Close this search box.

Thinc insights

Cyber security risks for businesses – what SMEs need to know

In a world of constantly-evolving cyber threats, here's what you need to know to stay safe

Small and medium-sized businesses generally have plenty of problems to be worrying about, especially in the current economic climate – and cyber security hasn’t always been top of the list. But according to the UK Government’s Cyber Security Breaches Survey, it is now starting to be seen as more of a priority. 

While we’re starting to see companies take cyber more seriously, there are still significant gaps in the organisational awareness, and many companies still aren’t fully equipped to deal with these threats. This may come down to a common misconception that cyber attacks are only a problem for big businesses – after all, those are the ones that generate all the headlines. In fact, the opposite is true.   

SMEs are actually more at risk as criminals know their defences aren’t as sophisticated. The US Cybersecurity and Infrastructure Security Agency reported that small businesses are three times more likely to be targeted than larger organisations. Most are likely only equipped with the sort of out-of-the-box antivirus solutions that aren’t capable of deal with more advanced threats. 


“It’s easy to think of cyber attacks as some far-away threat that won’t really affect you, but with 70% of medium-sized businesses experiencing cyber breaches or attacks in the last 12 months, this just isn’t true. “We know that cyber security can be an intimidating prospect for many businesses. But with the number of threats out there, ignoring it just isn’t an option.”

Steve Hannon, Business Advisory Consultant, Thinc


The cost of cyber crimes for businesses

Looking at the financial impact that these attacks have underlines the seriousness of the risks faced by businesses today. The average (mean) annual cost is estimated at £1,120 per victim by the UK government. Among businesses that experienced breaches or attacks, the most disruptive breach in the last 12 months cost each business an average of approximately £1,205. For medium and large businesses, this cost escalated to approximately £10,830. Charities faced an average cost of approximately £460.

There is a massive volume of attacks – 7.78 million cyber crimes over the year – with most attacks ultimately resulting in no financial loss, but those that do succeed have a significant impact.


The current picture for SME cyber security

The cyber landscape for SME businesses is getting more dangerous with each passing year. According to the 2024 SonicWall Cyber Threat Report, attack volumes are up nearly across the board. Malware has increased by 11% from last year, with encrypted threats up 117% and cryptojacking up a staggering 659%. Despite this, according to the Cyber Breaches Survey, phishing is still by far the most common type of attack with 84% of businesses having fallen victim. This is followed by impersonation in emails or online with 35% and viruses or other malware at 17%.



The biggest cyber threats facing SMEs

Cyber criminals are constantly having to adapt their attacks but some of the old favourite methods are still proving popular and just as devastating. Here’s a rundown of some of the biggest cyber threats that SMEs are currently facing.



Malware (short for malicious software) is a broad term encompassing a range of different types of software that are designed to harm, disrupt or damage your systems. This is typically either to steal your sensitive data, such as credit card information, hold you ransom or to take control of your computer to either mine cryptocurrency or launch attacks on other devices.



Ransomware is a specific type of malware that will shut down your system and stop you from accessing your device and all the data on it, typically by encrypting your files. The cyber criminals then demand you pay a ransom, typically in untraceable cryptocurrency, to regain access to your devices or to avoid sensitive data being leaked. However, there’s no guarantee that paying the criminals will even get you back in as they may just end up asking for more money or not removing the encryption.



Cryptojacking attacks are when cyber criminals install some form of malware on your system that uses your device’s resources to mine for cryptocurrency, without you even knowing about it.

These types of attacks can be harder to spot as criminals generally want to remain hidden for as long as possible so their programs can mine as much crypto as possible before being removed from the computer. If your device is experiencing an unexpected dip in performance, it could be a sign that these cryptojacking scripts are running in the background, draining your resources.



When a criminal gains access to your systems or network through some kind of vulnerability, this is known as an intrusion. Once they’re in they’ll typically look to steal your data or spy on your systems. This can also occasionally involve either altering a website or leaking data, either as a form of cyber vandalism or politically motivated ‘hacktivism.’



Phishing attacks rely on exploiting your business’ biggest weak spot – its employees. Cyber criminals will typically pose as legitimate organisations such as banks, government agencies or trusted companies to try and trick staff into revealing sensitive information. This can take the form of malicious emails, text messages or webpages that encourage people to either enter their details or click on links that will install malware.

The best way to counter the threat of phishing is by educating your staff. Make sure they know how to spot the tell-tale signs of a dodgy phishing email or link and are clued up on what to do if they do accidentally enter sensitive details or click something they shouldn’t.



How to protect your business 

The UK’s National Cyber Security Centre (NCSC) is a great source of advice for SMEs looking to protect themselves. Combating cyber attacks, according to the NCSC, generally comes down three priority areas – understanding, preparation and mitigation. That means you’ve got to be aware of the potential threats facing your business and how you can be ready for attack – both in terms of your defences and response plan. 

The NCSC has put together a list of ten steps it recommends as a guide for good cyber hygiene to mitigate and protect against most attacks. It’s not necessarily an expectation for companies to apply all ten of the steps as it will depend on how you work.  


Risk Management Regime:  

This is an inevitable part of doing business, so you need to find a good balance between risks and opportunities. Assess cyber risks specific to your business, prioritise mitigation efforts, and regularly review risk assessments to adapt to changing threats. 

Engagement and Training:  

Your staff should always be right at the core of your cyber security strategy – they are one of the business’ biggest vulnerabilities, but they can also be a major asset in staying protected from attacks. Make sure that everyone in the business is engaged in cyber security and is fully trained on what they need to do to stay safe.  

Asset Management:  

As your business grows, it can become hard to keep on top of all your different digital assets and systems. Misunderstandings of these systems, and things like not patching software or having an exposed cloud account, can cause incidents.  

Architecture and Configuration:  

Make sure that your systems are designed and set up in a way that’s easy to maintain and update, makes compromise and disruption difficult, and reduces the impact of a potential attack. 

Vulnerability Management:  

Most cyber incidents come from criminals exploiting known vulnerabilities. Conduct vulnerability scans, promptly apply security patches, and monitor third-party software used by the business. 

Identity and Access Management:  

You need to understand who can access your data and systems and what measures are in place to stop unauthorised access. Develop robust procedures for access management, including multi-factor authentication for all user accounts.  

Data Security:  

Your company’s data is one of the prime targets for attackers and needs to be protected in transit, at rest, and at end of life (by effectively sanitising or destroying storage media after use). Make sure your data is regularly and securely backed up and is protected by current, standardised cryptographic algorithms.  

Logging and Monitoring:  

Every time someone uses of accesses your systems or data, this activity should be monitored and logged. That way, you can retrospectively look back and understand the impact of what’s happened. This can go further by actively analysing this log information to look for unusual behaviour or signs of attacks. 

Incident Management:  

If an incident is to happen, you need a plan in place to make sure you can minimise its impact. Make sure this plan is laid out step-by-step, with clear and practised instruction on how to communicate, analyse, contain and mitigate any attack. 

Supply Chain Security:  

An attack on your supply chain can be just as harmful as one on your organisation, but due to the size and complexity, can be harder to protect against. Assess and understand each step of it and encourage continuous improvement and alignment with your own security standards. 


According to the NCSC, only 39% of businesses have done five or more of these steps, with just 3% being able to tick off all ten. This points to potentially significant gaps in the cyber security strategy of many companies. 


Cyber security support for SMEs 

If you’re following most of the steps we’ve just listed, you’re well on your way to keeping your business safe. However, for something as important as cyber security, you may be reassured that you don’t need to tackle the problem alone. 

Support is out there for businesses who want to take the next steps to bolster their security strategy. One of the biggest parts of the puzzle when it comes to security is your staff and you need to make sure they’re clued up to be able to protect your business.  

The NCSC offers a government-backed, industry-supported scheme called Cyber Essentials that helps businesses, and their employees stay safe from common online threats. This covers employee education on things like spotting phishing as well as putting measures in place like firewalls. 

For the more technical side of cyber security, you’ll need to work with a trusted managed security partner to make sure you’ve got the solid defences you need. They’ll be able to look at your current strategy and setup, perform a thorough vulnerability assessment and figure out your weak spots and exactly what you need to improve.  

The best cyber security partners will also be on hand with strategic advice, keeping you up to date with the latest threats, proactively monitoring your systems and making sure you’re always prepared for a potential attack.  

At Thinc, we’re certified partners for security software leaders SonicWall and CrowdStrike, with decades of experience providing tailored cyber security solutions that help businesses scale while staying safe.  

Get in touch with our team today for a no-obligation chat about how we can create a custom strategy to protect your business. 

Discover how to keep your business safe

In a world of constantly evolving cyber threats, you need a trusted partner backing you up. We’re here to come up with a custom solution to find out your weak spots and get you set up with the tech you need to stay safe. Get in touch with one of our experts for a no-obligation chat.

How can Sage Intacct help Canada’s SMEs?

Cyber Essentials Certification: what it is and why you need it

Sage 200 software – all your questions answered

Speak with us

Enter your details into the contact form below, and one of our experts will be in touch to arrange a time to speak.

Contact Details


If you’re an existing customer looking for support, please e-mail servicedesk@wearethinc.com, or visit our support page where you can download our remote support apps.