Cyber attacks - are the smallest firms at the biggest risk?

SOUTHAM, U.K. - Dec. 22, 2025 - PRLog -- Devastating cyber attacks on big businesses like Jaguar Land Rover and M&S attract the big headlines. But according to the latest research, it is the small to medium enterprises (SMEs) that are hit more often, with SMEs accounting for 81% of all UK businesses that are victims of cyber attacks. According to the UK government's annual Cyber Security Breaches Survey 2025, 42% of small businesses and 67% of medium-sized businesses experienced a cyber attack or breach in the last 12 months.

Understanding the reasons behind the figures can help SME's minimise their cyber risks. Smaller businesses are vulnerable for three key reasons: complacency, lack of IT expertise and underinvestment. Many small business owners mistakenly believe they are too small to be targeted, which leads to a false sense of security and poor cybercrime prevention measures. They may lack dedicated IT security teams, expertise, or the budget to implement the right digital security measures. A lack of a formal cybersecurity policy and incident response plan can also leave businesses at risk.

However, one of the biggest cyber risks can also be a company's biggest strength: its people. Phishing attacks, when individuals are conned into giving criminals passwords or other sensitive information, account for 85% of identified breaches. This is partly the result of increasingly sophisticated hardware and software security. It is now easier to "hack a human" than a computer system.

The cyber attack on transport firm KNP, serves as a stark warning to others. One weak password was all it took for a ransomware gang to bring down the 158-year old company with the loss of 700 jobs. It is one of the reasons Emily Lowe, Head of Technology and Projects, at logistics firm Invo Fulfilment, (https://invo-fulfilment.co.uk/) believes cyber training for teams is so important, "In January 2025, we rolled out company-wide training, giving all colleagues the opportunity to improve their knowledge and competence around emerging cyber threats - some of which we, like many businesses, had already been targeted by."

But it can never be a case of "once-and-done" when it comes to dealing with cybersecurity. Businesses must be proactive, as criminals seek to exploit human and system weaknesses for political or financial gain. The truth is that, however big the firm, cybersecurity comes down to the individual. Companies must make sure that everyone in the business, whatever their role, is fully equipped with the knowledge and tools they need to do protect themselves in the battle against cybercrime.