, cloud services, accounting software, banking - everything. Yes, it's slightly less convenient. The alternative is breach.
**2. Regular Patching**
Operating systems, applications, firmware. Updates shouldn't wait weeks. Automate where possible, have a process where not.
**3. Decent Email Security**
Built-in email filtering isn't enough. You need proper filtering for phishing, malware, and impersonation attacks. Microsoft Defender for Office 365, Mimecast, Proofpoint - there are options.
**4. Backup That Actually Works**
Regular backups, stored separately from your main systems, tested regularly. When ransomware encrypts everything, backup is your recovery option. But only if the backup isn't also encrypted because it was connected to the infected network.
**5. Staff Awareness**
Your people are your first line of defence and your biggest vulnerability. Regular, relevant training on recognising threats. Not annual compliance exercises, but ongoing awareness.
**6. Endpoint Protection**
Modern endpoint protection (not just antivirus) that can detect and respond to threats. Windows Defender is better than nothing but isn't enterprise-grade.
These six things stop most attacks. They're not expensive. They're not complicated. They're just essential.
Cyber Essentials: A practical framework
Cyber Essentials is a UK government-backed certification scheme. It provides a framework of five technical controls that, implemented correctly, protect against the most common attacks.
**The Five Controls:**
1. **Firewalls** - Properly configured boundary protection
2. **Secure Configuration** - Systems set up securely, default passwords changed
3. **User Access Control** - Appropriate permissions, admin accounts limited
4. **Malware Protection** - Endpoint protection against malicious software
5. **Security Update Management** - Regular patching process
**Why It Matters:**
Beyond the protection it provides, Cyber Essentials is increasingly a business requirement. Government contracts above certain values require it. Supply chains increasingly mandate it. Clients conducting due diligence look for it.
**Cyber Essentials vs Cyber Essentials Plus:**
Basic Cyber Essentials is a self-assessment questionnaire verified by a certification body. It confirms you have the controls in place but doesn't test them.
Cyber Essentials Plus adds technical verification - an assessor actually tests your systems to confirm the controls work.
We recommend at minimum Cyber Essentials for every business, and Plus for those handling particularly sensitive data or meeting supply chain requirements.
Beyond the basics
Once you have the basics covered, there's a second tier of controls that provide additional protection.
**Network Segmentation**
Not everything should be able to talk to everything. If your reception PC gets compromised, can it reach your accounts system? Your file server? Network segmentation limits how far an attacker can move if they get initial access.
**Security Information and Event Management (SIEM)**
Aggregating logs from across your systems to detect suspicious patterns. When someone logs in from an unusual location, when data starts leaving your network unexpectedly, when accounts are accessed at unusual times - SIEM can alert you.
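To make the SIEM idea concrete, here is a small detector that applies the three patterns named above (unusual location, unusual time, and a burst of failed logins) to sign-in records. It is an added example for this article, not the author's or Genmar's code, and not any particular SIEM product's rule language. The log format, the business hours and the single expected country are assumptions, and the log lines are constructed. It also checks for two successful logins from different countries within an hour of each other, a second form of "unusual location" that a SIEM rule set would normally include.

```python
"""Minimal sign-in anomaly detector of the kind a SIEM rule set automates.
Added example for this article, not the author's own code; the log format,
business hours and expected country are assumptions, and the log lines are
constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp,user,country,result
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,GB,success
2024-03-04T09:40:00,bob,GB,success
2024-03-04T13:05:00,alice,GB,success
2024-03-04T17:50:00,carol,GB,success
2024-03-05T02:17:00,bob,GB,success
2024-03-05T09:58:00,alice,GB,failure
2024-03-05T09:58:20,alice,GB,failure
2024-03-05T09:58:40,alice,GB,failure
2024-03-05T10:02:00,bob,RU,success
2024-03-05T10:30:00,bob,GB,success
"""

BUSINESS_HOURS = range(8, 19)   # assumption: staff sign in between 08:00 and 18:59
EXPECTED_COUNTRIES = {"GB"}     # assumption: a UK-only workforce


def parse_log(text):
    """Turn the CSV-style log into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events, expected_countries=EXPECTED_COUNTRIES,
                     hours=BUSINESS_HOURS, fail_threshold=3,
                     travel_window=timedelta(hours=1)):
    """Return (rule, user, timestamp) alerts for: a successful login from an
    unexpected country, a successful login outside business hours, a run of
    failed logins, and two successes from different countries too close together."""
    alerts = []
    failures = Counter()
    last_success = {}  # user -> (timestamp, country) of the previous successful login
    for e in events:
        user, ts, country = e["user"], e["ts"], e["country"]
        if e["result"] != "success":
            failures[user] += 1
            # Alert once, when the user crosses the failure threshold
            if failures[user] == fail_threshold:
                alerts.append(("repeated_failures", user, ts.isoformat()))
            continue
        if country not in expected_countries:
            alerts.append(("unusual_country", user, ts.isoformat()))
        if ts.hour not in hours:
            alerts.append(("out_of_hours", user, ts.isoformat()))
        prev = last_success.get(user)
        # Two successful logins from different countries within the travel window
        if prev is not None and prev[1] != country and ts - prev[0] <= travel_window:
            alerts.append(("impossible_travel", user, ts.isoformat()))
        last_success[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for rule, user, when in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when} {user}: {rule}")
```

On the constructed log this raises four alerts: bob's 02:17 login is out of hours, alice trips the failed-login threshold, bob's login from RU is an unusual country, and his GB login 28 minutes later is impossible travel. A real SIEM adds the parts this leaves out, above all the collection of logs from every system into one place and someone to act on the alerts, which is the point of the SOC section below.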
**Vulnerability Scanning**
Regular automated scanning of your systems to identify security weaknesses before attackers do. Missing patches, misconfigurations, outdated software.
**Penetration Testing**
Hiring ethical hackers to attempt to breach your systems. More intensive than vulnerability scanning - it tests whether weaknesses can actually be exploited. Annual penetration testing is standard for businesses handling sensitive data.
**Security Operations Centre (SOC)**
24/7 monitoring and response. When a threat is detected, someone is there to investigate and respond, not discover it Monday morning. For many SMEs, this is provided as a managed service rather than built in-house.
Not every business needs all of these. The right level depends on your risk profile, regulatory requirements, and what you're protecting.
Incident response: When things go wrong
Even good security isn't perfect security. Things go wrong. The question is whether you've prepared.
**Do You Have a Plan?**
If ransomware encrypted your systems tomorrow, what would you do? Who would you call? What decisions need making? Having a documented incident response plan - even a simple one - dramatically improves outcomes.
**Key Elements:**
- **Detection** - How will you know something is wrong?
- **Containment** - How do you stop it spreading?
- **Communication** - Who needs to know internally and externally?
- **Recovery** - How do you get back to normal?
- **Learning** - What do you do differently next time?
**Recovery Capability**
Your backup matters most when you need it. Can you actually restore from backup? How long would it take? What's the gap between backup and breach? Test your recovery, don't just assume it works.
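The backup advice in the baseline section (stored separately, tested regularly) and the recovery questions above come down to one test: restore the backup somewhere else and check that what comes back matches what went in. The script below is an added example for this article, not the author's or Genmar's code. It backs up a directory of constructed sample files to a compressed archive, restores it to a scratch location, compares SHA-256 hashes of every file, and then shows how the same check reports a backup that has gone stale because the data changed after it was taken.

```python
"""Backup restore test: back up a directory, restore it somewhere separate and
compare file hashes, so the backup is proven to work rather than assumed to.
Added example for this article, not the author's own code; the sample files
are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(src: Path, archive: Path) -> None:
    """Write a compressed tar archive of src."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing unsafe paths where Python supports it."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):   # Python 3.12+ and the backports to 3.8-3.11
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(src: Path, archive: Path) -> dict:
    """Restore into a scratch directory and report files missing or differing from src."""
    expected = hash_tree(src)
    with tempfile.TemporaryDirectory() as scratch:
        restore_backup(archive, Path(scratch))
        actual = hash_tree(Path(scratch))
    missing = sorted(set(expected) - set(actual))
    changed = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not changed, "missing": missing,
            "changed": changed, "files": len(expected)}


def demo() -> tuple:
    """Back up constructed sample data, verify the restore, then show how a
    stale backup (source changed after the backup was taken) is reported."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2024-03-01,120.00\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = work / "backup.tar.gz"

        create_backup(src, archive)
        fresh = verify_restore(src, archive)

        # Work continues after the backup; the archive no longer matches the live data
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2024-03-01,120.00\n2024-03-02,80.00\n")
        stale = verify_restore(src, archive)
    return fresh, stale


if __name__ == "__main__":
    fresh, stale = demo()
    print("fresh backup ok:", fresh["ok"], "files:", fresh["files"])
    print("stale backup ok:", stale["ok"], "changed:", stale["changed"])
```

The "changed" list in the stale case is exactly the gap between backup and breach that the question above asks about: the files you would lose, or have to reconstruct, if you restored that archive today. Run the restore on a machine that is not the one being backed up; a restore test that only ever succeeds on the original host tells you little about recovering after that host has been encrypted.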
**External Support**
Do you know who to call? Having a relationship with an IT partner who can assist in an incident is valuable. Three in the morning during a ransomware attack is not the time to start Googling.
Common mistakes
**Treating Security as a Project**
Security isn't something you do once and finish. It's ongoing. Threats evolve, systems change, people join and leave. Treat security as a continuous process, not a one-time exercise.
**All Technology, No People**
You can have excellent technical controls and still get breached because someone clicked a link. People are part of security, not separate from it.
**Security Theatre**
Impressive-sounding security that doesn't actually protect anything. Policies nobody follows, tools nobody monitors, training nobody remembers.
**Ignoring the Cloud**
"It's in the cloud so it's secure" is dangerously wrong. Cloud providers secure their infrastructure, not your data and configuration. Microsoft doesn't protect your Microsoft 365 tenant from your misconfiguration.
**Assuming You're Not a Target**
"We're too small" or "we don't have anything worth stealing" are common and wrong. You have money. You have customer data. You have systems that can be ransomed. You're a target.
Working with Genmar
We help SMEs across Hertfordshire and Essex implement practical cybersecurity. Not enterprise-grade solutions inappropriate for smaller businesses, but right-sized protection that actually gets implemented.
Our approach:
- **Assessment** - Understanding your current position and real risks
- **Prioritisation** - Focusing limited resources where they matter most
- **Implementation** - Actually putting controls in place, not just recommending them
- **Certification** - Guiding you through Cyber Essentials if required
- **Ongoing management** - Keeping security current as threats evolve
- **Incident support** - Being there when something goes wrong
If you're concerned about security but not sure where to start, or you know you have gaps but aren't sure how to address them, let's have a conversation about what practical cybersecurity looks like for your business.