contents
Cyber Security for SMEs: What the Latest Numbers Really Tell Us
The government’s latest Cyber Security Breaches Survey found that 43% of UK businesses identified a cyber breach or attack in the past 12 months. That works out at roughly 612,000 organisations.
If you run an SME, it’s tempting to read that and assume the attacks are landing on big corporates with household names. They aren’t. Nearly half of small businesses reported a breach or attack, and the attacks aimed at smaller organisations are rarely sophisticated. Most start with something as simple as a convincing email and one click from a busy employee.
The Threats Aren’t Clever. They’re Consistent.
Phishing remains by far the most common attack, experienced by 38% of businesses last year. Among organisations that suffered a breach, phishing was involved in the overwhelming majority of cases. Ransomware grabs the headlines because the damage is severe, but the front door for most incidents is still the inbox.
What’s changed is the quality of the bait. AI tools have made phishing emails easier to produce and much harder to spot. The days of dodgy spelling and obviously fake addresses are behind us. Attackers can now generate polished, personalised messages at scale, and the government’s own figures show the cost is rising: the proportion of businesses reporting lost revenue from an attack more than doubled year on year.
The Gap Between Knowing and Doing
Here’s the part of the survey we find most frustrating. Awareness isn’t the problem. Most business leaders know cyber attacks can disrupt operations and damage trust. The problem is what’s actually in place:
- Only 25% of businesses have a formal incident response plan.
- Fewer than half use two-factor authentication.
- Just 5% hold Cyber Essentials certification, despite it being the government-backed baseline designed to stop the common, opportunistic attacks SMEs face most.
That last figure matters to us because we’re a Cyber Essentials certification body ourselves. We see first-hand that the businesses who get certified aren’t doing anything exotic. They’re putting five sensible technical controls in place, and those controls block the vast majority of the basic attacks doing the rounds.
Your People Are Your First Line of Defence
Technology does a lot of the heavy lifting, but culture decides whether it holds. When your team feels confident spotting a suspicious link, questioning an unusual payment request, or reporting something that doesn’t feel right, you’ve built a defence no single product can replicate.
That confidence doesn’t come from a once-a-year slideshow. It comes from consistent, practical awareness training and an environment where reporting a near miss is welcomed rather than punished. Small habits, repeated across a whole team, protect a business in powerful ways.
Where to Start (Without Buying Anything New)
If you’re on Microsoft 365 Business Premium, there’s a good chance you already own more security capability than you’re using. Defender, Intune, Conditional Access and multi-factor authentication are all sitting inside the licence most SMEs already pay for. Properly configured, they cover a remarkable amount of ground. So before adding another tool to the pile, our advice is simple:
- Turn on multi-factor authentication everywhere. It’s the single highest-value control you can enable today.
- Get the basics assessed against Cyber Essentials. Even if you don’t certify immediately, the five controls are a practical checklist.
- Make sure someone owns it. Whether that’s internal or a partner, security fails fastest when it’s nobody’s job.
- Train your people, little and often.
- Write down what you’d do if it went wrong. A one-page incident plan beats improvising at 2am.
How We Help
At bzb IT we build a complete blueprint around cyber security, from deploying and managing the security tools inside your Microsoft licences, through continuous monitoring, to employee awareness training. And because we’re both an IT provider and a Cyber Essentials certification body, we can get your environment to the standard and carry out the assessment, all under one roof.
Source: Cyber Security Breaches Survey 2025/2026, Department for Science, Innovation and Technology and the Home Office, April 2026.
Contact our team
Consider this the shameless plug: if the numbers above made you wonder where your own business stands, that’s exactly the conversation we’re here for.
