Cyber attacks are not something that happens to large corporations while small businesses watch from the sidelines. According to the UK government's Cyber Security Breaches Survey 2025, 42% of small businesses experienced a cyber attack or breach in the previous twelve months. That is more than two in five small businesses, and the figure has stayed above 40% for several years running.
This guide sets out what threats small businesses in the UK actually face, what practical protection looks like, and what you are now legally expected to have in place — without the jargon that tends to make this topic feel more complicated than it needs to be.
Why Small Businesses Are Targeted
The assumption that attackers only go after large organisations is one of the most persistent and dangerous myths in cyber security. In practice, small businesses are attractive targets precisely because they often have less protection in place, less time to dedicate to security, and fewer resources to recover when something goes wrong.
Most attacks are not sophisticated. They are automated, opportunistic and designed to find the path of least resistance. An attacker is not specifically targeting your business — they are running tools that probe thousands of businesses at once, looking for weak passwords, unpatched software, or an employee who will click the wrong link. If your defences are weak, you will be found.
The financial impact is significant. The mean cost of a cyber incident to a UK business is £1,970, according to government data — and that figure rises sharply for more serious attacks. The average cost of a significant attack is approximately £195,000 when you factor in downtime, recovery, reputational damage and regulatory exposure.
The Threats You Are Most Likely to Face
Phishing. The most common attack type by a considerable margin. Phishing was behind 93% of successful breaches against UK businesses in 2025, according to government figures. It involves an email, text or call designed to trick someone in your business into handing over credentials, clicking a malicious link or authorising a payment. The messages have become significantly more convincing, particularly as attackers use AI to personalise them at scale.
Ransomware. Ransomware attacks doubled in 2025 and are now the top threat identified by the NCSC. Attackers encrypt your files and demand payment to restore access. Many businesses pay. Many never fully recover their data even after paying. The 2025 attacks on major UK retailers — which resulted in estimated combined losses of £270m to £440m — showed that ransomware has become both more frequent and more damaging.
Business email compromise. An attacker either gains access to a genuine business mailbox or spoofs one, then uses it to redirect payments, request sensitive data or impersonate senior staff. It causes significant financial losses and is often discovered only after the money has moved. Two controls cover most of it: publish SPF, DKIM and DMARC records for your domain so that receiving mail servers can reject forged messages, and verify any change of bank details or any unusual payment request by phone, on a number you already hold rather than one in the email.
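Whether your own domain can be spoofed is something you can check yourself from its DNS records. The script below is an added example, not code from this article or any tool it mentions: it grades a domain's SPF record (does it end in a hard fail, and does it stay within the 10-lookup limit that otherwise makes receivers ignore it) and its DMARC record (is the policy reject, quarantine or monitor-only, is it applied to all mail, and is reporting switched on). The TXT records are constructed in the script so it runs offline; for a real domain, paste in what `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain` return. DKIM is deliberately left out because its selector names cannot be discovered from DNS alone.

```python
"""Check whether a domain's SPF and DMARC records actually stop attackers from
sending mail that claims to come from it.

Added example, not code from the original article. The DNS answers are
constructed here so the script runs offline; for a real domain, paste in the
TXT records returned by `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`.
DKIM is not assessed because its selector names are not discoverable from DNS.
"""
import re

# Constructed TXT records standing in for real DNS lookups.
CONSTRUCTED_DNS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 mx include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "absent.example": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def assess_spf(record):
    """Return (score 0-2, findings) for an SPF TXT record."""
    if not record or not record.lower().startswith("v=spf1"):
        return 0, ["no SPF record: any server can send mail claiming this domain"]
    terms = record.split()[1:]
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        return 0, [f"{lookups} DNS lookups exceeds the limit of 10: receivers treat this as a permerror and ignore the record"]
    qualifier = None
    for t in terms:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.I)
        if m:
            qualifier = m.group(1) or "+"
    if qualifier == "-":
        return 2, []
    if qualifier == "~":
        return 1, ["~all (soft fail) only marks forged mail; -all tells receivers to reject it"]
    if qualifier in ("+", "?"):
        return 0, [f"{qualifier}all authorises every sender on the internet, so SPF gives no protection"]
    return 0, ["no 'all' term: unlisted senders get a neutral result and forgeries are not blocked"]


def assess_dmarc(record):
    """Return (score 0-2, findings) for a _dmarc TXT record."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return 0, ["no DMARC record: SPF/DKIM failures carry no instruction to reject or report"]
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "none").lower()
    score = {"reject": 2, "quarantine": 1}.get(policy, 0)
    if policy == "quarantine":
        findings.append("p=quarantine sends forgeries to spam; p=reject stops delivery")
    elif policy != "reject":
        findings.append("p=none is monitor-only: forged mail is still delivered")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if score and pct < 100:
        score = 1
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing the domain")
    if score and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return score, findings


def assess_domain(domain, dns=CONSTRUCTED_DNS):
    """Verdict is driven by DMARC, since that is what instructs receivers to
    reject; SPF findings are reported alongside as hardening advice."""
    records = dns[domain]
    spf_score, spf_findings = assess_spf(records["spf"])
    dmarc_score, dmarc_findings = assess_dmarc(records["dmarc"])
    verdict = {2: "enforced", 1: "partial"}.get(dmarc_score, "spoofable")
    return {"domain": domain, "verdict": verdict, "findings": spf_findings + dmarc_findings}


if __name__ == "__main__":
    for name in CONSTRUCTED_DNS:
        result = assess_domain(name)
        print(f"{result['domain']}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

A domain with SPF but a DMARC policy of none, the most common state for small businesses, comes out as "spoofable": SPF alone only asks receivers to note the failure, and without DMARC there is no instruction to reject and no report back to you.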
Credential attacks. Weak or reused passwords remain one of the most exploited weaknesses. Attackers take lists of credentials leaked from other sites' breaches and try them against your accounts automatically (credential stuffing). If your staff use the same password across multiple services, one breach anywhere becomes a breach everywhere. A password manager makes a unique password per service practical, and a breached-password check catches the ones that have already leaked.
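The two checks behind that paragraph, as an added example rather than code from this article: a breached-password lookup done in the k-anonymity style used by public breached-password services (only the first five hex characters of the password's SHA-1 are sent, and the service returns every suffix it knows for that prefix, so the password itself never leaves your machine), and a reuse scan that flags the same password protecting more than one service. The breach corpus and the staff credential list are constructed here so the script runs offline; a real check would send the prefix to the service and read back lines in the same "SUFFIX:COUNT" shape.

```python
"""Breached-password check (k-anonymity style) plus password-reuse scan.

Added example, not code from the original article. The breach corpus and the
staff accounts below are constructed so the script runs offline; in practice
the range response comes from a breached-password service and the account
hashes from a password-manager audit.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> times seen in public breaches.
CONSTRUCTED_BREACHES = {
    "password": 9_659_365,
    "Summer2024!": 1_312,
    "letmein": 266_000,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breaches):
    """Service side, simulated: group hash suffixes under their 5-char prefix,
    each line in the 'SUFFIX:COUNT' form a range query returns."""
    index = defaultdict(list)
    for pw, count in breaches.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in index.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHES)


def breach_count(password, range_index=RANGE_INDEX):
    """Client side: the prefix is the only thing that would cross the network.
    Returns how many times the password appears in the corpus, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    response = range_index.get(prefix, "")
    for line in response.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_reuse(accounts):
    """accounts: iterable of (user, service, password).
    Returns {user: [services]} where one password protects several services.
    Grouping is by hash, so plaintexts need not be retained for the comparison."""
    by_user = defaultdict(lambda: defaultdict(list))
    for user, service, pw in accounts:
        by_user[user][sha1_hex(pw)].append(service)
    reused = {}
    for user, hashes in by_user.items():
        for services in hashes.values():
            if len(services) > 1:
                reused.setdefault(user, []).extend(sorted(services))
    return reused


# Constructed staff credential list for the demo only; a real audit works from
# hashes exported by a password manager, never a plaintext list like this.
CONSTRUCTED_ACCOUNTS = [
    ("alice", "email", "Summer2024!"),
    ("alice", "accounting", "Summer2024!"),
    ("alice", "crm", "correct horse battery staple 42"),
    ("bob", "email", "letmein"),
    ("bob", "crm", "z7#Qp9!vLm2$wR"),
]


def audit(accounts=CONSTRUCTED_ACCOUNTS):
    """Return {user: [problems]} combining breach hits and cross-service reuse."""
    report = {}
    for user, service, pw in accounts:
        seen = breach_count(pw)
        if seen:
            report.setdefault(user, []).append(f"{service}: password seen {seen:,} times in breaches")
    for user, services in find_reuse(accounts).items():
        report.setdefault(user, []).append("same password on " + ", ".join(services))
    return report


if __name__ == "__main__":
    for user, problems in audit().items():
        print(user)
        for problem in problems:
            print("  -", problem)
```

The point of the prefix split is that a breached-password service learns nothing usable about the password: hundreds of real passwords share any five-character prefix, and the matching is done on your side.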
What Basic Protection Actually Looks Like
The NCSC's position is that implementing five core controls — the same five that underpin Cyber Essentials certification — will prevent the large majority of common attacks. These are not advanced measures. They are the baseline that every business should have in place.
A properly configured firewall. Not a consumer broadband router left on default settings. A firewall with its default administrator password changed, inbound connections blocked unless there is a documented business need, its management interface not reachable from the internet, and its rules reviewed and updated as your setup changes.
Secure configuration of your devices and software. Removing unnecessary software, changing default credentials, disabling features you do not use. Most devices come set up for convenience, not security — those defaults need to be changed.
User access controls. Each person has their own account, with no shared logins, and staff only have access to the systems and data their role needs. Admin accounts should not be used for everyday tasks like email and web browsing. Leavers' accounts should be disabled promptly.
Malware protection. Up-to-date antivirus or endpoint protection software across all devices, including any personally owned devices that access business systems.
Security updates applied promptly. Unpatched software is one of the most common ways attackers gain access. Updates that fix critical or high-severity vulnerabilities should be applied within 14 days of release; Cyber Essentials treats this as a requirement rather than a recommendation, and software that the vendor no longer supports has to be removed or isolated from the network.
Beyond these five controls, multi-factor authentication deserves separate mention. Enabling MFA on every account that supports it, particularly email, cloud services and anything containing customer or financial data, blocks the vast majority of credential-based attacks. It is the single highest-impact step most small businesses can take right now. Not all MFA is equal, though: codes sent by SMS can be intercepted, and any code a user types can be phished in real time on a fake login page, so prefer an authenticator app and, where the service offers them, passkeys or a hardware security key, which are bound to the genuine site and cannot be relayed by a phishing page.
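To show what an authenticator-app code actually is, and why a stolen password alone no longer gets an attacker in, here is an added example (not code from this article) that generates and verifies time-based one-time passwords as specified in RFC 6238 over RFC 4226, which is what most authenticator apps implement: HMAC-SHA1 over a 30-second counter, truncated to six digits. The secret is the RFC test secret so the output can be checked against the published test vectors; it is not a real secret and must never be used as one. The verifier shows the two details a practitioner needs to get right: a small window for clock drift, and refusal of any counter already accepted so an intercepted code cannot be replayed.

```python
"""Generate and verify TOTP codes (RFC 6238 over HOTP, RFC 4226).

Added example, not code from the original article. RFC_TEST_SECRET_B32 is the
RFC 4226 test secret "12345678901234567890" in base32, used only so the
results match the published vectors; never use it for a real account.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_b32(secret_b32):
    # Authenticator apps usually show the secret without padding; restore it.
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second periods since the epoch."""
    at = int(time.time()) if at is None else at
    return hotp(_decode_b32(secret_b32), at // step, digits)


def verify_totp(secret_b32, submitted, at=None, last_accepted=None, window=1, step=30, digits=6):
    """Server-side check. Accepts the current period and `window` periods either
    side to tolerate clock drift, refuses any counter at or below the last one
    accepted (so an intercepted code cannot be replayed) and compares in
    constant time. Returns the matching counter, or None if the code is bad."""
    at = int(time.time()) if at is None else at
    secret = _decode_b32(secret_b32)
    submitted = submitted.strip().replace(" ", "")
    for delta in range(-window, window + 1):
        counter = at // step + delta
        if last_accepted is not None and counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 table: at time 59 the 8-digit code is 94287082, so 6 digits give 287082.
    print(totp(RFC_TEST_SECRET_B32, at=59))
    print(verify_totp(RFC_TEST_SECRET_B32, "287082", at=59))                    # counter 1
    print(verify_totp(RFC_TEST_SECRET_B32, "287082", at=59, last_accepted=1))   # replay: None
```

The replay check is why a phishing page that captures a six-digit code has to use it within seconds, and only once; it is also why that attack still works at all, which is the argument for passkeys or a security key on the accounts that matter most.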
Staff Awareness Matters as Much as Technology
Most successful attacks exploit human behaviour rather than technical vulnerabilities. A firewall cannot stop an employee from entering their password on a convincing fake login page. Awareness and training reduce how often that happens; a password manager that refuses to fill credentials on the wrong domain, and MFA that cannot be relayed, limit the damage when it does.
Government data shows that only 19% of UK businesses provided cyber security training in the past year. That is a significant gap, given that phishing is behind the overwhelming majority of breaches. Training does not need to be expensive or time-consuming: regular, brief reminders about what phishing looks like and what to do when something seems suspicious are more effective than an annual presentation that staff forget within a week. Make sure staff know how to report a suspicious message internally without blame, and that they can forward suspected phishing to the NCSC's reporting service at report@phishing.gov.uk.
What the Government Now Requires
Cyber security is increasingly a legal and regulatory matter, not just a business decision.
Cyber Essentials certification is mandatory for any business bidding for UK government contracts that involve handling personal or sensitive data. Beyond government work, more organisations across the private sector are requiring their suppliers to hold certification as a condition of working with them.
The Cyber Security and Resilience Bill is currently progressing through Parliament and is expected to become law later this year. It will expand the sectors covered by cyber security regulation, introduce mandatory 24-hour incident reporting requirements and bring managed service providers into scope for the first time. Penalties of up to £17m or 4% of global turnover are proposed for serious failures.
Even if your business is not directly regulated, the ripple effects through supply chains mean these requirements will affect how your clients and partners expect you to operate.
Where to Start If You Have Not Started Yet
The NCSC's free Cyber Essentials Readiness Tool is a practical starting point. It walks you through the five controls and produces a tailored action plan based on your answers.
If you want an independent view of where you stand, our free email and website security tools will check your email authentication and security headers instantly — no signup required.
For businesses that want expert support — whether that is preparing for Cyber Essentials certification, understanding your current exposure, or putting a practical security plan in place — book a free consultation with the SME Cyber Solutions team. We are CREST-certified, hold Cyber Essentials ourselves and have been supporting UK SMEs with practical security for years.
You can also read our guide to the April 2026 Cyber Essentials changes for detail on what has just changed in the certification scheme.
Frequently Asked Questions
How much does a cyber attack cost a small UK business?
According to the UK government's Cyber Security Breaches Survey 2025, the mean cost of a cyber incident is £1,970. For more serious attacks, the average rises significantly — the estimated cost of a significant attack is approximately £195,000 when all impacts are accounted for.
Do small businesses really get targeted by cyber attacks?
Yes. Government data shows 42% of UK small businesses experienced a breach or attack in the twelve months covered by the 2025 survey. Small businesses are often targeted because they have weaker defences than larger organisations, making them easier to compromise with automated, opportunistic attacks.
What is the most important thing a small business can do to improve cyber security?
Enable multi-factor authentication on every account that supports it, particularly email, cloud services and anything containing customer data, and prefer an authenticator app, passkey or security key over SMS codes. This single step blocks the majority of credential-based attacks, which account for a significant proportion of all breaches.
Is Cyber Essentials mandatory for small businesses?
It is mandatory for businesses bidding for UK government contracts that involve handling personal or sensitive data. It is not currently mandatory for all businesses, but the Cyber Security and Resilience Bill progressing through Parliament in 2026 may expand regulatory requirements significantly.
What does cyber security cost for a small business?
Costs vary depending on what you put in place. Cyber Essentials certification starts at £320 +VAT. Basic security tools — antivirus, a password manager, MFA — are available at low cost or free. The more meaningful comparison is against the cost of not acting: the mean cost of a cyber incident to a UK business is £1,970, and serious incidents cost considerably more.