Cyber Security - what is it and why is it a risk for SMEs?

Updated: Apr 17, 2023

In the current economic climate, we know that small businesses believe they do not have the budget or time to prioritise cyber security. Many SMEs also feel that they are of no interest to online criminals because they are not big enough or their profits are too small. Sadly, we know that this is far from the truth.

There are many ways in which SMEs can protect themselves from the threat of cyber-attacks, and the majority of these are free and simple to implement. For example, turning on two-step verification for social media channels and email accounts is a very simple way to add a layer of protection, and using a strong password will help to keep you in your accounts and criminals out of them.

To help SMEs understand the threat that cyber-attacks pose, we have created a Frequently Asked Questions (FAQ) blog to answer the most commonly asked questions on why SMEs should take cyber security seriously.


What is a ‘cyber risk’? Cyber risk is the potential exposure to financial or reputational loss or harm stemming from an organisation’s information or communications systems.

What is cyber security? Cyber security refers to protecting hardware, software and data from attackers. The primary purpose of cyber security is to protect against cyber-attacks such as accessing, changing or destroying sensitive information.

Why is cyber security necessary for small businesses?

Cyber-attacks are potentially ruinous events for business owners. The average cost of a cyber security breach in the United Kingdom is £1,010 across all businesses; however, this figure becomes greater as the size of a business increases.

The cost of a cyber-attack is not only financial. Without any protection in place, cyber-attacks can cost businesses in many other ways. Often, a cyber-attack will damage the trust that customers and clients place in the business, while also impacting employee integrity, data integrity and the longevity of the business.

What are the differences between a cyber incident, a cyber-attack and a cyber threat?

  • A cyber security ‘incident’ is a breach of a system's security policy that affects its integrity or availability, and/or the unauthorised access or attempted access to a system or systems, in line with the Computer Misuse Act (1990).

  • A cyber-attack is when a business or individual is targeted by criminals for the purpose of disrupting, disabling, destroying or maliciously controlling a computing environment or infrastructure, or of destroying the integrity of data or stealing controlled information.

  • A cyber security ‘threat’ is the possibility of a malicious attempt to damage or disrupt a computer network or system.

Types of cyber-attacks:

What is ransomware? Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

What is malware? Short for malicious software, malware is specifically designed to disrupt, damage or gain unauthorised access to a computer system.

What is phishing?

‘Phishing’ is when criminals trick their victims using scam emails, text messages or phone calls. The aim is often to make you visit a website, which may download a virus onto your computer or steal bank details or other personal information.

Phishing is often untargeted, taking the form of a mass email, text or cold-calling campaign.

However, an attacker may use more targeted information to make their messages more persuasive and realistic (sometimes known as ‘spear phishing’).

What is business email compromise?

Business email compromise (or BEC) is a form of phishing attack in which a criminal targets a business in order to defraud the company. Criminals behind BEC send convincing-looking emails that might request unusual payments or contain links to 'dodgy' websites. Some emails may contain viruses disguised as harmless attachments, which are activated when opened.

Protecting your business to mitigate cyber risks:

What is two-step verification?

Turning on 2SV is one of the most effective ways to protect your online accounts from cyber criminals.

You should protect your most important accounts (such as email, banking, social media and online shopping) by making sure you have 2-step verification turned on for each of them.

2-step verification (2SV), which was previously known as two-factor authentication (2FA) or multi-factor authentication (MFA), helps to keep criminals out of your accounts even if they know your passwords. The NCSC recommends that you take the time to set up 2-step verification on all your important accounts, even those you have already protected with strong passwords.

How do I make my business safer?

For businesses, improving your cyber hygiene is critical to protecting your business from cyber-attacks. Cyber hygiene refers to the practices and steps that all computer or device users within a business take to maintain and continuously improve their security, both online and offline. These practices are often part of a routine to protect identities and other details that could be stolen or corrupted.

What steps can I take to improve my cyber hygiene?

1. Install reputable antivirus and anti-malware software

2. Protect computers with robust firewalls and secure routers

3. Update all software regularly

4. Set strong passwords using the NCSC’s password guidance

5. Enable 2-step verification

6. Employ device encryption

7. Back up all files regularly and keep an offline copy disconnected from live devices

8. Secure your router

9. Join your local cyber resilience centre for regular, free guidance, toolkits and resources, all designed for SMEs.

What can I do if I think I’m being, or have been, attacked?

The South East Cyber Resilience Centre is here to provide help and guidance that protects businesses and prevents them from falling victim to cybercrime. If you think you have fallen victim to a cybercrime, you need to know how to report it.

If you are a business, charity or organisation that is currently suffering a live cyber-attack, then please call Action Fraud's 24/7 helpline on 0300 123 2040.

What is a supply chain?

If your business has a company that supplies its stationery, printing and computer equipment, or cleans its office premises, and you have digital contact with these suppliers, then they form part of your supply chain.

A supply chain is the network of all the individuals, organisations, resources, activities and technology involved in the creation and sale of a product. A supply chain attack is a cyber-attack that targets the less secure elements of a company’s supply chain, with the intent of causing serious damage to those at the end of the chain.

The more links there are in a supply chain, the more vulnerable it becomes, which highlights the importance of handling and storing data securely.

How do I protect the other companies and partners that I work with (your supply chain)?

  • Protect your internal systems by installing firewalls and virus-detection software to block malware from reaching your systems.

  • Regularly back up your files and databases in case a cyber-attack deletes any trace of them.

  • Train your employees so they are able to recognise attempted cyber-attacks and know how to respond if their devices are affected. Your employees do not need to be cyber experts, but they should be educated on the dangers of opening suspicious emails and clicking on unknown URLs, links and email attachments.

  • Lock down permissions on devices so that employees are unable to download unauthorised software and applications that could potentially undermine your firewalls.

  • Be careful about who supplies your supply chain: ensure that your suppliers regularly conduct security audits or hold security certifications, and write this requirement into a contract.

  • Manage the risks with a cyber security policy that is regularly updated and adopted. You should also have an incident response plan that provides a process to help your business, charity or third sector organisation respond effectively in the event of a cyber-attack.


Build your cyber resilience with The South East Cyber Resilience Centre

Would your business survive a cyber-attack? We offer a #FREE membership that provides expert guidance and toolkits to help boost your business's cyber resilience against cyber-attacks.

➡️Download your free information pack here
