Top 5 Cyber Threats for Small and Medium Enterprises Today


In the UK, a small and medium enterprise (SME) is defined as one that has fewer than 250 staff, as well as £44m or less in annual turnover or a balance sheet total of less than or equal to £38m.

Many SME owners might not think they are as much of a target as bigger businesses when it comes to cyber crime. Unfortunately, they’d be wrong. 43% of cyber-attacks target SMEs, and the effects can be devastating, with many SMEs that fall victim to a serious cyber-attack going out of business within six months.

So, what are the most common cyber threats facing small and medium enterprises in 2025? We’ll run through the top five…

Why Small Businesses Are the Prime Target

They might not offer the same resources and potential rewards to cybercriminals as larger businesses and organisations, but SMEs account for 99.9% of the UK business population. That makes for a broader range of targets, and there’s also a perception that SMEs are an easier target. In many cases, this can be true, due to their smaller budgets and weaker security.

The Top Five Cyber Threats Facing UK SMEs Today

Threat 1: Phishing and Social Engineering

Phishing attacks remain the most prevalent and disruptive type of breach or attack faced by all businesses and organisations. Of businesses reporting a breach or attack over the last 12 months, 85% had experienced a phishing attack.

Phishing is an attempt to steal sensitive information through deception, such as an email purporting to be from a legitimate person or organisation. It is a very common entry point for cybercriminals and exploits human weaknesses. Phishing is also evolving into other social engineering threats such as the fast-growing quishing, which uses QR codes instead of email links.

Threat 2: Ransomware Attacks

Ransomware has generated a lot of headlines and tends to be one of the most financially damaging types of attack. The recent attack on Jaguar Land Rover was the costliest cyber-attack in UK history, at an estimated £1.9bn, but SMEs can also face damage that can be catastrophic in relation to their own smaller resources.

Double or triple extortion is a rising trend that sees multiple layers of attack used to persuade victims to pay a ransom to the attacker.

Threat 3: Malware

Malware, including viruses and trojans, remains a threat, and there is a constant arms race between malicious actors and cyber security specialists looking to neutralise the threat. Malware can have a number of impacts, from costly downtime and system compromise to theft of sensitive data.

Threat 4: Weak Passwords and Missing MFA

Despite growing awareness of the threat, weak passwords remain a problem. This is not limited to oft-quoted examples such as ‘Password’ or ‘12345’. Hackers are increasingly using automated password-cracking techniques, and one report noted that password-cracking attempts succeeded in 46% of tested environments.

Multi-factor authentication (MFA) can be a crucial tool in protecting credentials when used alongside passwords, but this important step is too often missing from policies and protocols, especially among SMEs. As with phishing, password cracking exploits the human element and a lack of good cyber hygiene.

Threat 5: Supply Chain Vulnerabilities and Third Parties

A supply chain attack is when products, services, or technology you are supplied with are compromised and then used against your own systems. This means that when you use third parties or IT service providers, you should ensure that they have appropriate security measures and comply with all relevant regulations.

Essential Defence: Your Action Plan Against These Threats

Establish a Strong ‘Human Firewall’

The human factor can provide a weak link for cybercriminals to exploit. It’s important to construct a strong ‘human firewall’ with appropriate ongoing training and policies that let staff know exactly what is required of them and what mistakes to avoid.

Adopt Multi-Factor Authentication (MFA) Everywhere

Multi-factor authentication is one of the most effective single measures you can implement. It should be standard procedure on everything from emails to financial accounts, customer databases, and critical applications.

Prioritise Key Security Tools

Key security tools such as antivirus software, firewalls, and secure cloud backup should be seen as essential. It’s important not just to install them but also to keep them up to date.

Follow the NCSC Cyber Action Plan

The National Cyber Security Centre has a wealth of advice and free resources for SMEs, such as its cyber security policy for small business PDF. It can help you draw up a cyber action plan, and you can also access NCSC cloud security guidance.

You can also turn to third-party experts for help. Find out more about how Clipeum’s cyber security solutions and proactive monitoring can protect your data and security.

Your Small Business Cyber Security Checklist

  • Install anti-malware software
  • Implement a strong password policy with multi-factor authentication
  • Secure mobile devices and access to systems
  • Train staff to avoid phishing and other attacks
  • Back up your data
  • Make use of cyber security experts

Resilience Is the Best Policy

When it comes to cyber security for small businesses in the UK, the cost of prevention is always less than the cost of recovery. Putting measures in place to reduce the likelihood of a successful cyber-attack is vital, but you should also have incident response policies in place in case you are affected.

If you want to ensure that you have the highest levels of protection in place, contact Clipeum today for help or advice.

FAQs

What is the biggest threat to small businesses?

According to insurers, the cost of living is seen by SMEs as the biggest threat, but cyber incidents are right up there at number 4, cited by nearly a quarter (24%) of SMEs.

What are the cyber security challenges facing SMEs?

Phishing, ransomware attacks, malware, missing MFA, and supply chain vulnerabilities. SMEs have fewer resources than larger organisations, but still face cyber threats and should take these risks seriously.

Where can I get more help or information?

Consult a cyber security expert, such as Clipeum, or visit the National Cyber Security Centre (NCSC) website.
