Cyber Risks to SMEs

Contents:

Why cybersecurity is crucial for SMEs

Common threats to cybersecurity from SMEs

Ransomware

How can SMEs protect against ransomware?

Phishing attacks

How can SMEs protect against phishing?

Expanding IoT’s unpatched software, devices, and systems

How can SMEs minimise IoT vulnerabilities?

Whether you’re a small start-up or an established mid-sized company, a cyberattack can happen to anyone without the right security measures in place. This risk is a real reality and can happen no matter the company size – which is why it’s so critical to take all reasonable measures to protect your business’ and customer’s data. 

In this article, we will go over various cyber risks that SMEs may experience and several ways for businesses to protect themselves against cyberthreats. 

Why cybersecurity is crucial for SMEs

According to the Cyber Security Breaches Survey 2025 commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office. In 2025, 20% of 283,000 registered businesses have been the victim of at least one cybercrime. Whilst larger businesses are more likely to experience a cybercrime, the percentage of SMEs that experience an attack is far from insignificant. 18% of micro businesses, 25% of small businesses and 42% of medium businesses experienced a cybercrime.

Common threats to cybersecurity from SMEs

Ransomware

As you may be able to guess, ransomware is when an attacker makes important data inaccessible, holding it hostage in order to demand a ransom from the victim. In some cases, the attacker may also threaten to publish or sell sensitive information.

In cases of ransomware, a specific computer virus is used which disables or encrypts important data so that no one is able to access the data. The most common way the virus infects systems is through malicious links or downloads.

How can SMEs protect against ransomware?

• Make it routine to back up important and sensitive data to offline and secure locations. You can do so by using a comprehensive cloud platform like Microsoft Azure.
• Keep employees informed and educated on how to spot suspicious digital identities and links. 
• Closely manage roles and permissions to prevent any phishing attempts.
• Integrate detection and defence tools at initial entry points and channels to block attacks, for example, using a web application firewall (WAF) for security.
• Build and deploy ransomware recovery procedures into your SMEs’ cyber security policy.

Phishing attacks

Phishing is one of the most common cyberattacks wherein the attacker will impersonate a trusted contact or individual, usually over email, to extract personal and sensitive information from the victim. Prominent targets of phishing include passwords and card details.

Attackers most commonly put time pressure onto a victim or make an attractive offer which makes the victim act without thinking. While usually these phishing attempts present as written messages through email, WhatsApp or the like, phishing calls have become increasingly common.

With AI becoming increasingly sophisticated, phishing attacks now pose an even greater threat with improved deepfake technology. AI can be used to craft convincing emails which mimic the tone and writing style of trusted contacts. When these phishing attacks are highly personalised and crafted, they’re much more difficult to detect, and it means attackers would be more likely to succeed in these attacks.

How can SMEs protect against phishing?

• Invest in email filtering and threat detection systems to prevent as many phishing attempts as possible before they reach you or your employees’ inboxes.
• Educate your employees on what a phishing attempt may look like until they’re able to confidently spot phoney emails, messages, calls and the manipulation tactics that an attacker may use.
• Always check and encourage employees to deck any unusual requests by contacting the original sender directly through known and trusted channels to ensure that the request is not being made fraudulently.
• SMEs should also consider securing their accounts through multi-factor authentication for an extra layer of security. This usually adds two more methods beyond a password, such as an OTP sent to a phone/email and biometric data.

Expanding IoT’s unpatched software, devices, and systems

IoT, or the Internet of Things, describes a vast, interconnected network of hardware and software. With more devices, accounts, and systems being introduced into a business, it means there are more potential vulnerabilities and entry points for attackers to take advantage of. Many devices and software may lack the proper security protocols to keep your SME secure. It’s critical for businesses to ensure that proper steps and measures are taken to minimise that risk as much as possible.

Firmware and software should always be updated with the latest patches, as there can be weaknesses in old versions. SMEs should not delay in updating their systems. Attackers can expertly spot vulnerabilities, which allows them to set up attacks and implant viruses onto devices. Software companies know this and always look to patch these weaknesses with new updates, which is why it's so important to make sure updates are always installed. If not through auto-updates, check for updates frequently, ideally on a weekly basis. Or even better, use a partner such as ourselves at Collaborative IT to manage patches, backups and updates.

How can SMEs minimise IoT vulnerabilities?

• Always change the default password to something strong and secure. It’s best practice to not keep a written record of any passwords; instead, use a trustworthy password manager. 
• If possible, set an alternative login method in lieu of or in conjunction with a password. Two-factor or multi-factor authentication will always be more secure.
• Keep all devices and software updated to the latest versions with the latest patches.
• Keep IoT devices separate from critical systems needed for business by using designated networks.
• Make it routine to audit devices and software to eliminate and remove unnecessary or outdated equipment.

If you’re concerned about how to set up and navigate cybersecurity for your business, we help SMEs with setting up and managing roles and permissions, implementing and using WAFs, and using tools like Microsoft Azure to protect businesses like yours. Feel free to contact us for a no-obligation chat.