Jessica O'ConnorSmall and medium-sized enterprises (SMEs) in the UK are facing an increasing number of cyberattacks, with Government data indicating that these businesses are being targeted more frequently than ever before.
According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of UK businesses and 30% of charities reported experiencing a cyber breach or attack in the past 12 months.
The most common forms of attack include phishing scams and impersonation attempts.
These are typically low-technical-effort scams that exploit human error and unprotected systems rather than sophisticated hacking techniques.
In total, UK businesses faced more than 753,000 malicious attempts to breach their systems in 2024, setting a new record and averaging one attempt every 42 seconds.
Major UK companies have also been affected. Marks & Spencer recently reported a ransomware incident that disrupted online orders and store deliveries and exposed customer data, resulting in significant financial losses.
However, experts say smaller businesses may face even greater challenges recovering from such incidents.
Joe Phelan, a business savings expert at money.co.uk, said SMEs are increasingly being targeted by cybercriminals due to their comparatively weaker security measures.
He said: “Think you’re too small to be hacked? Think again.
“From phishing scams to ransomware attacks, cybercriminals are targeting SMEs in record numbers.”
Smaller firms are often seen as attractive targets because they are more likely to use outdated software, lack dedicated IT support, and provide minimal cybersecurity training to staff.
These factors make it easier for attackers to gain access to sensitive information or systems.
Phelan emphasised that many SMEs are not adequately prepared to respond to cyber incidents.
He added: “Cybercrime is not a problem confined to multinationals or high-profile tech firms.
“SMEs across the UK are increasingly in the firing line, and many don’t even realise it until it’s too late.”
Phelan sugggested that cyber insurance could provide an important safety net for SMEs.
Unlike traditional policies such as employers’ liability or public liability insurance, cyber insurance remains underutilised among small businesses.
Coverage typically includes data recovery, legal costs, regulatory fines, loss of business income, and access to specialist cyber response teams.
Phelan also noted that insurance should be part of a broader risk management strategy.
Recommended measures for SMEs include staff training on how to identify phishing emails, using strong passwords with two-factor authentication, keeping systems up to date with the latest patches, regularly backing up data to offline locations, and establishing a clear response plan in case of a breach.
He concluded: “Whether you’re a bakery using a point-of-sale system, a small marketing agency storing client data, or a legal firm handling sensitive documents, digital risk is a major business risk.
“If you hold any customer data — and nearly all businesses do — there’s a chance you’ll be a target at some time or another.”
