Why SMEs need to be aware of cyber security

Joe A. J. Beaumont Headshot
Joe A. J. Beaumont
Chief Security Evangelist
14th May 2021

Cyber security is a pressing issue

It was a turbulent time for business across the globe in 2020 and, whilst the situation is improving in 2021, there are still obstacles to overcome. Not least of all is the ever-present issue of cyber security: an average of 57% of SMEs admit to a breach in 2020, and 86% of organisations expect attacks to increase going forward.

As business focus on recovering revenue streams and driving growth, investing in cyber security is often overlooked. But with the risk of cyber attacks, data breaches and fines all more acute than ever, covering the basics of cyber security is essential for SMEs in 2021.

Stories from the frontline of SME cyber security

In our role as a trusted advisor to SMEs and enterprises alike, Bulletproof has heard a wide range of objections and opinions on cyber security. To help SMEs understand why cyber security is essential in 2021, we’re presenting the most common real-world myths that our security consultants hear. Some of these might be on your mind too, so it’s important to realise the consequences of these attitudes, and ultimately show why SMEs should care about cyber security.


“I’m too small to be a target”


Every business is at risk of cyber attack – targeted or not

This is the biggest misconception there is in security right now. Many SMEs think that because of their small business size, or the sector they operate in, that they’re unlikely to be hacked. This is wrong on two counts.

Firstly, you don’t have to be a target to be hacked – you can just be collateral damage. Hackers regularly send out attacks en-masse and if you’ve not covered the basics, your business will get caught in the crossfire. This is exactly what happened to the NHS in 2017 when it was hit by the now-infamous WannaCry ransomware. The NHS wasn’t directly targeted, yet it still found itself crippled because of out-of-date IT security. That could very easily be your business.

Secondly, and perhaps surprisingly, your SME is actually a target too. Hackers are constantly scanning the internet for things to hack, and new systems put online are typically found within just 0.3 seconds. A hacker doesn’t pay attention to what kind of business you are – if a system is hackable, they’ll try to break into it. Even if there’s nothing of immediate value, your compromised system might be included in a hacker’s botnet.


“Security doesn’t matter because my employees are remote”


Remote working opens new security vulnerabilities

This is sadly a very popular position, and one that is actively opening up businesses to an increased risk of cyber attacks. SMEs are still catching up with the landscape change to remote-first working practices, and until that process is complete, the fact is that remote workers can actually create more security risk to your business. This is because your staff are now operating outside the walls of whatever security investment you’ve previously made – and are doing so with reduced oversight. The scope of your security has gone from your office premises to every remote worker’s home and their Wi-Fi networks.

For example, remote staff are at increased risk of phishing attacks, and this type of attack jumped by 350% in 2020. And as we progress further into 2021, the Bulletproof Security Operations Centre is still defending our customers against continued high volumes of phishing attempts.

The cloud is often held as an example of why security doesn’t matter with a remote workforce, but worrying numbers of SMEs never bother to verify that their cloud services are securely configured, or ascertain who’s responsible for what. The grey areas caused by this so-called ‘shared responsibility model’ introduce the most dangerous security vulnerabilities – dangerous because they’re unknown, untested, and unmitigated.

Clipboard with checklist icon

Top tips for securing your remote workforce

Looking for help securing your remote workforce? This Bulletproof blog gives helpful best practice advice for SMEs, and includes an insightful webinar from our Co-founder!

Learn more

“I just need to focus on growth right now”


Good cyber security can actually help power growth

This is an entirely understandable position, especially in 2021. However, the presumption that cyber security is disruptive just isn’t true. Undertaking basic cyber security measures can be done without any impact to a business’ day-to-day operations. Penetration testing and VA scans, both elementary cyber defences, are very low-touch and can be conducted by a trusted third party with zero impact to your business operations. Security training, another basic yet highly effective measure, might only take a few hours.

Contrary to the objection, doing something about your cyber security can actually help power growth, as it will build trust and credibility in your in your business. Meeting basic security standards will help you connect with a customer-base that, thanks to the GDPR and high-profile breaches, is increasingly aware of cyber security and data privacy. That alone is a powerful reason why SMES should care about cyber security.


“Revenue is already down – I don’t have budget for this”


Cyber security services are accessible to all businesses, even start-ups.

Despite the well-publicised benefits associated with SME cyber security (not to mention the risks of ignoring it), our consultants report that impact to budget is often the number one concern for businesses in 2021. But basic cyber security services aren’t expensive, even for small start-ups.

Penetration tests and VA scans are cheap to procure, and can make a huge difference to your security posture. Meanwhile security training is quick, affordable and can be delivered in a way that harmonises with your business practices. Training is also a secret super weapon – the most basic training can turn your staff into a proactive line of cyber defence that can stop all opportunistic attacks. It might only take half a day to effectively train an SME’s entire workforce.

Cyber Essentials is a Government-backed security certification that covers fundamental security measures that apply to every business – from tiny start-ups to multinational enterprises. And when Bulletproof packages for Cyber Essentials packages start from only £295, the cost argument doesn’t stand up.

Every organisation can find budget for these simple steps – especially when they will literally save your business from ruin.


“It doesn’t matter if I’m breached because I’m insured”


Cyber insurance is no substitute for cyber defences

Insurance is not a magic safety blanket against cyber attack. It’s highly likely that insurance won’t cover the whole cost of recovering from a cyber incident, which reputable reports put at over £10 million. And that’s if they pay out at all – there are multiple cases of insurance companies not paying out for specific types of malware attack, and the NCSC’s own guidance states that it’s likely insurance companies won’t pay out for “monies lost through business email compromise fraud”. That also happens to be a description of the most common cyber attack – phishing.

In the case of a small attack and data breach, insurance might help save your business financially, but can you afford to spend the time and resources recovering, just to get back to where you were? Insurance also won’t help with the reputational damage – and 33% of companies admit to losing customers after a security breach (the real figure is likely to be much higher).


“Cyber always sounds so complicated”


Getting started with cyber security is simple to do

It may not seem like it for busy business owners or IT managers, but it’s actually easier for SMEs to do something about their cyber defences compared to larger organisations. SMEs have a more simple infrastructure, higher use of cloud services, no legacy systems, and smaller employee base. Contrast this to large enterprises, whose sprawling technical infrastructure is made complex through acquisitions, legacy systems, shadow IT and the sheer size of their operations.

For example, the British Airways and easyJet data breaches of 2020, which resulted in multi-million-pound fines, could both have been prevented via a simple penetration test. SMEs can procure and run penetration testing exercises quickly and cheaply, with practically zero impact on their day-to-day operations. Cyber security basics aren’t complicated – that’s why they’re called the basics.


“I don’t have skills in-house nor the budget for dedicated cyber hires”


Find a trusted security partner and get an affordable managed security service

Cyber security is a niche set of diverse abilities and there’s a well-publicised skills gap in the market, all of which make hiring in-house security personnel a difficult and expensive proposition for SMEs. The solution is to hire third-party specialists on a retainer or project basis. Find a cyber security partner with a good reputation, who demonstrates an awareness of SME challenges, and make the most of their experiences. Afterall, they’ve solved this problem before for other businesses like yours. This will deliver a high-quality service without the considerable expense of hiring in staff.

So what do SMEs really need to do?

It’s becoming clear that what SMEs really need is to cover the basics. Even a very modest investment in your cyber defences, such as £60 per month, will stop the vast majority of opportunistic attacks. Here’s Bulletproof’s recommendations to give SMEs the best protection for the least financial impact:

  • 1. Run penetration tests once a year and VA scans once a month

    Pen tests and VA scans are not difficult or time-intensive tasks, and they’re the best way to find your security flaws before a hacker exploits them. They’re also very affordable. As with all security scans, ensure you act on the results!

  • 2. Train your staff

    As mentioned above, basic security training is a cyber security super weapon. Training schemes can be procured cheaply and delivered quickly. There’s a variety of schemes out there to best fit your business model. If on-site training doesn’t suit you, what about self-led learning videos with interactive quizzes?

  • 3. Get Cyber Essentials certified

    Gaining a reputable certification such as Cyber Essentials is a great way to build trust and credibility, and enable you to bid for UK Gov, NHS and MoD contracts. Cyber Essentials is backed by the UK Government and is specifically designed to be ‘first step’ certification. This means the measures it mandates are cheap and simple to enact for even the smallest SME.

  • 4. Invest in endpoint

    With remote workers using either their own devices or hastily-acquired corporate devices, chances are that the device security isn’t up to standard. Having up-to-date endpoint protection is a basic component of cyber security and this simple step can protect against a wide variety of opportunistic cyber attacks, as well as play a part in preventing more sophisticated attacks

  • Bonus: Good cyber security helps with your GDPR compliance!

    Getting the basic cyber controls embedded in your business also goes a long way to helping with GDPR compliance. Most businesses are aware that compliance with GDPR is not optional and still applies post-Brexit. If you’re an SME who doesn’t know where to start check out our infographics on ‘10 steps to achieving compliance’ and ‘How to maintain GDPR compliance’.

Dangers of ignoring cyber security

Put simply, if an SME isn’t doing the basics then it’s just a matter of time before you’re hacked and your data is breached. In fact, recent research by Vodafone says one million small businesses at risk of collapse due to cyber security threats.

Regulatory action is also an issue to bear in mind. The ICO regularly fine companies big and small for breaches where personal data is affected. Falling foul of GDPR or PECR regulations can have large financial repercussions. As mentioned above, BA and easyJet were both fined around £20 million for their breaches, which grabbed headlines around the world, but many smaller businesses are issued with significant monetary penalties every single month.

But there’s more for an SME to consider beyond fines, reputational damage and data breaches – cyber attacks can also slow down your app development or leak your killer first-to-market ideas. Don’t forget that sometimes hackers just want to cause damage. If you’re one of the 57% of UK organisations who are targeted by ransomware, and you’re not perfect with your backups, you’ll find that you no longer have a business left to salvage.


When it comes to cyber security, the risks are real, but so are the benefits. Getting the basics right is affordable for all sizes of SME and will go a long way to keeping your business stable and in a position to concentrate on growth. Plus there’s the added benefit of enhancing your reputation and building trust with a customer base that’s increasingly aware of security and privacy. This is why SMEs should care about cyber security.

Get started with a cyber security assessment

Consultant-led cyber security assessment to assess your risks & boost business resilience. Find the next step in your strategy with this insightful review.

Review your security today

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.