Cyber Awareness Training General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy

How Should SMEs View Cyber Security?

We experience a quite varied attitude amongst SMEs to cyber security.  There is still a prevalent view that they are not really a target because they’re not worth it, and we’ve commented again and again that this is simply not so.  SMEs are considered low hanging fruit amongst cyber criminals simply because they tend to have weaker defences and don’t have easy access to the right levels of advice and guidance.

Good cyber defences can be seen in a similar light to insurance.  Whilst you hope that you’ll never need it, you understand that it’s safer to have it and in turn, the insurance company will require you to meet certain requirements for your policy to remain extant.

100% protection against an attack is simply not possible and no responsible cyber security company will guarantee that.  But we do try and empower businesses by forging intelligent defences to protect them in an ever-evolving threat landscape, being made more dangerous as criminals adopt AI in greater numbers.

SMEs face many of the same cybersecurity threats as large organisations, but they are often more vulnerable due to limited resources, staff, and awareness. So far it’s being reported that the biggest cybersecurity threats to SMEs in 2025 include:

  1. Phishing & Social Engineering
  • What it is: Deceptive emails, texts, or calls that trick employees into revealing credentials or installing malware.
  • Why it matters for SMEs: They often have no formal training or tools to detect phishing. A single click can lead to a major breach.
  • Ransomware Attacks
  • What it is: Malware that encrypts data and demands a ransom for decryption.
  • Why SMEs are targets: They’re seen as “soft” targets, less likely to have backups or strong defences, more likely to pay.
  • Business Email Compromise (BEC)
  • What it is: Fraudsters impersonate executives or vendors to trick employees into sending money or sensitive data.  Traditionally done by email spoofing, now increasingly being done by AI impersonation.
  • Why it’s dangerous: BEC is low-tech but high impact, no malware, just manipulation. Losses can be substantial.
  • Poor Password Hygiene
  • Common issues: Weak, reused, or shared passwords; lack of multi-factor authentication (MFA).
  • Impact: Credential stuffing and brute-force attacks are easy ways into SME systems.
  • Unpatched Software & Systems
  • What it is: Outdated software with known vulnerabilities.
  • Why it happens: SMEs often delay updates due to compatibility fears or lack of IT resources.
  • Real threat: Attackers automate the search for these flaws.
  • Supply Chain Attacks
  • What it is: Attackers target less secure vendors or partners to infiltrate your network.
  • Relevance: SMEs often rely on third-party services (e.g. MSPs, cloud tools), but don’t vet their security rigorously.  Check their Ts&Cs, what are they responsible for and what are you responsible for?  This is becoming a big issue amongst those with critical supply chains of which SMEs may be a part.
  • Insider Threats (Malicious or Accidental)
  • Malicious: Disgruntled employees stealing or sabotaging data.
  • Accidental: Well-meaning staff misconfiguring systems or clicking unsafe links.
  • Problem: SMEs rarely have monitoring tools in place to catch insider issues early.
  • Insecure Remote Work Infrastructure
  • Examples: Unsecured Wi-Fi, lack of VPNs, personal device use (BYOD).
  • Why it’s risky: Many SMEs embraced remote/hybrid work without upgrading their security posture.
  1. Lack of Cybersecurity Training
  • Result: Employees don’t recognise threats or understand basic security practices.
  • Impact: Human error is still a major cause of breaches.  Cyber Awareness Training is arguably the biggest and cheapest quick win an employer can take.
  • Cloud Misconfigurations
  • Common mistake: Leaving cloud storage exposed to the internet.
  • Why it happens: SMEs may lack specialised cloud knowledge or rely on default settings.  Check with your supplier.
  • Bonus: AI-Powered Attacks
  • Emerging trend: Attackers use generative AI to craft more convincing phishing emails, deepfakes, and automated reconnaissance. Check out our earlier blog on this subject (An increase in sophistication of cyber-attacks).
  • Why SMEs should care: These tools lower the barrier for attackers and increase the success rate of scams.

What practical advice would we have for SMEs?  Obviously, that depends on the SME, their vertical, how they operate etc.  But generally:

  1. Enable MFA everywhere.
  2. Train staff regularly.
  3. Keep software up to date.
  4. Back up data (and test recovery).
  5. Use endpoint protection.
  6. Identify where all your sensitive data resides.
  7. Investigate protective monitoring services.
  8. Investigate Cyber Security Insurance.
  9. Hire or consult a cybersecurity professional, even part-time.

Scroll to top