Cybercrime: The silent threat to UK SMEs and how to fight back

Cybercrime is a pervasive and growing threat that affects businesses of all sizes. UK Government data shows that 43% of businesses faced a cyber breach last year, demonstrating that small and medium-sized enterprises (SMEs) are not too small to be targets. Ransomware pressure is also rising, placing boards on notice.

The state of UK cyber risk

Prevalence and attack vectors

  • Reported breaches: 43% of businesses reported a cyber breach or attack in the last year.
  • Phishing dominance: Among those businesses hit, 85% cite phishing as the primary cause. Phishing remains the number one route for attackers.
  • Ransomware: Ransomware attempts increased, equating to roughly 19,000 companies.

Information gathered from the Cyber Security Breaches Survey 2025

Five technical controls that reduce risk

The good news is that a handful of controls can reduce cyber risk. Implementing them can help turn cyber from a critical business risk into a manageable one, and insurers will expect you to have them in place.

According to the National Cyber Security Centre (NCSC) in their Cyber Essentials: Requirements for IT Infrastructure v3.1, organisations should implement these five basic security controls to protect against common cyber threats.

  1. Multi-factor authentication (MFA)
  2. Patching (ensuring a regular patching cadence)
  3. Tested backups (including secure backups)
  4. Endpoint detection and response (EDR/email and endpoint protection)
  5. Access hygiene (e.g., implementing least privilege)

The role of cyber insurance

Cyber insurance is essential for fighting back against modern threats. It provides a comprehensive safety net that extends beyond mere financial reimbursement.

Key coverage can include:

  • Incident response: Provides 24/7 access to experts, including forensic investigators and legal counsel.
  • Business interruption: Covers lost revenue due to a covered cyber event.
  • Liability cover: Protects the business against claims arising from breaches, such as regulatory fines or third-party lawsuits.
  • Crime protection: Covers financial losses from crimes such as funds transfer fraud.

Conclusion: a manageable risk

The path to turning cyber risk into manageable risk involves three clear steps:

Step One: Foundation

Start with the five core controls: Multi-Factor Authentication (MFA), regular patching, secure backups, Endpoint Detection and Response (EDR), and least-privilege access.

Step Two: Validation

Prove these controls are in place by achieving certification, such as Cyber Essentials, which demonstrates your commitment to security.

Step Three: Protection

Ensure your cyber insurance coverage aligns with your security controls, so you have financial and expert support when an incident occurs.

Don’t wait until it’s too late!

By combining strong cyber hygiene, certification and tailored insurance, SMEs can significantly reduce exposure and recover quickly if the worst happens. Speak to a member of our team today to review your cyber risk strategy and arrange comprehensive cyber insurance cover that safeguards your business.
