Cybersecurity for UK SMEs: how can you protect your business from emerging threats?
43% of UK businesses identified some form of cyber attack or breach in 2025, and it’s important to remember that no organisation is immune. From multinational brands to smaller UK firms, business leaders must all be vigilant. Most breaches stem not from sophisticated hackers but from simple human error that leaves vulnerabilities exposed. This blog introduces some of the risks that SMEs are facing now, and provides practical guidance and suggested next steps to help businesses protect themselves and their staff.
Why are cyberattacks on the rise?
Cyberattacks in the UK have surged over the past year, with incidents categorised as “highly significant” rising by 50%, according to the National Cyber Security Centre (NCSC). Household names like Marks & Spencer, Jaguar Land Rover and the Co-op Group have all fallen victim in recent months, reminding businesses that a proactive and consistent approach to cybersecurity is critical.
But why are cyberattacks on the rise? Some of the most important factors are advances in technology, increasing reliance on digital systems and the growth of remote working. Together these widen the attack surface of a typical business, meaning attackers have more opportunities than ever to exploit vulnerabilities.
What kinds of risks have we seen in recent big cyberattacks?
Recent breaches have had a range of negative impacts on the businesses involved. Advertising giant Dentsu confirmed in October 2025 that personal and payroll details were potentially stolen via its subsidiary agency Merkle, creating identity theft and financial exposure risks for staff. In April 2025, Marks & Spencer (M&S) suffered a ransomware attack that forced the retailer to halt online orders and click-and-collect services for weeks. Criminals gained access through a third-party contractor’s systems and went on to encrypt over 600 of M&S’s servers, demonstrating that even major UK enterprises are vulnerable through weak vendor links. Half-year profits slumped from £391 million to £3.4 million, largely as a consequence of this attack.
Other attacks on major firms involved supply chain compromises and system shutdowns that disrupted operations for days. These examples show that cyber threats can affect finances, reputation, and operational continuity, whether the attack targets your data, your customers, or your suppliers.
What are the most common things putting UK SMEs at risk from cyberattacks?
When hearing about cyber attacks, it’s easy to assume they all come from highly sophisticated individuals with complex plans. Perhaps surprisingly, for UK businesses the majority of breaches (around 90%) stem from human error rather than sophisticated hacking. Mishandled emails, weak passwords, poor staff training and insecure third-party connections are the most common entry points.
The attack on M&S was found to have started with social engineering: the attackers impersonated people they were not in order to get passwords reset and obtain valid authentication credentials, with no technical exploit needed. The recent attack on Kido Nurseries has been blamed on flaws in third-party systems used by the company, highlighting how weaknesses can ripple through a supply chain and cause disruption far beyond the initial breach. Let’s not forget that, following the theft at the Louvre in Paris, it was reported that the password protecting the museum’s video surveillance system had been “Louvre”. A password that is simply the organisation’s own name is one of the first things an attacker will try, whether the system guards a network or a building.
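Weak passwords of the “Louvre” kind are easy to screen out automatically. The following is an added example, not code from the original post or from FACT3, of a password denylist check in the spirit of NCSC guidance: favour length over complexity rules, block passwords on a common-password list, and block anything containing words an attacker can guess about the target (the organisation’s name, brands, site names). The denylist and the context words are constructed samples; a real deployment would load a full breached-password list.

```python
"""Password denylist check (added example, not FACT3's own tooling).

Rejects passwords that are short, on a common-password list, contain a
word specific to the organisation (its own name, as at the Louvre), or
are made of obvious repeats and keyboard sequences.
"""
import re
import unicodedata

# Constructed sample denylist; load a full common/breached list in production.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon",
}

# Substitutions attackers try first ("Passw0rd", "L0uvre"); undone before comparing.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalise(text: str) -> str:
    """Lower-case, fold Unicode look-alikes and undo common leet substitutions."""
    return unicodedata.normalize("NFKC", text).casefold().translate(LEET_MAP)


def check_password(password: str, context_words, min_length: int = 12) -> list:
    """Return the failure codes for `password`; an empty list means accepted.

    context_words: organisation-specific words (company name, brands, sites)
    that must never appear in a staff password, in any case or leet spelling.
    """
    failures = []
    raw = unicodedata.normalize("NFKC", password).casefold()
    norm = normalise(password)

    if len(password) < min_length:
        failures.append("too_short")

    # Strip leading/trailing digits and punctuation before the denylist lookup,
    # so "Passw0rd2025!" is still recognised as "password".
    core = normalise(re.sub(r"^[^a-z]+|[^a-z]+$", "", raw))
    if core in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        failures.append("common_password")

    # The organisation's own name, even with digit substitutions, is a guess
    # an attacker makes before any brute force.
    for word in context_words:
        w = normalise(word)
        if len(w) >= 4 and w in norm:
            failures.append("context_word")
            break

    # Four or more of the same character, or a run from the keyboard/number row.
    if re.search(r"(.)\1{3,}", raw):
        failures.append("repeated_chars")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf", raw):
        failures.append("sequence")

    return failures


if __name__ == "__main__":
    org_words = ["Louvre"]  # constructed: the organisation's own name
    for candidate in ["Louvre", "L0uvre2025!", "Passw0rd2025!", "correct-horse-battery-staple"]:
        verdict = check_password(candidate, org_words) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The context-word check is the part most policies omit: Active Directory complexity rules would happily accept “L0uvre2025!”, but normalising both the password and the organisation’s name first catches it. Passphrases of three or four random words pass because the policy rewards length rather than symbol-juggling.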
However, only 15% of UK SMEs actively assess their cyber resilience, and only 14% train their staff in cybersecurity, leaving many blind to hidden vulnerabilities.
What measures can UK SMEs put in place to protect themselves from cyberattacks?
Proactive steps can dramatically reduce risk. The first step for SMEs is to commission a cyber security audit to identify weaknesses and understand how to strengthen the resilience of the business. FACT3 helps businesses strengthen cybersecurity through:
Cybersecurity audits to identify vulnerabilities
Progress through an understood cybersecurity posture roadmap:
Level 0 – Not aligned to any cybersecurity standard, dangerous
Level 1 – Aligned to Cyber Essentials Plus, the absolute minimum standard of cybersecurity
Level 2 – Level 1 plus FACT3 Systems Team protection that includes additional technical security and policy controls
Level 3 – ISO 27001 alignment and additional technical security controls
Phishing simulations and staff training to reduce human error
Supply chain audits and continuous monitoring to secure trusted connections
Cybersecurity Level 2 (CSL2) framework to move beyond a basic Cyber Essentials level, helping to move towards ISO standard resilience quickly
Once they’ve taken action, organisations see results quickly. A recent logistics client reduced its phishing risk by 68% in 60 days, while other SMEs we work with in manufacturing and retail achieved robust security within weeks.
Cyber threats are evolving rapidly and are a significant concern. But a proactive approach will help SMEs to stay ahead of the cyber attackers, protecting their operations, reputation, and staff.
At which cybersecurity level does your organisation sit? If it’s 0 or 1, we recommend you take action now. FACT3 Level 2 controls offer a great intermediary step towards full ISO 27001, with enhanced protection in the near term.
If you would like to find out more about how to protect your business, book a free cybersecurity audit with FACT3 today via our Head of Client Development, Neil Rushbrook, to take the first step in understanding your real risk exposure and how to reduce it.
Author biography
Andrew Doyle, Fractional Chief Information Officer and Partner, FACT3
Andrew brings over 26 years of IT experience to the FACT3 Systems team having worked with Royal & Sun Alliance, IBM, and AstraZeneca in his previous roles. Since Andrew joined FACT3 in 2021, he has driven significant growth through delivery of pragmatic, cost-effective IT solutions for SMEs. Andrew is passionate about delivering technology strategies that are of the scope and scale to suit the individual needs of each of his SME clients.