Month: June 2026

Small to Medium Businesses – Scammed or Hacked?

This is something that I’ve alluded to in the past, in other articles and blogs.  What is the likelihood of an SME suffering and Scam as opposed to a more technical hack.  There is a lot of evidence to suggest that, for most SMEs, the probability of suffering a scam/social engineering attack is significantly higher than experiencing a sophisticated technical hacking attack.

A useful rule of thumb from cyber insurance claims, law enforcement reporting, and incident response firms is:

  • 70–90% of financially damaging incidents affecting SMEs involve people being manipulated (phishing, invoice fraud, CEO fraud, business email compromise, fake suppliers, fake tech support, payment diversion, etc.).
  • 10–30% involve primarily technical exploitation (ransomware through unpatched systems, web application attacks, malware exploiting vulnerabilities, credential stuffing, etc.). 

But you can argue that ransomware is often a hybrid of the two, starting often with phishing for credentials, obtaining a login, and then inserting malware.

The exact percentages vary by industry and geography, but the pattern is remarkably consistent.

Why scams are more common

  1. Humans are easier to compromise than systems

A criminal can send 10,000 phishing emails in minutes at almost no cost.

Convincing one employee to:

  • Click a link
  • Approve a payment
  • Share credentials
  • Change bank account details

is often easier than discovering and exploiting a software vulnerability.

  •  SMEs usually have weaker business processes than technology

Many SMEs now use cloud services from companies like Microsoft⁠, Google Workspace⁠, and  Amazon Web Services⁠, which has improved their security.

However, they often lack:

  • Payment verification procedures
  • Supplier validation processes
  • Security awareness training
  • Segregation of financial duties
  • Generally inadequate security policies

      Criminals exploit these business-process weaknesses.

  • Criminals follow the money

A fake invoice scam may generate £20,000–£100,000 with little technical effort, whereas a sophisticated network intrusion might require:

  • Research
  • Malware development
  • Vulnerability exploitation
  • Persistence mechanisms

From an attacker’s perspective, scams often provide a better return on      investment.

  • Business Email Compromise (BEC) is extremely effective

One of the largest causes of SME losses is BEC:

  • Attacker gains access to an email account (often through phishing)
  • Watches conversations
  • Sends realistic payment instructions
  • Diverts funds

Technically, the breach may be simple, but the financial loss comes from deception rather than hacking.

Why technical attacks still matter

Technical attacks tend to receive more media attention because they can be highly disruptive.

Some examples are:

  • Ransomware
  • Server compromise
  • Website defacement
  • Data theft
  • Supply-chain attacks

Although less frequent than scams, a successful technical attack can have larger operational consequences:

  • Business downtime
  • Regulatory penalties
  • Customer notification costs
  • Recovery expenses

What an SME should prioritise

Most, if not all SMEs, will have a limited security budget, and therefore they need to identify the highest-return controls to mitigate their risk. These can include:

  • Multi-factor authentication (MFA) on all email and cloud accounts.
  • Staff training on phishing and payment fraud.
  • Verification procedures for bank account changes and large payments.
  • Strong backups and ransomware recovery testing.
  • Endpoint protection and automatic patching.
  • Monitoring for suspicious login activity.

These measures reduce both scam risk and many technical attack paths.  It’s aways worth remembering that scammers and hacker alike will take the path of least resistance.  The more difficult you make it for them, the more likely they are to look elsewhere.

A practical estimate

For a typical 20–250 person SME and for illustrative purposes, the distribution of financially damaging incidents based on common industry observations is 80 to 20 in favour of scams.

This is not a universal statistic, but it reflects what many cyber insurers, incident responders, and fraud investigators observe in practice, that is that SMEs are generally more likely to lose money because someone was tricked than because a hacker defeated sophisticated technical defences. The most damaging incidents often combine both, such as a phishing email that steals credentials and then enables fraud or ransomware.

Cyber Essentials – How has it changed?

I think these days, pretty much everyone is aware of the UK government-backed Cyber Essentials scheme and those who have undertaken certification or are considering it, will, in the last 12 months, have been subject to the introduction of the “Willow” question set (v3.2), which became the standard for certifications from 28 April 2025. It didn’t fundamentally change the five Cyber Essentials controls, but it did make several requirements more explicit and raised expectations around asset management, authentication, remote working, and vulnerability remediation. 

For most organisations, the Willow update was not a complete overhaul. The real shift is that Cyber Essentials is becoming:

  • More focused on asset visibility
  • More aligned with modern cloud environments
  • More accepting of passwordless security
  • More rigorous about vulnerability management
  • More realistic about hybrid and remote working

If your organisation already has mature inventory management, MFA, vulnerability remediation, and cloud governance processes, the changes are relatively straightforward. If not, these areas are where most compliance effort will now be concentrated. 

Key implications for organisations

Asset management is now much harder to ignore

A significant practical change was a stronger emphasis on maintaining a complete inventory of:

  • Devices
  • Software
  • Cloud services
  • Network equipment
  • BYOD assets used for work

Organisations now need a much better visibility of what is connected to their environment. For many SMEs, this means formalising asset registers rather than relying on informal spreadsheets or staff knowledge. 

The Implication being that certification becomes more difficult if you cannot prove what systems are in scope. This may mean investing in discovery and asset-management processes.

Firmware is now explicitly in scope

The definition of software has been expanded to include firmware on devices such as:

  • Firewalls
  • Routers
  • Network appliances

Previously, some organisations focused almost entirely on operating systems and applications. Now, neglected network-device firmware can become a compliance issue.  The implication being that patch management programmes need to include infrastructure devices, not just laptops and servers.

“Patches” became broader “vulnerability fixes”

Cyber Essentials no longer focuses only on installing vendor patches.

The new language recognises that vulnerabilities may be fixed through:

  • Configuration changes
  • Registry edits
  • Vendor scripts
  • Other remediation methods

The expectation is that vulnerabilities rated CVSS 7.0+ are addressed regardless of how the vendor delivers the fix.  Again, there is an implication that organisations need a vulnerability-management mindset rather than a simple patching mindset.

Passwordless authentication is now recognised

The Willow update formally acknowledges modern authentication methods such as:

  • Passkeys
  • Biometrics
  • Security keys
  • Authenticator push notifications

These can satisfy MFA requirements where implemented correctly. 

This is good news for organisations moving away from passwords. It aligns Cyber Essentials more closely with modern identity-security strategies and NCSC guidance on passkeys.  Frustratingly though, I worked with a client recently to obtain CE and the assessor didn’t know what a passphrase was and it had to be explained to him.

Remote working is treated more broadly

The terminology changed from “home working” to “home and remote working.”

That sounds minor, but it reflects a wider scope including:

  • Hotels
  • Cafés
  • Shared workspaces
  • Other untrusted networks

I’ve blogged about this quite a bit and security controls need to work wherever employees connect from, not just from a home office.  Does a VPN suffice, maybe but maybe not.

Greater scrutiny of Bring Your Own Device (BYOD)

Now organisations are expected to have:

  • Clear BYOD policies
  • Device security controls
  • User responsibilities documented
  • Appropriate protection such as encryption and screen locking

Informal BYOD arrangements can be riskier from both a compliance and security perspective.

V3.3 (“Danzell”)

As if that wasn’t enough NCSC has published v3.3 (“Danzell”) requirements effective from April 2026, which further tighten areas such as MFA and cloud-service requirements. Organisations that have only just adapted to Willow should already be reviewing the next revision to avoid another compliance scramble next renewal cycle. 

What changed in the Danzell question set?

The five Cyber Essentials control areas remain the same:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Security Update Management

However, Danzell asks more detailed and specific questions about how these controls are implemented and evidenced. 

Key themes covered by the Danzell questions

Multi-Factor Authentication (MFA)

The questionnaire now requires organisations to identify all cloud services in use and confirm MFA is enabled where available. Missing MFA on supported cloud services can result in an automatic failure. 

Typical questions include:

  • What cloud services are used?
  • Is MFA enabled for all users?
  • Are administrator accounts protected by MFA?
  • What authentication methods are used?

Cloud Service Scope

Danzell explicitly brings cloud services into scope, including:

  • Microsoft 365
  • Google Workspace
  • Salesforce
  • Slack
  • Zoom
  • Cloud storage platforms

Organisations must declare these services and demonstrate appropriate security controls. 

Typical questions include:

  • Which cloud services store or process business data?
  • How are accounts managed?
  • How is access removed when users leave?

User Access Control

The questionnaire places greater emphasis on:

  • Administrative accounts
  • Privileged access management
  • Account lifecycle management

Typically questions include:

  • Are administrator accounts separate from standard user accounts?
  • How are privileged accounts controlled?
  • How are unused accounts identified and removed?

Industry discussions indicate auditors are applying the separate-admin-account requirement strictly. 

Security Update Management

Danzell asks for clearer evidence regarding:

  • Operating system patching
  • Application patching
  • Firmware updates
  • Patch deployment timescales

Applicants need to be able to identify:

  • How are vulnerabilities are identified?
  • Are high-risk vulnerabilities patched within 14 days?
  • How is firmware kept up to date?

The 14-day patching requirement is now a critical assessment point. 

Password and Authentication Controls

Questions now focus on:

  • Minimum password length
  • Password managers
  • Common-password blocking
  • Passwordless technologies and passkeys where used

Cyber Essentials v3.3 introduced a minimum 12-character password requirement in many scenarios. 

Structure of the questionnaire

The Danzell question set generally requires organisations to provide:

  • Asset inventories
  • Cloud service inventories
  • User account information
  • Details of security policies
  • Evidence of patch management processes
  • Details of MFA deployment
  • Administrative account controls

Assessors may ask follow-up questions if answers are unclear or inconsistent. 

What, typically, is the effect on SMEs?

This will change from company to company of course, many will already have much of this covered and some won’t.  Many will require guidance and assistance in making sure that they are prepared to what is now required, and that guidance will need to focus on how they need to change to meet the requirement.

But arguably the biggest operational issue is that CE now requires Owners/CEOs/Boards to certify that they will maintain the standard through its 12-month lifecycle, and not just at the point of certification.  That means monitoring their estate to maintain compliance, constantly, which in turn means having the means and resource to do it.  Not easy for many SMEs and they will be worried about cost.

The obvious answer though is a managed service.  SMEs often outsource their IT environment and see benefits in terms of cost and operational efficiency.  The same can be said for Cyber Security and monitoring, but the mindset tends to be different.  There is still the thought that their IT outsourcing company has this covered, or that cyber is a bit of black art and it will be expensive.

Let’s face it, the majority of SMEs aren’t going to try and hire cyber expertise full time, it would be expensive and unnecessary.  Having a managed service spreads cost and makes it affordable.  If you have a service that offers:

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Monitoring patching, including CVEs issued by vendors and comparing them against your estate
  • Vulnerability assessment
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring

Then you are a long way towards meeting the requirement for continuous monitoring and assessment, and if you can do this for £15-£18 per user per month, then it can be very affordable.

Scroll to top