How SMEs Should Respond to the Recent Surge in Cyber Attacks
The last 18 months have seen a sharp rise in cyber-attacks targeting businesses of all sizes — and SMEs are increasingly in the crosshairs. From high-profile ransomware incidents at major corporations to smaller-scale breaches that rarely make the headlines, the message is clear: no organisation is too small to be a target.
For SMEs, the impact of a cyber-attack can be devastating. Research from the UK Government’s Cyber Security Breaches Survey 2025 shows that nearly 40% of small businesses experienced some form of cyber breach in the past year, and the average cost of a successful attack on an SME is estimated at £120,000. Unlike large corporations, many SMEs lack the resources to absorb these losses or recover quickly.
Cyber criminals are also becoming more strategic. They deliberately target organisations with known weaknesses — for example, businesses with high staff turnover (where systems and access are less controlled), or companies that are in the process of raising or have just received investment, when financial flows are high and oversight may be stretched. For SMEs, this means the risk profile spikes at exactly the moments when stability is most needed.
So how should SMEs respond? The answer lies in taking a joined-up approach — combining risk assessment, technical resilience, insurance, and compliance to create a protective shield around the business.
Step 1: Conduct a Comprehensive Risk and Threat Review
The first priority is to establish a clear-eyed view of your current cyber posture. This includes:
- Identifying your most valuable assets: customer data, financial systems, IP, supply chain data.
- Mapping potential threats: phishing, ransomware, insider threats, and supply chain compromises.
- Assessing vulnerabilities: outdated software, unpatched systems, weak access controls, lack of staff training.
- Measuring impact: what would downtime, data loss, or reputational damage mean financially and operationally?
This review should be formalised and repeated regularly — ideally at least annually or following any major IT change. SMEs with recent funding or restructuring should treat this as a priority.
Step 2: Strengthen Core Defences
While SMEs may not have the budgets of large corporations, many best-practice defences are accessible and affordable:
- Multi-factor authentication (MFA) across email, systems, and cloud applications.
- Regular patching and updates of all devices and software.
- Staff awareness training — since 90% of breaches still start with human error.
- Robust backup strategies that are both secure and regularly tested.
- Endpoint detection and monitoring for unusual activity.
These steps significantly reduce the likelihood of a breach and limit damage if one occurs. Seeking advice from a cyber security expert at this stage ensures your priorities are set correctly and that hidden gaps are addressed.
Step 3: Review Cyber Insurance and Compliance
Cyber insurance is no longer optional for SMEs — it is a critical part of the risk management toolkit. However, insurers are becoming increasingly stringent in assessing whether businesses meet minimum standards. Typical requirements include:
- MFA enabled across critical systems.
- Regular staff training.
- Documented patching and update policies.
- Segregated and tested backups.
- Incident response plans in place.
If these measures are missing, an insurer may decline to pay out following a breach. SMEs must therefore not only purchase cover but review compliance against the policy’s key terms. Working with an experienced broker or insurer who understands SME risks can help you secure the right cover and avoid nasty surprises.
Step 4: Take a Joined-Up Approach
One of the most common mistakes SMEs make is treating cyber security, compliance, and insurance as separate issues. In reality, they are interdependent:
- Cyber resilience reduces the likelihood of an incident.
- Compliance with standards satisfies both regulators and insurers.
- Cyber insurance provides financial and operational protection if defences are breached.
A joined-up strategy means aligning IT, operations, finance, and leadership around one cyber security plan — supported by trusted advisers. Combining expert input from a cyber security professional with guidance from a good insurer ensures that your protections, policies, and cover work hand in hand.
Step 5: Build a Culture of Resilience
Finally, SMEs must view cyber security not as a one-off project but as part of business culture. This includes leadership buy-in, employee engagement, and proactive monitoring. Cyber threats evolve daily, so resilience must be continuously refreshed.
The Bottom Line
SMEs can no longer rely on luck or assume they are too small to be noticed. The recent surge in attacks proves that hackers see SMEs as easy targets — especially businesses with high staff turnover or those in the spotlight after raising capital. Both situations create opportunities for criminals to exploit.
By conducting a full risk review, strengthening defences, taking advice from cyber experts, ensuring insurance coverage is compliant, and adopting a joined-up approach across the business, SMEs can dramatically reduce their exposure and increase their ability to recover if an attack occurs.
Cyber security isn’t just an IT issue anymore — it’s a business survival issue, and SMEs that combine expert guidance with strong insurance protection will be best placed to withstand what comes next.