It’s Everyone’s Business to Protect SMEs in the Cybercrime Battle

It’s hard to avoid the subject of cybersecurity, following the recent damaging attacks on Marks & Spencer, The Coop and other high-profile organisations.^[1]

And whilst this exposure has undoubtedly focused the minds of businesses, media and individuals, what is lacking from the cyber security conversation is small businesses and how they are not just at risk of cyber-attacks, but present a serious threat to the global IT infrastructure.

I wrote about the impact of SMEs on global cybersecurity back in 2009 and today, the issues identified 16 years ago not only remain, but are of greater concern. Much more needs to be done to acknowledge the importance of SMEs and, in turn, offer them the necessary support to mitigate their risk in the cyber ecosystem.

Yet despite SMEs forming a crucial part of our critical infrastructure, the government’s own research has shown that 26% of micro businesses have no formal cyber policies, 38% use default or weak passwords across key systems and 42% are unaware of key compliance standards relevant to their sector.^[3]

So why does this matter? Although small businesses might not own public infrastructure or ISP-level assets, collectively they manage vast private IT environments that are a potential risk for cyber-attacks. There is currently a lot of talk around supply chain security and, whilst this is admirable, it fails to understand that many businesses further down the supply chains are likely to be SMEs that lack adequate protection.

The Threats and Risks
Since I wrote the original article, the cyber landscape today is even more sophisticated, fast-moving and interconnected that before. Attackers are not just targeting the FTSE 100 companies – they’re going for SMEs, who are often woefully under protected.

My original paper highlighted the risk posed by botnets – malicious networks often powered by hijacked, poorly protected systems – and this has worsened significantly since 2009.

In 2024, more than 90% of spam and Distributed Denial of Service (DDoS) traffic came from botnet-compromised systems.^[4] Their network configurations, especially with outdated or consumer-grade devices, remain attractive targets – almost half of malware infections in 2023 came from unmanaged or semi-managed SME networks, particularly in healthcare, retail and education sectors. ^[5]This reaffirms that SMEs are not just victims of cybercrime, but increasingly form the digital surface through which attacks scale.

Yet despite clear evidence of the risks, small businesses often operate with little effective cyber governance. National cyber policies remain too complex for most SMEs to implement – ISO 27001 certification^[6] and NIS2 compliance^[7] are admirable goals, but for a five-person accounting firm, they’re about as feasible as building their own firewall from scratch.

Even with the availability of simplified guides and toolkits, the onus still falls on SMEs to make sense of fragmented and complex technical advice and turn it into action.

The Way Forward
Burdening SMEs with more bureaucracy and legislation is not the answer. There must be state-level acknowledgement that SMEs form part of the UK’s critical infrastructure and the necessary support put in place to limit their vulnerabilities.

Some key areas that could help address this:

• The government needs to gain an understanding of the SME risk by mapping the real structure of the SME IT landscape across industries and sectors. This should ideally be led by the NCSC (National Cyber Security Centre).^[8]
• Help and encourage the use of new technologies that naturally make it harder for hackers to attack a system, including SaaS (Software as a Service), MDM (Mobile Device Management) and hardened Linux-based platforms.
• Move more of the responsibility for cybersecurity to the corporations (such as Microsoft, Google) that provide internet, software and cloud services. There should be enforced secure-by-default configurations and remote enforcement of minimum standards.
• Simplify language and configuration: Make security products easy to understand and use, even for non-experts. They should come with simple settings, clear access controls based on roles, strong password practices and automatic updates built in.
• Focus on the basics: Make sure features like User Account Control (UAC), limited admin access, multi-factor authentication (MFA) and real-time backups are used. Encourage these practices by offering rewards or requirements in insurance policies and business contracts.