Small UK businesses’ cybersecurity review

How can small UK businesses face the rising tide of cyberthreat?
13 December 2022

Cybersecurity is increasingly vital for small UK businesses.


Small UK businesses account for 99% of the country's business population. In 2022 there were 5.5 million small UK businesses in legal operation, of which 1.4 million had staff and 4.1 million were sole traders. And in 2022, a full 50% of those businesses suffered at least one cyberattack.

One especially effective cyberattack is all it takes to cripple or bankrupt many small UK businesses.

There are good reasons why SMBs (small and medium-sized businesses) are so relentlessly targeted. They frequently don't have the budget for the security tooling, or the dedicated staff, that enterprise-level businesses deploy, and so are regarded as "low-hanging fruit" by scammers, hackers, and data-hijackers: the payout per victim is smaller, but the effort per victim is smaller still.

The paths to protection

There are two main ways in which businesses can protect themselves from cyberattack, and a third that amounts to not protecting themselves at all.


The internal option

The first way is the internal route: the business has enough time, money and people to set up its own team dedicated to monitoring activity on, for instance, the company's web and email servers, training the rest of the staff to recognize phishing and spam, and running whatever threat detection and mitigation software the business has bought.

This is, unsurprisingly, a strategy most pursued by enterprise-level businesses, which can afford to take cybersecurity as seriously as it needs to be taken, while keeping the process and reporting internal.


The external option

The external option is often more useful to SMBs, which lack the resources enterprises have to handle their security internally. Using MSPs (managed service providers, or MSSPs where the provider specializes in security) to deliver the necessary cybersecurity functions is how many SMBs have found at least some armor against the many threats that try to compromise them.

Just as a small business might hand its courier needs to a carrier like FedEx and its internet connectivity to an ISP, it can contract with a cybersecurity MSP: for a regular fee, the provider takes on day-to-day security and the business can focus on what it's best at, delivering its products or services. The contract should spell out what the provider actually monitors and responds to, and how quickly, because responsibility for the business's data stays with the business.

While no system is guaranteed to be perfect, cybersecurity MSPs are a growing market because of their relative convenience, and because in the absence of enterprise-level resources, they not only allow SMBs to feel significantly more protected, but also allow them to check a box on a cyberinsurance form to attest that they’re taking cybersecurity as seriously as their resources allow.

The third option, of course, is to do nothing about cybersecurity, reasoning that small businesses aren't a big enough payday for attackers and that everything will probably be fine. This is also known as the "walking naked in a thunderstorm and hoping not to get wet" strategy, because it's characterized by magical thinking, ignores verifiable fact and past experience, and is nobody's fault but your own when you come home soaked to the bone and die of hypothermia on the rug. That said, it's often where sole traders end up, because the size of their operation leaves no budget for anything else.

The main cybersecurity threats for small UK businesses

So, what are the main threats that small UK businesses need to look out for?

Traditionally, there are five main issues, and their profiles occasionally blur and overlap.


Malware

Malware is any malicious code that runs on your computer or your systems. Three classic subdivisions are the Trojan horse, the virus, and the worm.

To put it simply: a Trojan horse is malware disguised as, or hidden inside, a legitimate-looking application or download, and does its damage once you run it; a virus attaches itself to other files or programs and spreads when those are opened or executed, whether they arrived as a download or from a booby-trapped website; and a worm spreads by itself across a network, exploiting weaknesses in reachable machines without anyone needing to click anything.

If an email or a pop-up asks you to "Click here" to open an attachment or visit a website, especially from a source you don't recognize, treat it as hostile until proven otherwise: the link or attachment is the usual delivery vehicle, and the malware runs the moment you open it. Double-check, and don't automatically trust those links.

Malware delivery has become more sophisticated, too. In 2022 Microsoft began blocking VBA macros by default in Office files downloaded from the internet, because attackers were hiding malicious code in those tiny automated programs. Attackers responded by moving to other containers: ZIP archives, which are often used legitimately to email large files, are rising in popularity as a way of carrying executables or macro-laden documents past email filters, sometimes password-protected so that the filter cannot look inside at all.
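The following script is an added example, not code from the original article or from any product it mentions: a small attachment triage routine of the kind a mail gateway or a cautious finance team could run over incoming ZIP files. It opens the archive in memory and flags the delivery tricks described above: executables inside the ZIP, double extensions such as Invoice.pdf.exe, password-protected entries that a scanner cannot read, nested archives, and Office documents carrying a VBA macro project (modern Office files are themselves ZIPs, and a macro project lives in a vbaProject.bin part). The extension lists and the sample attachment are constructed for the example.

```python
import io
import zipfile
from typing import List

# Constructed, deliberately short lists for the example; a real gateway uses fuller ones.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
                  ".wsf", ".hta", ".cmd", ".bat", ".ps1", ".lnk", ".iso", ".img", ".msi"}
OOXML_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppam", ".docx", ".xlsx", ".pptx"}
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
DOCUMENT_LOOKING = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXT = {".zip"}


def has_vba_project(data: bytes) -> bool:
    """OOXML Office files are ZIPs; a macro project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def triage_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> List[str]:
    """Return human-readable findings for a ZIP attachment; an empty list means nothing was flagged."""
    if depth > max_depth:
        return [f"archive nested more than {max_depth} levels deep (possible filter evasion)"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP file"]
    findings: List[str] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            # Bit 0 of the general-purpose flags marks an encrypted entry: nothing can scan it.
            if info.flag_bits & 0x1:
                findings.append(f"{name}: password-protected entry, contents cannot be scanned")
                continue
            if ext in EXECUTABLE_EXT:
                findings.append(f"{name}: executable content ({ext})")
                # Invoice.pdf.exe: the real extension hides behind a document-looking one.
                if len(parts) > 2 and parts[-2] in DOCUMENT_LOOKING:
                    findings.append(f"{name}: double extension disguised as .{parts[-2]}")
            elif ext in OOXML_EXT:
                if has_vba_project(archive.read(info)):
                    findings.append(f"{name}: Office document with a VBA macro project")
            elif ext in LEGACY_OFFICE_EXT:
                findings.append(f"{name}: legacy binary Office format (macro-capable, not inspected here)")
            elif ext in ARCHIVE_EXT:
                for inner in triage_zip(archive.read(info), depth + 1, max_depth):
                    findings.append(f"{name}/{inner}")
    return findings


def should_quarantine(data: bytes) -> bool:
    return bool(triage_zip(data))


def _zip_of(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry_name, content in entries:
            z.writestr(entry_name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed hostile attachment (not a real sample): a macro doc plus a nested ZIP with a fake PDF."""
    macro_doc = _zip_of([("[Content_Types].xml", "<Types/>"),
                         ("word/document.xml", "<w:document/>"),
                         ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)])
    inner = _zip_of([("Invoice.pdf.exe", b"MZ" + b"\x00" * 32)])
    return _zip_of([("README.txt", "Please see attached."),
                    ("Q4_report.docm", macro_doc),
                    ("attachments.zip", inner)])


def build_clean_attachment() -> bytes:
    """Constructed benign attachment: a text note and a macro-free .docx."""
    plain_doc = _zip_of([("[Content_Types].xml", "<Types/>"), ("word/document.xml", "<w:document/>")])
    return _zip_of([("notes.txt", "Minutes of the meeting."), ("figures.docx", plain_doc)])


if __name__ == "__main__":
    for line in triage_zip(build_sample_attachment()):
        print("FLAG:", line)
```

Run it as-is and it prints one FLAG line per finding for the constructed attachment; feed triage_zip the raw bytes of a real attachment to use it for triage. It is a filter, not a verdict: a clean result only means none of these specific tricks was present.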


Viruses

Viruses are a form of malware, but they're so prevalent that they earn their own classification. A virus will often have a specific function, whether that's to wipe data, to send data back to the attacker, or otherwise to incapacitate a system. Like other malware, viruses can be introduced to a system in any number of ways: a clicked link, a downloaded and opened file, a visited webpage. Affordable consumer antivirus software shouldn't break the bank of most UK small businesses, but it works best alongside a thorough awareness of cybersecurity, and of how not to let viruses past your personal defenses in the first place.


Ransomware

Ransomware is "the big threat" as far as enterprise-sized businesses are concerned, but there's every indication that it's being used against SMBs more and more often. It is a form of malware that encrypts business-critical parts of your systems or data so you're locked out, and increasingly also copies that data out first, so the attacker can hold it to ransom twice: once for the decryption key, and once for not publishing it.

You only get the data back if you pay, and the price is often business-crushingly high. What's more, there is no guarantee that paying gets your data or your access back, or that the attackers delete their copy; they can double their payday by selling your confidential data to the highest bidder anyway. Tested, offline backups are the one thing that takes the decision out of the attacker's hands.

While this has traditionally been more of an enterprise problem, because of the potential for a quick, hefty payout, recent analysis by threat experts claims that from 2023 onward, ransomware attackers will be focusing much more on SMBs, for a smaller – but proportionately just as devastating – payout, repeated more times against more businesses.

Ransomware can put you out of business in an afternoon, so the fact that there’s likely to be more of it aimed at UK small businesses in 2023 is worth considering in whatever cybersecurity budget you have.


Phishing

Phishing is the practice of sending emails, text messages or social media messages that look entirely legitimate, designed to make you hand over login details, account details, or other information that can be used to compromise a system, or to get you to open a malicious link or attachment. The classic example is the email claiming there's been a problem with an invoice and asking you to "resend" payment details. If you send account details to a phisher, it's unlikely there'll be anything left in the account by the time you call your bank.

An outgrowth of phishing is the even more insidious "Business Email Compromise" (BEC). Here the attackers do their homework, usually on social media (LinkedIn in particular), to learn your organization's structure and business relationships, then send emails or texts from spoofed or lookalike accounts pretending to be someone senior in the business or an external supplier. Armed with harvested details and the social engineering of urgency or crisis, they put you on the spot so that you're more receptive to paying a fake invoice, changing a supplier's bank details, or handing over business-critical data. Telltale signs are a display name you recognize attached to an address you don't, a Reply-To that differs from the sender, authentication checks (SPF, DKIM, DMARC) that fail, and pressure to act immediately and quietly.

Like ransomware, business email compromise is forecast to be on the rise among UK small businesses in 2023.
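As an added example (not code from the original article), here is how the BEC telltales described above can be turned into an automated check on an incoming message using Python's standard email parser. It assumes a hypothetical company domain, example.co.uk, and a hypothetical list of senior staff whose names are worth impersonating; the two sample messages are constructed for the example, not real captured phishing.

```python
import difflib
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

# Assumed values for the example: the business's own domain and the people attackers would impersonate.
COMPANY_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane smith", "tom brown"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential",
                 "wire", "bank details", "change of account", "gift card")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str) -> bool:
    """Domains that resemble, or embed, our own domain but are not it (examp1e.co.uk, example.co.uk.evil.net)."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    if COMPANY_DOMAIN in domain:
        return True
    return difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() > 0.8


def body_text(msg: Message) -> str:
    """Plain-text content of a message, walking multipart bodies."""
    if msg.is_multipart():
        return " ".join(body_text(p) for p in msg.get_payload()
                        if p.is_multipart() or p.get_content_type() == "text/plain")
    payload = msg.get_payload(decode=True)
    return payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""


def bec_indicators(raw: str) -> List[str]:
    """Return the list of BEC warning signs found in a raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    reasons: List[str] = []

    # 1. A familiar senior name on an address that is not ours.
    if from_name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{from_name}' impersonates staff but address is @{from_domain}")
    # 2. Sender or Reply-To on a lookalike of our own domain.
    for label, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        if is_lookalike(dom):
            reasons.append(f"{label} domain {dom} resembles {COMPANY_DOMAIN}")
    # 3. Replies silently redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To @{reply_domain} differs from From @{from_domain}")
    # 4. The receiving mail server's own authentication verdicts.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            reasons.append(f"{check.upper()} check failed")
    # 5. Pressure and payment language; two or more hits counts.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("urgency/payment language: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real captured mail).
SUSPICIOUS_MESSAGE = """From: Jane Smith <jane.smith@gmail.com>
Reply-To: accounts@examp1e.co.uk
To: finance@example.co.uk
Subject: Urgent: supplier bank details change
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=gmail.com; dkim=none

Hi, I'm in a meeting and need this done today. Our supplier has changed their
bank details - please process the wire immediately and keep it confidential.
Jane
"""

LEGITIMATE_MESSAGE = """From: Jane Smith <jane.smith@example.co.uk>
To: finance@example.co.uk
Subject: Q4 figures
Authentication-Results: mx.example.co.uk; spf=pass; dkim=pass

Attached are the figures for the board pack, no rush.
Jane
"""

if __name__ == "__main__":
    for reason in bec_indicators(SUSPICIOUS_MESSAGE):
        print("WARN:", reason)
```

The check deliberately reports reasons rather than a single verdict, so a person can see why a message was held; the Authentication-Results header is only trustworthy when it was written by your own mail server, so strip any copy that arrives from outside before relying on it.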

Password hacking

Password hacking is one of the oldest tricks in the book – after all, passwords exist to protect systems from everyone but the password owner, so getting the password allows hackers to pretend to be you, and to stroll past all your safeguards with an airy wave and an “Open sesame.”

Password hacks affect businesses of every size: InterContinental Hotels Group (IHG), owner of the Holiday Inn chain, suffered an attack in 2022 that reportedly succeeded because a key internal password was ridiculously weak. But 59% of people use a single password for everything they protect. That's more or less a welcome mat for attackers: one password leaked from any website unlocks every other account that shares it, and being one of the 59% puts your whole business on the line every day you re-use passwords.

What to do to improve your cybersecurity as a small UK business

Whether you’re handling your small business cybersecurity in-house, or using an MSP to administer your system’s security from cyberthreats, there are things you can do to render your business less likely to become a victim.

  1. Have a cybersecurity strategy

This means knowing what the threats look like and how to avoid their traps: not clicking suspect links; hovering over a link before clicking to see where it really goes; expanding the sender field to see the actual email address rather than the display name; not giving in to emails that pressure you to act now; and checking independently whether there really is an issue (for example by phoning the supposed vendor on a number you already hold, not one in the email). It also means sharing the strategy with every member of staff, and passing on the lesson that a moment's reflection when faced with a possible cyberthreat can save the company from being compromised.

  2. Use a reputable antivirus program

There are lots of antivirus packages out there, including the Microsoft Defender that comes built into Windows and paid suites such as Norton and McAfee. Paying for enough licenses to cover every internet-connected device in the company (PCs, laptops, smartphones, tablets), and keeping both the antivirus and the operating systems underneath it up to date, closes as many doors against malware as possible.

  3. Use a reputable password manager

These tools keep your passwords in an encrypted vault, generate a different, long, random password for every site, and get around the fact that such passwords are impossible to memorize by holding them all behind one master password, which must itself be strong but is the one password you do have to remember. Length matters more than a mix of character types: the UK's National Cyber Security Centre suggests three random words for passwords you must remember, and letting the manager generate long random strings (12 characters or more is a sensible floor) for everything else. The point is that no two accounts share a password, so one breached website doesn't hand an attacker the keys to all the others. Using a reputable password manager like Dashlane or LastPass helps you avoid password hacking.

  4. Use an MFA vendor to double-down on security

Multi-factor authentication (MFA) means that a password alone is not enough to log in: you also need a second factor, usually a one-time code from an authenticator app on your phone or a hardware security key, or, as the weakest option (SIM-swap fraud and message interception exist), a code texted to you. Even the weakest form makes a guessed or stolen password far less useful, because the attacker cannot present the second factor. Most cloud services include MFA at no extra cost; an MFA vendor can help you roll it out consistently across your systems and staff.

  5. Spend money on an easy-to-use, effective VPN

In the year after the end of domestic UK lockdowns, hybrid working saw lots of people work from public venues like coffee shops, and attacks on remote workers rose as a result: people were connecting to company systems over public wi-fi, which is easy for anyone else on the same network to eavesdrop on or impersonate. Using a reputable Virtual Private Network (VPN) whenever anyone works remotely wraps that traffic in an encrypted tunnel back to the company (or to the VPN provider), so the coffee shop's network sees nothing useful. It does not stop phishing, and a VPN provider becomes one more party you have to trust, so choose one carefully and keep MFA on everything behind it.

  6. Operate a clean desk policy

This is not as neurotic as it sounds; you're not about to spend your day dusting. It means locking your computer every time you step away from it, and not leaving USB sticks or drives lying around. Lock them in your drawer (and take the key) when you leave the keyboard, so you're not dangling temptation in front of anyone who might otherwise get at your data; that helps minimize the threat of insider compromise. The same is true of hard-copy data: lock reports away when you leave your desk.


Cyberinsurance

Cyberinsurance has traditionally been tough to get, and has depended on small businesses demonstrating that they were doing a lot to tackle their cyberthreat liability. That looks like getting tougher still from 2023: the rising threat level for SMBs and the difficult economic outlook are pushing insurers to raise premiums and, in some cases, to exclude ransomware from policies, just when small UK businesses need that protection more than ever.

Nevertheless, cyberinsurance is a necessary cost of doing business for SMBs, because the consequences of a major data breach (regulatory fines under UK GDPR, notification and recovery costs, and lost customers) can be at least as crippling as the breach itself.