Cyber crime isn’t just a big-business problem anymore. Figures from the UK government show that cyber threats cost UK businesses £14.7 billion a year, while it’s estimated that half of small firms experienced a cyber breach or attack in the past 12 months.

For SMEs, the stakes are high: a serious incident can cost around £195,000 and, in some cases, threaten a business’s survival.

That’s why the government has launched a new campaign encouraging small businesses to “lock the door” on cyber criminals by adopting basic protections through the Cyber Essentials scheme. The message is simple: most attacks don’t rely on sophisticated hacking; they exploit everyday weaknesses like outdated software or weak passwords.

For time-pressed founders and small teams without dedicated IT departments, cyber security can feel overwhelming. But the reality is that building strong digital defences often comes down to a handful of simple practical steps that can significantly reduce risk.

Why SMEs are targets

It’s easy to assume that cyber criminals will only ever be interested in going after big brands. However, attackers often prefer smaller firms simply because they’re easier targets. SMEs generally have fewer security controls, less staff training, and limited monitoring, which can make them low-effort, high-reward opportunities.

It’s also the case that criminals will sometimes use SMEs as gateways into supply chains. So, if your business works with larger companies or holds sensitive client data, you may be seen as a stepping stone.

At the same time, cyber crime is becoming more automated. Mass phishing emails, password-cracking bots, and ransomware kits are widely available to those who operate in criminal circles. That means attackers might not even need to target you personally; they can just scan for vulnerabilities, and strike where they find them.

Why the basics matter

The government’s campaign highlights that most cyber incidents exploit simple gaps. Things like unpatched software, shared logins, or unrestricted access to files can create easy entry points. According to government data, 92% fewer insurance claims were made by organisations with Cyber Essentials in place, which goes a long way to showing that baseline protections work.

However, even with strong digital defences, no system is completely risk-free. That’s where business insurance can play a crucial role. Cyber insurance can help cover costs such as data recovery, legal fees, customer notification, and lost income following an attack. For small businesses in particular, having the right cover in place can mean the difference between a temporary setback and a major financial blow.

Start with practical steps

Improving cyber security doesn’t always require big budgets or specialist teams. The National Cyber Security Centre (NCSC) helped develop Cyber Essentials specifically for smaller organisations, focusing on five core protections that stop the most common attacks.

So, with that in mind, here are some clear actions UK SMEs can (and arguably should) take.

Install and maintain firewalls: Use firewalls on your internet connection and devices to block unauthorised access.

Secure your devices and systems: Turn off unused features, change default passwords, and ensure routers and laptops are properly configured.

Keep software up to date: Enable automatic updates on operating systems, apps, and plugins. Many attacks exploit known vulnerabilities that patches already fix.

Control who has access: Give staff only the access they need. Use strong passwords and enable multi-factor authentication on email, banking, and cloud tools.

Protect against malware: Install reputable antivirus software and train staff to recognise phishing emails and suspicious downloads.

Back up your data regularly: Keep secure, offline backups so you can recover quickly from ransomware or system failures.

Train your team: Most cyber incidents start with human error. Short training sessions can dramatically reduce risk.

Review your suppliers: If partners handle your data, check their cyber security practices too.

Treat cyber security as ongoing: Set regular reminders to review passwords, updates, and access controls.

Keep in mind that cyber criminals are always looking for easy wins. By putting basic protections in place, small businesses can remove the low-hanging fruit and make themselves far harder targets.

For SMEs trying to grow, protect cash flow, and build trust with customers, locking the digital door is no longer optional; it’s a crucial part of running a successful modern business.