You’re Not Too Small to Be Targeted by Cyber Attacks

Picture the business a cybercriminal wants to target. A bank. A hospital. A government department. Not yours.

Now picture your business. A team of 30, 80, maybe 150 people. One person who handles IT on top of their actual job. No dedicated security team.

That is exactly what they are looking for. Not because your data is more valuable. Because you are considerably easier to get into.


What the data shows.

The government's Cyber Security Breaches Survey 2025, commissioned by the Department for Science, Innovation and Technology, found that 43% of UK businesses experienced some form of cyber attack or breach in the past 12 months. That represents an estimated 612,000 businesses across the country.

The NCSC's 2025 Annual Review was unambiguous. The UK experienced four nationally significant cyber attacks every week in the 12 months to August 2025, a sharp rise from the previous year. The NCSC's Chief Executive described cyber security as "a matter of business survival and national resilience." The UK is now the second most targeted country in the world.

Why SMEs are the preferred target.

  1. Security infrastructure is rarely built in from the start. Most growing businesses were never set up with enterprise-grade security in mind. Without a dedicated IT function, the fundamentals often get missed, not through negligence, but because there was never the resource or the prompt to put them in place. Attackers know this and go where the path of least resistance leads.

  2. You hold more data than you realise. Client records, payment details, employee information, supplier relationships. None of it needs to be on the scale of a national database to be worth stealing or encrypting for ransom.

  3. You are a route into someone bigger. Supply chain attacks are one of the fastest-growing vectors. Only 14% of UK businesses formally review the security risks posed by their immediate suppliers. Your business does not need to be the end goal. It just needs to be the way in.

  4. Attacks are automated and indiscriminate. The NCSC is clear: threat actors target vulnerabilities, not sectors. Automated tools scan the internet continuously for open doors. Size offers no protection from something that does not discriminate.

Attacks hitting UK businesses the hardest.

  • Phishing. 85% of businesses that experienced a breach cited phishing as the primary method. It accounts for 93% of all successful breaches. An email that looks real, a link that gets clicked, and an attacker is inside your network. The NCSC has flagged that AI is making these attacks significantly harder to spot.
  • Ransomware. The NCSC identifies ransomware as the single most pressing cyber threat to UK businesses. Attacks doubled in 2025, affecting an estimated 19,000 organisations. Files locked, systems down, and no guarantee of recovery even if you pay.
  • Credential theft. Weak passwords, reused passwords, accounts without multi-factor authentication. Not sophisticated. Just an open door that most businesses have not thought to close.
  • Business email compromise. An attacker impersonates someone trusted and requests a payment or data transfer. In 2025, HMRC revealed criminal gangs had used this method to extract 47 million pounds in fraudulent tax repayments.

Large breaches make headlines. When a well-known retailer loses customer data or a public service goes down, it becomes a national story. When a business without a security team loses two weeks of operational capacity to ransomware, it does not. The absence of coverage creates a false impression of an absence of risk.

The NCSC addressed this directly in its 2025 Annual Review: all businesses using digital assets are potential targets, and the barriers to better cyber resilience are not technical but cultural. The assumption of safety is the gap.

What good looks like, practically.

The steps that protect most businesses from most attacks are not technically complex or expensive. The NCSC's guidance points to a handful of foundational controls that, applied consistently, close the majority of doors attackers walk through.

  • Multi-factor authentication. The single highest-impact step any business can take. A stolen password without MFA is useless to an attacker.
  • Staff training, regularly. Most breaches involve a human decision. Training staff to recognise phishing, and running periodic simulations, makes a measurable difference.
  • Software kept up to date. A significant proportion of successful attacks exploit vulnerabilities that already have fixes available.
  • An incident plan. Only 22% of UK businesses have a formal cyber incident management plan. Knowing what to do in the first hour of a breach dramatically reduces the damage.

For a structured starting point, the government's Cyber Essentials scheme certifies against five core controls. The NCSC estimates it protects against the majority of common cyber attacks, and it is increasingly required by clients and public sector procurement teams.

The question was never whether you are a target.

It is whether you are ready.

The assumption that size offers protection is not just outdated. It is the assumption that attackers rely on. The businesses that come through attacks intact are not the ones with the largest budgets. They are the ones that took the risk seriously before it became a crisis.
