Growing Cyber Threats to Small Businesses

Regional nursery chain Kido has recently been the victim of a successful cyberattack.

Hackers stole the personal information of thousands of nursery-aged children. As of the time of writing, 20 families have had this information released on the dark web. More will be leaked until a ransom is paid.

This is the first attack of its kind in the UK and a chilling sign that cybercriminals are becoming bolder – and more desperate. In the pursuit of new targets, they’re now turning to smaller businesses operating in sectors previously seen as off limits.

As one hacker behind the Kido attack said to a BBC reporter, “This isn’t my first time and will not be my last time.”

If you own or operate a small to medium business, this blog will explain simple steps you can take now to protect against similar data breaches and other cyber threats.

Key Takeaways

  • Almost half of UK businesses experienced a cyberattack in the past year, and many smaller organisations may be targeted without realising it.
  • The financial impact can be devastating, with major firms losing hundreds of millions and typical ransom demands averaging around 1.5% of annual revenue.
  • Most attacks exploit human behaviour, using tactics such as phishing, ransomware, and data leaks to take advantage of trust, urgency, or simple mistakes.
  • Cyberattacks are becoming more ruthless, with incidents like the Kido nursery breach showing that no business or sector is off limits.

The Growing Threat

The nursery attack is more than just a shocking story – it’s a warning. Data itself is now a valuable asset in the criminal economy.

And if cybercriminals are willing to leak the personal details of children to extort money, then every business, in every sector, must consider itself a target.

The government Cyber Security Breaches Survey 2025 shows just how widespread the threat has become:

  • 43% of UK businesses experienced at least one cyber breach or attack in the past 12 months.
  • 42% of medium-sized businesses said they had been directly targeted by cybercrime.

The survey’s technical report also highlights that many smaller organisations likely experience attacks without even realising it, as limited resources and defences make detection harder.

What a Cyberattack Can Cost You

The outcomes of these attacks vary.

For example, Marks & Spencer acknowledged that its 2025 cyberattack will cost around £300 million in lost profits and disruption.

More recently, Jaguar Land Rover has been successfully targeted. Its factories have been shut down in the UK after a ransomware-style attack, with reports suggesting it may be losing £50 million per week while the production halt continues.

For large firms with deep reserves or diversified revenue streams, such losses may be survivable. For smaller or mid-sized organisations, a comparable hit would likely be crippling.

Returning to the UK Government’s Cyber Security Breaches Survey 2025, the average financial cost of the most disruptive cyber incident reported by a business was £3,550.

However, this figure reflects only direct financial losses, not the wider costs of forced downtime, reputational harm, or lost customers.

The Most Common Tactics Hackers Use

Cybercriminals use many different methods to steal data, extort money, or disrupt operations. But most attacks succeed because of a single, universal weakness – people.

Hackers exploit trust, curiosity, or pressure to persuade someone to click a suspicious link, download an unsecured attachment, or disclose sensitive information.

Below are the most common types of attacks every organisation should recognise and prepare for:

Phishing

Phishing is the most common form of cyberattack.

It typically involves a text message or email that looks genuine, often from a colleague, manager, or government body. The fake message asks the recipient to click a link, download a file, or share information. Once clicked, these malicious links either grant access to hackers, download malicious programs onto your computer, or steal sensitive data.

Phishing is so successful because it exploits our willingness to please others. Most people act without thinking when an authority figure or friend wants something urgently. Attackers use this instinct against us, pressuring people to click links to avoid a disaster or beat a deadline.

And the sophistication of these scams is growing. Attackers now use realistic branding, AI-generated messages, and even cloned websites to boost the reach and credibility of their phishing attempts.

How to reduce the risk: Pause before clicking. Check who the message really came from and verify unusual requests through another channel. Encourage employees to report suspicious emails rather than delete them.

Ransomware

Ransomware is a form of digital extortion.

Hackers gain access to a company’s systems and encrypt its data, locking users out until a ransom is paid. In some cases, the attackers also steal sensitive files and threaten to release them publicly if payment isn’t made, which is exactly what happened to nursery operator Kido.

These attacks work because organisations can’t function without access to their data. Each passing hour adds pressure, and many businesses are forced to pay to simply resume operations.

Ransomware typically enters through phishing emails, infected attachments, or stolen passwords. Once inside a system, it spreads quickly, targeting shared drives and backups to maximise the impact.

How to reduce the risk: Back up data regularly and store copies securely offline. Keep all software and devices updated to close security gaps. Use strong, unique passwords reinforced with multi-factor authentication (MFA).

Supply Chain Attacks

Supply chain attacks target your organisation through trusted partners or suppliers.

Instead of breaching your systems directly, hackers compromise a company you rely on – such as a software provider or logistics partner – and use that connection to gain access. Again, this was a factor in the Kido hack.

These attacks work because businesses assume their suppliers maintain the same security standards, so those suppliers aren’t actively scrutinised.

In reality, many third parties are actually less protected, making them easier entry points. Once inside a shared platform or network, attackers can move laterally, spreading the infection or stealing data unnoticed.

How to reduce the risk: Vet suppliers carefully and ensure they meet recognised cybersecurity standards, such as Cyber Essentials. Constantly review who has access to your systems and data, and restrict permissions to what’s strictly necessary. Regularly audit third-party access to confirm it’s still needed.

Data Leaks

Data leaks happen when sensitive information is lost, sent to the wrong person, or left unsecured.

They’re often the result of everyday mistakes – an email sent to the wrong address, a spreadsheet uploaded publicly, or even paper files forgotten somewhere and found by the wrong person. The impact can be severe: reputational damage, legal consequences, and loss of client trust.

These incidents are so common because they stem from human error, not malicious intent. Busy employees will rush to meet deadlines, and the pressure to move quickly causes mistakes.

How to reduce the risk: Limit who can access sensitive data and ensure staff understand how to handle it securely. Encourage employees to slow down when sending or sharing files, and create a culture where admitting mistakes early is rewarded.

What You Can Do

Cybersecurity isn’t complicated – it’s mainly about awareness and consistency. Small improvements made today can protect your business from serious damage tomorrow.

  1. Use strong passwords: Avoid reusing passwords across systems. Enable multi-factor authentication wherever possible.
  2. Keep software updated: Regularly install updates for all devices, apps, and operating systems to close security gaps.
  3. Back up your data: Securely store hard copies of important files so your business can recover quickly after an attack.
  4. Control access: Give employees access only to the data and systems they need for their work.
  5. Secure your network: Protect Wi-Fi with strong passwords and avoid public or shared networks for work devices.
  6. Plan ahead: Have a simple incident response plan so everyone knows what to do if a breach occurs.
  7. Train your team: Teach staff to spot suspicious emails, links, and attachments. Awareness is the strongest defence.

In fact, cybersecurity training is one of the simplest and most effective ways to reduce your organisation’s risk.

We offer a range of fully online courses covering the essentials of cyber security, data security and GDPR compliance.

Every course awards a certificate of completion, showing customers, suppliers, and partners that your organisation has taken active steps to protect itself against hackers. Certification also supports your company’s progress toward Cyber Essentials accreditation.

About the author(s)

Jonathan Goby
