Our amazing era of digital advancement has levelled the playing field for businesses, enabling even the tiniest enterprises to participate in the global arena. Nonetheless, this newfound accessibility carries a significant downside – even greater susceptibility to cyber threats. Recent reports highlight a consistent increase in cyberattacks specifically targeting small and medium-sized enterprises (SMEs), underscoring the need for robust cybersecurity. Amidst challenges such as escalating inflation, soaring energy costs, and diminishing demand, SMEs in the UK – all 5.5 million of them – cannot afford to overlook the critical importance of securing their IT networks. Vodafone’s 2022 report, Protecting our SMEs – Cybersecurity in a New World of Work, showed that the average cost of a cyberattack on SMEs is £3,230. That number has subsequently risen to £4,200. In the current economic climate, this is money that they can’t afford to part with, and for some it could even make or break the business. Andrew Stevens, Vodafone’s UK Head of Small and Medium Business, said:


“It’s clear that more needs to be done to convince SMEs that they need to be investing in cybersecurity to protect their businesses, especially during a cost-of-living crisis where they are most vulnerable.”




The statistics highlighting cyberattacks against SMEs on our little island, unfortunately, speak for themselves.


Insurer Hiscox reports that:


  • SMEs in the UK are hacked every 19 seconds
  • 79% of SMEs experienced a cyberattack in the past 12 months


Ransomware statistics reveal:


  • 1 in 4 UK SMEs were targeted by ransomware in the past year
  • 47% of those paid the ransom to regain access to files or systems
  • An Avast survey shows that 41% of SMEs lost data, and 34% lost access to devices after ransomware attacks


UK Government Cybersecurity Breaches Survey 2022 tells us:


  • 31% of businesses estimate being attacked at least once a week
  • 20% experienced a negative outcome directly from a cyberattack
  • 35% experienced at least one negative impact from cyberattacks




A rather disconcerting trend shows that the average cybersecurity budget for SMEs halved in 2023, dropping from around £100,000 in 2022 to an average of £50,000 this year. Primarily, this decrease was attributed to the broader struggles faced by SMEs, which often operate on tighter profit margins. The prevailing economic uncertainty further compounds the challenges, posing a threat to the future of many smaller enterprises. Emma Green, deputy director for cyber resilience at the UK’s Department for Science, Innovation and Technology (DSIT), said:


“This is the first time we see a decrease in SMEs’ cybersecurity investment, after many years of a slow increase, and the first time we see such a divergence between big organizations, who tend to keep investing more year on year in cybersecurity, and SMEs.”


Continued investment in cybersecurity is critical given that even a single cyberattack has the potential to obliterate a business. Despite financial constraints, the plea is for SMEs to persist in fortifying their defences, recognising the indispensable role of robust cybersecurity measures in safeguarding their operations against ever-evolving digital threats. So, how exactly should SMEs go about this?




Even as technology and cybersecurity strategies undergo constant evolution, human error remains the predominant avenue for unauthorized access to sensitive data. While antivirus software plays a crucial role in detecting and eliminating threats, the primary responsibility for prevention lies with humans. Mitigating the risk of falling victim to phishing attacks and inadvertently disclosing sensitive information demands comprehensive training for all staff members in cybersecurity, incorporating best practices and adherence to company policies in the event of a breach. The landscape has transformed with the widespread adoption of mobile working, transferring the onus of device security from IT specialists managing traditional office networks to individual users accessing company data globally. By ensuring that all staff receive thorough training, the potential for personal errors leading to security breaches can be significantly diminished.




In many instances, patches are released to safeguard against newly identified vulnerabilities. This means that patch management should always be a priority. However, the challenge intensifies in the context of an office network with a multitude of devices, especially considering the proliferation of IoT and smart devices like speakers and thermostats. Updating these devices can quickly evolve into a time-consuming endeavour. In some SMEs, a pragmatic approach may involve updating quarterly, yet this approach comes with risks. Hackers are attuned to such strategies, and the moment a new patch is released, they are likely to target those who have not yet updated. Therefore, it is imperative to ensure that every device capable of connecting to the office network receives prompt updates as soon as they are available. To streamline this process, the responsibility can be distributed among users, assigning the task to the individuals using each device. This approach allows IT staff to concentrate on shared devices like office routers and printers, ensuring a more efficient and comprehensive updating system.




A straightforward yet effective approach to safeguarding sensitive information involves limiting direct access to a select number of individuals and implementing zero trust architecture. Despite this, many companies grant administrative privileges based on an individual’s position within the organization rather than a direct necessity to access the data. In the event of a phishing attack, even if hackers gain control of a user’s account, if that user lacks the necessary access permissions, the attackers may need to pursue alternative strategies to reach the targeted data. To bolster security simply and cost-effectively, SMEs should ensure that each user’s access is strictly tailored to the information essential for their specific tasks. Implementing this policy uniformly across all levels of the organization, including freelancers, contractors, and former staff members, is crucial. Access should be promptly revoked for these individuals once their work is completed. This ensures that only IT staff retain total access, minimizing the potential for data to fall into the wrong hands.




The IoT industry is experiencing rapid growth, impacting both domestic and business environments. In 2021, estimates revealed approximately 500 million interconnected devices in the UK alone. Despite the Government’s Product Security and Telecommunications Infrastructure Regulations 2023, those in the know anticipate IoT to surge within the next five years. With that in mind, the importance of ensuring the security of each device cannot be overstated. Given the proliferation of these devices, it becomes essential to maintain the same level of security for all endpoints as if they were utilized within the confines of an office. Achieving this involves leveraging endpoint security tools and adopting mobile device management (MDM). MDM proves effective in monitoring each device, facilitating remote access, ensuring the installation of the latest updates, and enabling functionalities such as tracking, locking, or wiping devices in the event of loss or theft.




A timeless piece of advice in the realm of personal computing is to consistently back up your work. While it may be a rule easily overlooked unless a problem arises, the reality is that with UK SMEs being hacked approximately every 19 seconds, neglecting this precaution could prove to be the most expensive mistake in their security setup. Fortunately, there exists a straightforward solution to circumvent this potential nightmare – maintaining regular, full data backups. Notably, as many as 72% of ransomware victims can safeguard their data if they adhere to a practice of consistent backups.




Education and training, patching, zero trust, securing IoT endpoints, and making regular backups are vital for SMEs wanting to protect their data and their business. But there’s more.


IT Policy – Establishing a clear and comprehensible cybersecurity and information security policy serves as a practical starting point. It involves ensuring that every member of the business is well-informed about protocols and best practices, including explicit rules on device usage and document sharing within teams.


Advice and accreditation – Government guidance and accreditation from entities like the National Cyber Security Centre (NCSC) are valuable resources for small businesses. The NCSC provides practical technical advice that can significantly reduce the risk of falling victim to cybercrime. Moreover, the centre offers a Cyber Essentials accreditation, demonstrating that a business has implemented adequate measures, thereby providing reassurance to clients.


Security Protocols – Implementing up-to-date security and encryption protocols is crucial for any system, irrespective of a business’s perceived size in the eyes of potential cybercriminals. This includes features such as multi-channel two-factor authentication, four-eyes checks, maintaining a comprehensive audit trail of all activities, continuous backups, and other measures to enhance overall security.




Zhero’s CEO and Founder, Izak Oosthuizen, has just published his third international bestseller, You Don’t Need a £1 Million Cybersecurity Budget. In his book, which topped the charts on Amazon in the UK and the States, Izak provides the lowdown on all things cybersecurity for SMEs, from implementing an effective IT policy to managing those ever-increasing pesky endpoints, backups, patching, and limiting access through applying enforceable zero trust strategies. The bottom line of You Don’t Need a £1 Million Cybersecurity Budget is that by adhering to the basics, UK SMEs can dramatically improve their cybersecurity and cyber hygiene overnight. More good news for those cash-strapped SMEs out there is that implementing and enforcing the cybersecurity basics won’t break the bank either. Professor Ben Azvine, the Global Head of Security Research at BT, tells us:


“You Don’t Need a £1 million Cybersecurity Budget is a must-have for any SME wanting to secure its place in the digital future.”


You Don’t Need a £1 Million Cybersecurity Budget is available on Amazon now. Any cybersecurity questions for Izak or Zhero? Get in touch here and now.