When a big-name brand like Marks & Spencer gets hit by a cyberattack, it’s all over the news. You might have seen headlines this week about M&S dealing with a “cyber incident” that led to store disruption and triggered an urgent investigation. It’s a serious issue, and rightly covered – but here’s the thing: while big companies make the news, small and medium-sized businesses (SMEs) are actually the ones most at risk.
As an IT partner working with businesses across Greater Manchester, we see this firsthand every day. Cyber threats are growing – and SMEs are often on the front line, whether they realise it or not. In this article, we want to unpack what’s really happening, why SMEs are such popular targets for cyber criminals, and, most importantly, what practical steps you can take to protect your business.
When you read about cyber attacks in the media, it’s usually about a household name – an M&S, a law firm, a government body. But those high-profile cases are just the tip of the iceberg.
According to the UK Government’s Cyber Security Breaches Survey (2024), 50% of businesses experienced a cyber attack in the last 12 months. The report found that while 74% of large businesses had identified breaches or attacks in 2024, the number of small and medium businesses that also experienced attacks was shockingly high – 58% and 70% respectively. The attacks might not be headline-worthy, but the consequences for smaller organisations are often far more damaging.
In the North West alone, 5% of SMEs were targeted more than 10 times in the last year, with the average cost of these attacks for small businesses in our region at over £8,000 per year.
When you consider that Greater Manchester alone is home to tens of thousands of SMEs, it’s not hard to see how big this problem really is – even if it doesn’t always make the front page.
It’s easy to assume that cyber criminals are only after big paydays from large corporations. But actually, attacking SMEs often offers a faster, easier win for them. Why? Because smaller organisations don’t usually have the same level of security – or the resources to bounce back quickly.
Here are just a few of the reasons SMEs are particularly vulnerable:
A lot of small businesses are spending next to nothing on cyber security. One recent study found that 38% of SMEs spend less than £100 per year on it. That’s not nearly enough to defend against today’s threats.
Most SMEs don’t have a full-time IT or cyber security professional on staff. It might be someone juggling multiple roles, or a third-party provider doing the basics. That leaves room for gaps, outdated systems, and missed warning signs.
There’s still a widespread belief among SMEs that “we’re too small to be a target”. Unfortunately, that couldn’t be further from the truth. In fact, that assumption makes businesses even more attractive to attackers who know they’re unlikely to be met with much resistance. In 2024, even micro-businesses faced cyber attacks (47%).
Remote and hybrid work is now the norm, but many businesses haven’t updated their security to match. Staff are often using personal devices or unprotected home networks – without even realising the risk this poses to company data.
Employees are often the first (and last) line of defence against threats like phishing emails. But over 50% of SME employees haven’t had any formal cyber security training. That means one accidental click could open the door to serious risks.
Most SMEs don’t have the deep pockets, dedicated legal teams, or PR firms that big businesses rely on after a breach. The impact of a successful cyber attack on a smaller business can be overwhelming.
Here’s what you might be dealing with if your business is targeted:
These outcomes might sound daunting, but they’re avoidable. The key is to take action before something happens – not after.
The good news is you don’t need an enterprise-sized budget to significantly improve your cyber security. Even small, affordable changes can go a long way. Here are our top recommendations:
Start with a simple review of where your risks are. At Apex, we offer Security Audits that identify where your weak points are – and what to prioritise first.
Make sure all your devices and software are running the latest versions. Most attacks target known vulnerabilities that could be patched with updates.
It’s one of the simplest ways to block attackers from accessing accounts – even if a password is stolen – and it’s free.
Back up regularly, and make sure those backups are secure and separate from your main systems. If ransomware hits, a good backup could save you.
Even a short session on how to spot phishing emails or use a strong password can make a big difference. There are lots of free or low-cost options available.
Make sure staff only have access to the data and systems they need. This reduces the damage if someone’s account is compromised.
What would you do if you were attacked tomorrow? Having a basic incident response plan and disaster recovery plan helps you act quickly and minimise damage.
Cyber Essentials and Cyber Essentials Plus are UK government-backed accreditations which help businesses protect against common cyber threats, demonstrate a commitment to cybersecurity, and can enhance customer trust and confidence.
You don’t have to do this alone. Working with a trusted IT Partner (like us!) means you can get expert support tailored to your needs and budget. Whether it’s ongoing monitoring, help desk support, or setting up better protections – we’ve got your back.
Cyber security can feel overwhelming, especially when you’re wearing many hats as a business owner or manager. But it doesn’t have to be complicated or expensive.
By taking some simple, practical steps, you can put solid defences in place that make your business much harder to target. And you don’t have to aim for perfection – just doing better than the average SME is often enough to convince attackers to move on.
At Apex, we believe in making cyber security accessible, understandable, and achievable for every business. If you’re not sure where to start, or if you’re worried your current setup might not be up to scratch, we’re here to help.