Fraud, hacks and data leaks: Is your small business really covered?

Cybercrime is not a problem confined to multinationals or high-profile tech firms. SMEs across the UK are increasingly in the firing line, and many don’t even realise it until it’s too late.

According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of UK businesses and 30% of charities experienced a cyber breach or attack in the past year. The nature of the attacks is evolving fast, with phishing and impersonation attempts still the dominant threats. These are not sophisticated technical break-ins – they’re low-effort, high-impact scams exploiting human error and unprotected systems.

And the scale is staggering. UK businesses faced more than 753,000 malicious attempts to breach their systems in 2024 – the highest on record. That’s an attempted attack every 42 seconds. Even major retailers like Marks & Spencer haven’t been spared, with a recent ransomware attack not only exposing customer data, but suspending online orders and disrupting store deliveries, costing the company millions.

For SMEs, the consequences can be even more severe. A smaller customer base means reputational damage can spread fast. A leaner team often means no dedicated IT department. And slimmer margins make it harder to absorb operational downtime or regulatory fines.

Despite this, many SMEs are underprepared.

Why are small businesses such attractive targets?

Cybercriminals know that small businesses are often easier to breach. They are more likely to use older software, rely on outsourced or informal IT support, or have engaged in inadequate employee training when it comes to identifying threats like phishing emails or spoofed login pages. Once inside, attackers can steal customer data, lock systems with ransomware, or quietly sit within a network until the time is right. 

Cyber insurance: A safety net that’s too often overlooked

This is where cyber insurance comes in. While most businesses wouldn’t dream of operating without employers’ liability or public liability insurance, cyber insurance is still seen by many SMEs as optional, or possibly overly complex. It’s neither.

Cyber insurance isn’t just about reimbursing costs. It can cover data recovery, legal fees, regulatory penalties, business interruption losses, and even PR or crisis communications support. More importantly, it gives access to specialist cyber response teams who can help minimise the fallout in the critical first hours of an attack.

It’s practical peace of mind.

What can businesses do to reduce their risk?

Insurance is a powerful tool, but it works best as part of a wider defence. Here are some simple, practical steps SMEs can take:

• Train your team: Human error is likely to be every company’s biggest weakness, regardless of its size. Make sure staff know how to spot phishing emails, suspicious links, and impersonation attempts.

• Use strong passwords and two-factor authentication: This is especially key when it comes to using things like admin accounts, cloud tools, and anything that handles customer or financial data.

• Keep systems updated: Regular updates can fix vulnerabilities that cybercriminals love to exploit. These will often update automatically, but it makes sense to regularly check for new patches.

• Back up data regularly: And make sure those backups are stored separately from your main network.

• Have a plan: In the event of a breach, knowing who to call, what to shut down, and how to communicate with customers can save time, money, and a lot of potential stress.

It’s not just tech companies that need protection

Whether you're a bakery using a point-of-sale system, a small marketing agency storing client data, or a legal firm handling sensitive documents, digital risk is a major business risk. If you hold any customer data — and nearly all businesses do — there’s a chance you’ll be a target at some time or another.

As the cyber landscape continues to evolve, SMEs can’t afford to assume they’re too small to be noticed. The damage from a breach isn’t theoretical – it’s financial, reputational, and potentially legal.