Cyber-attacks and why SMEs are particularly vulnerable

What Recent Attacks Have Looked Like

In 2025, several high-profile cyberattacks have dominated headlines in the UK, showing both old and evolving threats:

  • Jaguar Land Rover (JLR) was hit by a major cyberattack in September 2025, forcing production shutdowns in the UK and disrupting its global supply chain, costing the business hundreds of millions per week.
  • Marks & Spencer was targeted earlier in 2025, with ransomware disrupting Click & Collect and contactless payments, knocking out automated stock systems, and leading to estimated operating losses of £300 million.
  • Synnovis, an NHS lab services provider, suffered a ransomware attack in mid-2024 that cost an estimated £32.7 million and crippled diagnostic services across London hospitals.

These incidents involved ransomware, phishing, and supply chain vulnerabilities — proving that even well-resourced firms are exposed.

Origins & Motivations

Most recent UK attacks trace back to organised criminal groups such as Scattered Spider, Lapsus$ and DragonForce, often based in Eastern Europe or Asia.

Motivations include:

  • Financial gain: ransom payments, stolen data resale, blackmail.
  • Operational disruption: halting production or services to force negotiations.
  • Reputational leverage: damaging brand trust to pressure settlements.

Methods vary, but many breaches start with phishing, vishing, weak authentication, or unpatched systems.

How Vulnerable SMEs Are

SMEs are particularly at risk because:

  • Limited budgets often mean no full-time security staff.
  • Fewer preventive controls are in place, such as multi-factor authentication, network segmentation, and backup strategies.
  • A single breach can threaten business continuity, cashflow, and survival.
  • Many SMEs sit within larger supply chains, making them indirect targets.

Market data is sobering: cyberattacks have cost UK businesses an estimated £44 billion over the past five years. SMEs face average direct costs of £3,400–£5,000 per incident, not including reputational damage and lost contracts.

The Importance of Cyber Insurance

Cyber insurance has become a critical safeguard:

  • Covers direct financial losses from ransomware, downtime, and business interruption.
  • Supports recovery with access to specialist incident response teams, legal counsel, and communications advisors.
  • Mitigates liability in the event customer or employee data is compromised.
  • Protects balance sheets when attacks escalate beyond what an SME could absorb alone.

Yet many SMEs remain uninsured or underinsured, often on the advice of IT providers who downplay the risk. The reality is that cyber insurance is now viewed by boards and auditors as part of a standard risk management framework, alongside firewalls and backups.

How Investors View Cyber Risk

Investors increasingly assess cyber security posture as part of due diligence:

  • Private equity and venture capital investors know that a portfolio company breach can wipe out value. They look for strong governance, security certifications, and cyber insurance as indicators of maturity.
  • Institutional investors are asking ESG-linked questions about cyber resilience, data governance, and operational risk exposure.
  • Banks and lenders now factor cyber risk into credit decisions — businesses without basic protections may face higher borrowing costs or limited access to debt.

A PwC report in 2024 found that over 70% of institutional investors consider cyber security a “make-or-break” factor when investing in digital-first businesses. Companies without insurance or demonstrable resilience are increasingly penalised in valuation discussions.

Taking Guidance & Sensible Precautions

To protect against these risks, SMEs should:

  • Carry out regular risk assessments and penetration testing.
  • Train employees on phishing and social engineering threats.
  • Enforce multi-factor authentication and regular patching.
  • Develop a clear incident response plan.
  • Ensure regular, secure backups of critical systems.
  • Take out appropriate cyber insurance to limit financial exposure.

Conclusion

Cyberattacks are no longer abstract — they are shutting down factories, blocking supermarket shelves, and straining healthcare systems. SMEs are especially vulnerable, both as direct targets and as weak links in larger supply chains.

The cost of underestimating the threat is measured in billions, while the cost of preparation is modest by comparison. For SMEs looking to survive, scale, and attract investment, cyber resilience and insurance coverage are no longer optional — they are essential.