Beyond the Headlines: The Hidden Cyber Threat to SMEs

April 24, 2025

News by Apex Computing

When a big-name brand like Marks & Spencer gets hit by a cyberattack, it’s all over the news. You might have seen headlines this week about M&S dealing with a “cyber incident” that led to store disruption and triggered an urgent investigation. It’s a serious issue, and rightly covered – but here’s the thing: while big companies make the news, small and medium-sized businesses (SMEs) are actually the ones most at risk.

Screenshot of BBC news article about M&S cyber incident April 2025

As an IT partner working with businesses across Greater Manchester, we see this firsthand every day. Cyber threats are growing – and SMEs are often on the front line, whether they realise it or not. In this article, we want to unpack what’s really happening, why SMEs are such popular targets for cyber criminals, and, most importantly, what practical steps you can take to protect your business.

The Reality: Most Cyber Attacks Don't Make the News

When you read about cyber attacks in the media, it’s usually about a household name – an M&S, a law firm, a government body. But those high-profile cases are just the tip of the iceberg.

According to the UK Government’s Cyber Security Breaches Survey (2024), 50% of businesses experienced a cyber attack in the last 12 months. The report found that while 74% of large businesses had identified breaches or attacks in 2024, the number of small and medium businesses that also experienced attacks was shockingly high – 58% and 70% respectively. The attacks might not be headline-worthy, but the consequences for smaller organisations are often far more damaging.

In the North West alone, 5% of SMEs were targeted more than 10 times in the last year, with the average cost of these attacks for small businesses in our region at over £8,000 per year.

When you consider that Greater Manchester alone is home to tens of thousands of SMEs, it’s not hard to see how big this problem really is – even if it doesn’t always make the front page.

Why SMEs are Prime Targets

It’s easy to assume that cyber criminals are only after big paydays from large corporations. But actually, attacking SMEs often offers a faster, easier win for them. Why? Because smaller organisations don’t usually have the same level of security – or the resources to bounce back quickly.

Here are just a few of the reasons SMEs are particularly vulnerable:

1. Lower Security Budgets

A lot of small businesses are spending next to nothing on cyber security. One recent study found that 38% of SMEs spend less than £100 per year on it. That’s not nearly enough to defend against today’s threats.

2. Lack of In-House Expertise

Most SMEs don’t have a full-time IT or cyber security professional on staff. It might be someone juggling multiple roles, or a third-party provider doing the basics. That leaves room for gaps, outdated systems, and missed warning signs.

3. Awareness and Mindset

There’s still a widespread belief among SMEs that “we’re too small to be a target”. Unfortunately, that couldn’t be further from the truth. In fact, that assumption makes businesses even more attractive to attackers who know they’re unlikely to be met with much resistance. In 2024, even micro-businesses faced cyber attacks (47%).

4. Remote Working Risks

Remote and hybrid work is now the norm, but many businesses haven’t updated their security to match. Staff are often using personal devices or unprotected home networks – without even realising the risk this poses to company data.

5. Limited Training

Employees are often the first (and last) line of defence against threats like phishing emails. But over 50% of SME employees haven’t had any formal cyber security training. That means one accidental click could open the door to serious risks.

What's at Stake?

Most SMEs don’t have the deep pockets, dedicated legal teams, or PR firms that big businesses rely on after a breach. The impact of a successful cyber attack on a smaller business can be overwhelming.

Here’s what you might be dealing with if your business is targeted:

  • Financial loss: From the cost of fixing issues to lost income while systems are down, the hit can be significant. In some cases, SMEs have had to pause operations completely or even shut down.
  • Reputational damage: Customers and partners need to know their data is safe with you. A breach can quickly damage trust, which is much harder to rebuild for a smaller business.
  • Operational disruption: If your systems go down, how long could you operate without access to emails, documents, or systems? For many businesses, the answer is: not long.
  • Regulatory and legal risk: If personal or sensitive data is leaked, you could face legal consequences or fines under data protection laws like GDPR.

These outcomes might sound daunting, but they’re avoidable. The key is to take action before something happens – not after.

What SMEs Can Do Right Now

The good news is you don’t need an enterprise-sized budget to significantly improve your cyber security. Even small, affordable changes can go a long way. Here are our top recommendations:

1. Get a Cyber Security Health Check

Start with a simple review of where your risks are. At Apex, we offer Security Audits that identify where your weak points are – and what to prioritise first.

2. Keep Systems Up To Date

Make sure all your devices and software are running the latest versions. Most attacks target known vulnerabilities that could be patched with updates.

3. Use Strong, Unique Passwords and Multi-Factor Authentication

It’s one of the simplest ways to block attackers from accessing accounts, even if a password is stolen, and it’s free.

4. Back Up Your Data

Back up regularly, and make sure those backups are secure and separate from your main systems. If ransomware hits, a good backup could save you.

5. Train Your Team

Even a short session on how to spot phishing emails or use a strong password can make a big difference. There are lots of free or low-cost options available.

6. Limit Access

Make sure staff only have access to the data and systems they need. This reduces the damage if someone’s account is compromised.

7. Have A Response Plan

What would you do if you were attacked tomorrow? Having a basic incident response plan and disaster recovery plan helps you act quickly and minimise damage.

8. Consider Cyber Essentials accreditation

Cyber Essentials and Cyber Essentials Plus are UK government-backed accreditations which help businesses protect against common cyber threats, demonstrate a commitment to cybersecurity, and can enhance customer trust and confidence.

9. Partner With The Right Experts

You don’t have to do this alone. Working with a trusted IT Partner (like us!) means you can get expert support tailored to your needs and budget. Whether it’s ongoing monitoring, help desk support, or setting up better protections – we’ve got your back.

A Little Proactivity Goes a Long Way

Cyber security can feel overwhelming, especially when you’re wearing many hats as a business owner or manager. But it doesn’t have to be complicated or expensive.

By taking some simple, practical steps, you can put solid defences in place that make your business much harder to target. And you don’t have to aim for perfection – just doing better than the average SME is often enough to convince attackers to move on.

At Apex, we believe in making cyber security accessible, understandable, and achievable for every business. If you’re not sure where to start, or if you’re worried your current setup might not be up to scratch, we’re here to help.

Let’s make cyber security one less thing to worry about: book a free consultation.

Apex Computing

At Apex Computing Services, we’ve been growing with our customers since 2003 and now have a team of 20 highly professional and experienced technical engineers covering all aspects of IT Support, Cloud Solutions, IT Infrastructure, Business Continuity, compliance towards GDPR and Cyber Security.