
Cybersecurity for SMEs

Cybersecurity. We’re all aware we need to do something about it. After all, 65% of businesses report having suffered a breach in the last 12 months.


However, when it comes to cybersecurity for SMEs, things get confusing. As an SME owner, you probably have a limited budget (not to mention time) for cybersecurity.

And, with so many different tools and options available, how do you see the wood for the trees?

Well, we’ve got you covered. Strap yourselves in for a whistlestop tour of cybersecurity for SMEs. We’ll cover why good cybersecurity is so important, the main threats SMEs face, and explain some of the tools you can use to protect your business.


Why is cybersecurity so important?

Awareness of the threat posed by cybercrime is pretty good. By now we’re all used to seeing headlines about the latest data leak or ransomware saga. 

However, among small business owners, there’s often a misconception that it only happens to large, high-profile organisations. After all, why would a cybercriminal attack a start-up or small business with little to steal?

Unfortunately, this couldn’t be further from the truth. An SME is successfully hacked every 19 seconds in the UK, according to Hiscox. And over 88% of UK businesses suffered a data breach in the last year. That’s a lot of SMEs when you consider that the FSB estimates small businesses account for 99.9% of the business population.

For those SMEs who are successfully breached the fallout can be disastrous. 

First, there’s the financial impact. Cyber breaches cost the average small business £25,700 a year in basic ‘clean-up’ costs alone. But it’s not just clean-up costs: system downtime during and after the breach hits productivity and can cost you valuable business. And this is before we factor in the payment of any ransoms or theft of financial assets.

Then there’s the reputational damage and loss of customer trust. It can take years to build customer relationships, but a successful cyber attack can undo that in seconds.

Finally, a cybersecurity breach can come with legal consequences for your business. Data protection and privacy laws require businesses to secure any personal data they hold – both for staff and customers. If this data is leaked or compromised and you’ve failed to adequately protect it, you could face a hefty fine or regulatory sanctions.

What are the main threats SMEs face?

Remote working

2020 was the year the world of work changed forever. But while remote working offers many benefits to SMEs, from happier, more productive staff to real estate savings, it also brings risks with it.

Can you be sure your people will follow the same security protocols they would in the office? The networks, devices, and security tools your staff use at home are likely to be far less secure than those in the office. And it’s not just the tools they use; as ZDNet has reported, 52% of employees believe they can get away with riskier online behaviour when working from home.

So it’s perhaps not surprising that 91% of global businesses have seen an increase in cyber attacks as a result of employees working from home.

For more on remote working, download our ebook.

Ransomware

Ransomware is the new kid on the block when it comes to cyber threats for SMEs. Once mainly a concern for big-name businesses with large budgets, it is increasingly affecting SMEs as cybercriminals switch their focus to easier targets.

Sadly, this is also backed up by the statistics. 1 in 2 SMEs have been attacked by ransomware and more than 73% have paid out to get their data back. Paying is no guarantee of getting it back; the only reliable recovery is from backups that are kept offline and tested. The consequences can be disastrous, ranging from company downtime to reputational damage and even bankruptcy.

Supply chain attacks

According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself. Big corporate enterprises often have the best cybersecurity tools and processes, so breaching their defences is difficult.

However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it. And this makes SMEs a prime target for cybercriminals with an eye on big enterprises.

Read more on supply chains here.

Weak passwords

Most of us know the importance of strong passwords, but that doesn’t stop us from using the same easily guessable phrase we’ve been using since 2001 for everything. We’re only human after all.

The problem is that this poses a huge security risk. Research from the UK’s National Cyber Security Centre (NCSC) revealed that the 100,000 most commonly used passwords turn up in millions of breached accounts worldwide, which means attackers simply try those first. And it only takes one insecure password in your business for disaster to strike.

Read more about the importance of passwords here.

Phishing

Without a doubt, the most common cyber threat to small businesses is a phishing scam.

A recent report from CybSafe reveals that nearly half (43%) of UK SMEs were targeted by a phishing attempt in 2019. Even more alarmingly, two thirds (66%) of those attempts were successful, demonstrating the threat phishing scams pose.
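As an added example (not from the original page, and not CyberSmart’s code), here is a small checker that applies the tell-tale signs of a phishing email to a raw message: a sender domain that imitates yours, your brand name in the display name, a Reply-To that points somewhere else, urgent language, and links whose visible text does not match where they really go. The message, the trusted-domain list and the domains example.com and examp1e-login.com are all constructed for illustration.

```python
"""Check a raw email for common phishing indicators.

Added example, not from the original page. The sample message below is
constructed for illustration; example.com and examp1e-login.com are placeholders.
"""
import email
from email import policy
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: the domains your business legitimately sends from.
TRUSTED_DOMAINS = {"example.com"}
URGENCY_WORDS = ("urgent", "suspended", "verify", "within 24 hours", "immediately")

# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """\
From: "Example Accounts Team" <accounts@examp1e-login.com>
Reply-To: collect@mail-relay.test
To: barbara@example.com
Subject: URGENT: invoice payment suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours unless you verify it.</p>
<p>Sign in at <a href="http://examp1e-login.com/verify">https://example.com/login</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like(host: str) -> Optional[str]:
    """Return the trusted domain that `host` imitates via common character swaps, if any."""
    folded = host.lower().replace("1", "l").replace("0", "o").replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in folded and not is_trusted(host):
            return trusted
    return None


def host_of(url_or_text: str) -> str:
    parsed = urlparse(url_or_text if "://" in url_or_text else "https://" + url_or_text)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw_message: str) -> List[str]:
    """Return indicator codes found in a raw RFC 5322 message (assumes a From header is present)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    if looks_like(sender.domain):
        findings.append(f"lookalike-sender-domain:{sender.domain}")
    if not is_trusted(sender.domain) and any(
        t.split(".")[0] in sender.display_name.lower() for t in TRUSTED_DOMAINS
    ):
        findings.append("brand-name-in-display-name")

    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append("reply-to-differs-from-sender")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = ((msg["Subject"] or "") + " " + text).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        findings.append("urgency-language")

    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            target = host_of(href)
            # Visible text that looks like an address but points at a different host.
            if "." in shown and host_of(shown) != target:
                findings.append(f"link-text-mismatch:{shown}->{target}")
            if looks_like(target):
                findings.append(f"lookalike-link-domain:{target}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print(finding)
```

None of these indicators is proof on its own; a mail gateway or a trained employee weighs several together. The link-text check is the one users can do themselves: hover over a link and compare what is shown with where it goes.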

For more on how to avoid phishing scams, read this.

Human error

According to recent research, 95% of cybersecurity breaches are caused by human error. However, before you start picking on Barbara in accounts, it’s important to note that most cybersecurity experts agree that ‘blaming’ staff for cybersecurity failures isn’t productive or helpful.

Instead, they advocate adopting a no-blame culture when it comes to cybersecurity, more on which in the training section.

To find out more, check out our blog on the subject.

How can SMEs protect themselves from cyberattacks?

So far, we’ve dealt mostly in doom and gloom. However, there’s plenty SMEs can do to protect themselves from most cybersecurity threats, often at little cost. 

From government-backed certifications to simple fixes, here are a few of the options open to you for improving your cybersecurity. 


Cybersecurity certifications


Cybersecurity certifications are a relatively new invention. For example, the UK government’s Cyber Essentials scheme was only conceived in 2014 as a response to growing concerns about businesses’ cybersecurity.

However, while they might be new, certifications have quickly become an important part of the fight against cybercrime.

But what are they and how do they work? And, more importantly, why should you bother? 

The Benefits of cybersecurity certifications

Although all the major certifications have subtle differences, they do offer a few key benefits in common.

  • Peace of mind that your organisation is doing all it can to prevent cyber attacks, remain compliant and fulfil its data protection obligations
  • Proof to potential customers, partners and suppliers that you take cybersecurity and data protection seriously, giving you an edge over competitors
  • The ability to bid for some government tenders and work with the NHS
  • Protection from 98.5% of the most common cyber threats (Cyber Essentials and Cyber Essentials Plus)

Cyber Essentials

You’ve probably heard the phrase ‘Cyber Essentials’ mentioned before, but what is it?

Cyber Essentials is a government-backed certification scheme, covering the essential actions every business should take to ensure its protection from cyberattacks. Think of it as ‘cyber hygiene’ – a bit like washing your hands, brushing your teeth or wearing a face mask.

The scheme assesses five key criteria:

  • Is your internet connection secure? (firewalls)
  • Are the most secure settings switched on for every company device? (secure configuration)
  • Do you have full control over who is accessing your data and services? (user access control)
  • Do you have adequate protection against viruses and malware? (malware protection)
  • Are devices and software updated with the latest versions? (security update management)

Getting Cyber Essentials certified is a requirement for many government tenders, and the five controls it requires are credited with protecting your business from 98.5% of cybersecurity threats. Bear in mind that the protection comes from the controls being in place and kept in place, not from the certificate on the wall.

But the benefits don’t end there. It’s also a great indicator of your business’s commitment to security, marking you out as trustworthy and safe to potential partners and customers.

Cyber Essentials Plus

Cyber Essentials Plus is the bigger, more involved sibling of the standard certification. It has the same requirements as Cyber Essentials (you must have all five security controls in place) but differs in one crucial aspect.

While Cyber Essentials is self-assessed, Cyber Essentials Plus adds an independent assessment carried out by a licensed auditor. Once you’ve passed the self-assessment, an auditor will either visit you or connect to your network remotely and test that the five Cyber Essentials controls are actually in place on a sample of your devices.

This gives you independent assurance that your cybersecurity is up to scratch, and customers don’t have to take your word for it: they can rely on the judgement of a professional. Bear in mind, though, that the audit is a snapshot of the day it was carried out.

To find out more about Cyber Essentials and Cyber Essentials Plus, download our handy guide.

GDPR and IASME Governance

Complying with GDPR has a reputation for being complex, costly and time-consuming. But it doesn’t have to be. At its heart, GDPR is about handling personal data lawfully and transparently and keeping it secure, so that it isn’t lost, leaked or misused.

The Cyber Essentials certification covers some elements of GDPR compliance. However, for those customers who want complete assurance, we recommend the IASME Governance certification.

The IASME governance certification addresses many of the same things as Cyber Essentials but goes much deeper. The assessment criteria include 110 questions based on the following areas:

  • Security management 
  • Information assets 
  • Cloud services risk management 
  • Data protection 
  • People 
  • Security policy
  • Environmental protection 
  • Operations and management 
  • Vulnerability scanning 
  • Monitoring backup and restore 
  • Incident management 
  • Business continuity

Many of these questions cover GDPR specifically, giving you much greater coverage of GDPR compliance than Cyber Essentials.

To find out more about GDPR and the certification options open to you, download our guide.


VPNs

In simple terms, a VPN (or virtual private network) allows you to connect to business systems securely while using a network you don’t control. That could be the free connection you get on public transport, the Wi-Fi at your favourite cafe, or even your home internet router.

It’s best understood as an encrypted ‘tunnel’, used only by you, between your workplace and wherever you’re working from. It keeps your traffic private from whoever runs the network you’re on and offers a greater level of privacy than a regular connection. It only protects data in transit, though: it does nothing about malware already on the laptop, or a phishing email opened over it.

For the lowdown on VPNs check out our blog on the subject.

Encryption

Encryption is most commonly used to protect data in transit and at rest. Ever sent a Facebook Messenger or WhatsApp message? That uses encryption. Or, a payment using online banking? Also encryption. How about buying something from a web store? You guessed it, encryption again.

You get the picture. Encryption is used everywhere in our daily lives, but how does it work?

In non-technical terms, encryption is a way of scrambling data so that only an authorised recipient can read it. It converts plaintext, for example the text of an email between you and a colleague, into ciphertext, a string of letters and numbers that looks random and reveals nothing about the original. To recover the real message you need the key, a secret value known only to the sender and the recipient (or, with public-key encryption, a private key that only the recipient holds). Anyone without the key sees only the scramble.
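To make the plaintext, ciphertext and key relationship concrete, here is an added example (not part of the original page, and not CyberSmart’s code) of a toy authenticated-encryption scheme built only from Python’s standard library: a keystream derived from HMAC in counter mode scrambles the text, and a separate tag lets the recipient detect tampering before decrypting. The scheme, key sizes and sample message are choices made for this illustration; for real data use a vetted library such as AES-GCM from the cryptography package.

```python
"""Toy authenticated encryption, to show what plaintext -> ciphertext -> key means in practice.

Added example, not from the original page. For illustration only: use a vetted
library (e.g. AES-GCM) for anything real. Construction: encrypt-then-MAC with a
32-byte master key, separate derived keys for confidentiality and integrity,
a 16-byte nonce and a 32-byte HMAC-SHA256 tag (all sizes are this example's choices).
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _derive(master_key: bytes, label: bytes) -> bytes:
    # One secret in, two independent keys out: never reuse the encryption key for the tag.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: PRF(key, nonce || counter) gives a pseudorandom pad. XORing the
    # plaintext with it is what turns readable text into apparently random ciphertext.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. The nonce must never repeat for the same key."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    pad = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time first, then decrypt. Raises ValueError if the key is wrong or the data was altered."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    pad = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


def tamper_is_detected(master_key: bytes, plaintext: bytes) -> bool:
    """Flip one bit of the ciphertext and confirm decryption refuses it."""
    blob = bytearray(encrypt(master_key, plaintext))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(master_key, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = os.urandom(32)                         # constructed key for the demo
    blob = encrypt(key, b"Invoice 1042 approved")  # constructed sample message
    print(blob.hex())                            # looks random, and differs every run because the nonce does
    print(decrypt(key, blob))
```

Two points the page’s prose only hints at are visible here: the same message encrypts differently each time because of the nonce, and a recipient with the wrong key, or a message that was altered in transit, gets an error rather than garbage.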

For more on encryption, read our blog, Encryption explained: how does it work and why do SMEs need it?

Anti-virus and anti-malware

Anti-virus and anti-malware software are by far the most common cybersecurity tools used by businesses to protect themselves. Unless you’ve been internet-free for the past couple of decades, chances are you already have one.

What’s more, you probably already have a good idea of what they do: detect, block and remove malicious software before it can infect business systems and devices. However, with so many options on the market, it can be difficult to choose the right software for your business. So, we put together our Top 10 Antivirus products for SMEs.

Patching

Remember how your mum would fix your school uniform with a patch of similarly coloured fabric when you ripped it falling over in the playground for the hundredth time? Well, the same principle applies to patching in cybersecurity.

Over time, even the best software has vulnerabilities discovered in it or simply becomes outdated. It could be that the software was built with flaws nobody spotted at the time, or that a new cyber threat has emerged. Whatever the reason, software developers fix the problem with security patches.

Just like the million little fixes to your school trousers, security patches are small adjustments. They don’t change the fundamental function of the software, but they do get rid of ‘holes’ a cybercriminal might exploit to access your data or systems.

We bang the patching drum a lot at CyberSmart. But, as repetitive as it might be, there’s a very good reason behind our love affair with patching.

Regularly updating your software and operating systems is the easiest, most time-efficient way to improve your cybersecurity. Even the best software becomes outdated or develops gaps and, when it does, cybercriminals suddenly have an easy route into your business.

Fortunately, avoiding the worst is incredibly easy and it shouldn’t take you more than a couple of minutes each month. All it requires is that you check every now and then for any new updates to the tools and software you use. Or, if you want an even easier solution, simply turn on auto-updates in your device’s settings, and you won’t even have to think about it. One benchmark worth knowing: Cyber Essentials expects updates that fix high or critical vulnerabilities to be applied within 14 days of release.
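Checking what you have installed against what has been fixed is the core of any patch-management tool. As an added example (not from the original page, and not how CyberSmart’s product works), here is the comparison logic in Python: a version parser that avoids the string-comparison trap where “2.9” sorts after “2.10”, and an “affected range” check of introduced-before and fixed-in versions. The product names, versions and advisory summaries are constructed placeholders, not real software or real vulnerability records.

```python
"""Flag installed software that falls inside a known-vulnerable version range.

Added example, not part of the original page. The inventory and advisory
feed below are constructed placeholders, not real products or CVE records.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.2.3', '2.10' or '3.0.1-beta' into a tuple that compares numerically.

    Trailing zeros are dropped so that '2.10' and '2.10.0' compare equal.
    """
    numbers = [int(n) for n in re.findall(r"\d+", text)]
    if not numbers:
        raise ValueError(f"unparseable version: {text!r}")
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers)


# Constructed advisory feed: product -> (first affected, first fixed, summary).
ADVISORIES: Dict[str, Tuple[str, str, str]] = {
    "acme-pdf-reader": ("4.0", "4.3.1", "crafted document leads to code execution"),
    "widgetco-vpn-client": ("2.0", "2.10.0", "local privilege escalation in the updater"),
    "example-office-suite": ("15.0", "16.0.7", "macro sandbox bypass"),
}


def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= installed < fixed."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed)


def outdated(inventory: Dict[str, str], advisories=ADVISORIES) -> List[str]:
    """Return one 'product installed -> fixed (summary)' line per vulnerable install."""
    findings = []
    for product, installed in inventory.items():
        if product not in advisories:
            continue
        introduced, fixed, summary = advisories[product]
        if is_affected(installed, introduced, fixed):
            findings.append(f"{product} {installed} -> update to {fixed} ({summary})")
    return findings


if __name__ == "__main__":
    # Constructed inventory, as a scanner would collect from a laptop.
    sample_inventory = {
        "acme-pdf-reader": "4.2.9",
        "widgetco-vpn-client": "2.9.4",
        "example-office-suite": "16.0.7",
        "unlisted-tool": "1.0",
    }
    for line in outdated(sample_inventory):
        print(line)
```

Real scanners do the same thing at scale, matching an inventory against a feed such as the National Vulnerability Database; the hard parts in practice are collecting an accurate inventory from every device and normalising vendors’ inconsistent version strings.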

For more on patching, read this blog

Passwords and password managers

Before we get into password management tools, there are several things you can do to improve your business’s password security.

Start by using unpredictable passwords. The NCSC recommends using ‘three random words’, that are memorable but not easy to guess, in combination. Then, set up different passwords for each account you use. 

However, remembering endless combinations of passwords is virtually impossible for most of us. It’s why we tend to use the same password with small alterations over and over again. This is where password managers like 1Password or LastPass come in handy.

These tools store hundreds of different passwords (and generate strong, unique ones) without you having to remember a thing. All you need to do is head to the website you need and the password manager will enter your login details for you. One caveat: the vault is only as secure as the master password that unlocks it, so make that one long and unique, and switch on two-factor authentication for the password manager itself.

Alongside this, you should also create a password policy for your business. A password policy is used to establish the rules and requirements for setting passwords. Creating a secure password policy for staff helps businesses protect themselves.

The goal of a password policy is to take the burden of inventing solid passwords off individual users. However, users should still be made aware of the policy so that they pick sensible passwords for their email, devices and other accounts.
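The NCSC research on common passwords mentioned earlier and the password policy described here come together in a simple technical control: screen every new password against a list of known-common or breached passwords, and check it isn’t built from the user’s own name or the company’s. As an added example (not from the original page, and not CyberSmart’s code), here is such a check in Python. It also shows the k-anonymity technique used by the Have I Been Pwned “range” API, where only the first five characters of the password’s SHA-1 hash leave your system. The common-password list, the minimum length of 12 and the sample passwords are all constructed for the example; a real deployment would load the NCSC top-100k list or call the real range endpoint.

```python
"""NCSC-style password policy check: length, not common/breached, not built from
your own or the company's name, and passphrases ('three random words') accepted.

Added example, not from the original page. COMMON_PASSWORDS is a tiny constructed
stand-in for a real list such as the NCSC/HIBP top-100k; MIN_LENGTH is an assumption.
"""
import hashlib
from typing import List

COMMON_PASSWORDS = {"123456", "password", "qwerty", "liverpool", "football", "summer2001"}
# Real services store/compare SHA-1 hashes rather than plaintext; HIBP publishes them this way.
COMMON_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in COMMON_PASSWORDS}
MIN_LENGTH = 12


def hibp_range_lookup(prefix: str) -> List[str]:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real API returns every breached SHA-1 suffix sharing the 5-character prefix,
    so the server never learns which password you were checking.
    """
    return [h[5:] for h in COMMON_SHA1 if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in hibp_range_lookup(digest[:5])


def _variants(password: str) -> set:
    """Fold the usual tweaks (case, trailing digits/symbols, l33t) so 'Liverpool1!' still matches 'liverpool'."""
    lowered = password.lower()
    base = lowered.rstrip("0123456789!@#$%^&*.")
    leet = base.translate(str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e"}))
    return {lowered, base, leet}


def check_password(password: str, username: str = "", company: str = "") -> List[str]:
    """Return a list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if any(is_breached(v) for v in _variants(password)):
        failures.append("matches a common or breached password")
    for label, name in (("username", username), ("company name", company)):
        if name and len(name) >= 4 and name.lower() in password.lower():
            failures.append(f"contains the {label}")
    if len(set(password.lower())) < 5:
        failures.append("too few distinct characters")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords: a tweaked common word, a short 'complex' one, a passphrase.
    for candidate in ("Liverpool1!", "Tr0ub4dor&3", "correct-horse-battery"):
        print(candidate, check_password(candidate, username="barbara", company="Acme Ltd") or "OK")
```

Note what the policy does not do: it doesn’t demand a mix of symbols and capitals, which only pushes people towards predictable tweaks like “Liverpool1!”, and it doesn’t force regular changes, which the NCSC advises against. Length plus a deny list does more work than either.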

Firewalls

A ‘firewall’ is a tool that protects your home or office systems from malicious traffic on the internet.

Think of it as a well-armed bouncer, checking anything that enters your network for threats. It creates a barrier between a ‘trusted network’ (such as your office) and an ‘untrusted network’, like the internet. 

Firewalls keep your devices operating reliably. But they also protect you from a variety of threats, such as DoS (Denial of Service) attacks and malformed-packet attacks. Most modern devices contain a firewall of some kind. You’ll find one built into your laptop and internet router, although, crucially, not on most smartphones.

Simply put, firewalls are a vital first line of defence. To return to our bouncer analogy, without a doorman anyone can enter the building. Without a firewall, anyone on the internet can reach whatever services are listening on your devices, and it’s not difficult for even a relatively unsophisticated cybercriminal to probe your organisation’s devices for a way in. The rule of thumb is ‘default deny’: block everything inbound except the handful of services you deliberately expose, and let replies to connections your own people opened back in.
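As an added example (not from the original page, and not a real firewall implementation), here is the bouncer’s decision written out as a minimal stateful packet filter in Python: outbound connections from the office are allowed and remembered, replies to them are let back in, one deliberately exposed service is allowed, and everything else arriving from the internet is denied. The office range 10.0.0.0/24, the internet addresses in 203.0.113.0/24, the allowed service and the sample packets are all constructed for the illustration.

```python
"""A minimal stateful packet filter to show what a firewall actually decides.

Added example, not from the original page. Addresses, the rule set and the
sample packets are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

OFFICE = ipaddress.ip_network("10.0.0.0/24")   # assumption: the trusted network
INBOUND_ALLOW = {("tcp", 443)}                  # services deliberately exposed to the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


Flow = Tuple[str, str, str, int, int]  # proto, src, dst, sport, dport


class Firewall:
    """Default-deny inbound; outbound from the office is allowed and remembered so replies get back."""

    def __init__(self):
        self._established: Set[Flow] = set()
        self.log: List[str] = []

    def _decide(self, p: Packet) -> str:
        if ipaddress.ip_address(p.src) in OFFICE:
            # Trusted side opening a connection: allow it and remember the flow.
            self._established.add((p.proto, p.src, p.dst, p.sport, p.dport))
            return "allow"
        # Untrusted side: only replies to our own flows, or explicitly exposed services.
        answers_our_flow: Flow = (p.proto, p.dst, p.src, p.dport, p.sport)
        if answers_our_flow in self._established:
            return "allow"
        if (p.proto, p.dport) in INBOUND_ALLOW:
            return "allow"
        return "deny"

    def filter(self, p: Packet) -> str:
        verdict = self._decide(p)
        self.log.append(f"{verdict} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict


if __name__ == "__main__":
    fw = Firewall()
    fw.filter(Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 443))    # staff browsing out
    fw.filter(Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000))    # the web server replying
    fw.filter(Packet("203.0.113.77", "10.0.0.5", "tcp", 40000, 3389))  # unsolicited remote-desktop probe
    print("\n".join(fw.log))
```

The unsolicited probe on port 3389 is exactly the kind of scan the page warns about; with default-deny in place it is dropped before any software on the laptop ever sees it.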

Find out more about firewalls here.

Policies

A ‘policy’, in cybersecurity terms, is a set of principles that guide decisions within an organisation. These principles can inform the decisions senior management make or guide employees in their day-to-day activities.

What is the purpose of a policy?

A well-crafted policy can help your organisation achieve its goals, say reducing the risk of phishing attacks. Any policy worth its salt should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision making. 

Why are policies so important? 

95% of security breaches occur through human error. However, improving your cybersecurity isn’t about blaming employees for their all-too-human mistakes. It’s about giving your people the tools and knowledge to better protect themselves.

This is where policies come in. Policies and procedures provide a roadmap for day-to-day operations. They ensure compliance with laws and regulations, offer guidance, and even help employees make better decisions. After all, if your people don’t know which behaviours are harmful, they can’t correct them.

But clear, readily available policies have benefits beyond merely reducing the likelihood of a successful security breach. Think improved business efficiency, better customer service and a safer workplace.

Policies are a simple tool, but one that provides an important first line of defence for your business against cyber threats.

For more on policies, read this.

Two-factor authentication

In simple terms, two-factor authentication (2FA) is an extra layer of protection on top of your password: something you have (your phone or a security key) as well as something you know. Think about when you log into your online banking: chances are that, after your password or PIN, you have to enter a one-time code sent by SMS or generated by an app. That’s 2FA (or, with more than two checks, multi-factor authentication). Note that a PIN plus a memorable word are both things you know, so together they count as one factor, not two.

Switching on 2FA couldn’t be simpler. Most services offer it in their security settings; you then use a free authenticator app such as Google Authenticator to generate the codes. App-generated codes or a hardware security key are stronger than SMS codes, which can be intercepted through SIM swapping, but any second factor is a big improvement on a password alone. It’s a quick and easy way to instantly improve your cybersecurity.

CyberSmart Active Protect

With remote working fast becoming the norm, it’s never been more important that your staff can access company systems and data safely from any device. Unfortunately, a certificate only tells you the controls were in place on the day of assessment. So how do you ensure your people are working safely all the time, even if they’re using personal devices?

CyberSmart Active Protect does exactly that. Installable on any device, Active Protect scans your devices every 15 minutes, checking all installed software against the National Vulnerability Database. If a device fails a security check, you’ll be notified via the CyberSmart Dashboard with step-by-step guidance on how to fix the issue.

In addition to security monitoring, Active Protect also allows you to distribute company security policies to any device through the CyberSmart Policy Manager. So your people will have access to the guidance they need wherever they are.

Find out more here

Security training

When you think about tools for improving your organisation’s cybersecurity, it’s likely things such as anti-virus software, firewalls and encryption that immediately spring to mind. And, if it appears at all, security training is probably some way down the list.

However, security training is one of the most effective ways to protect your business against cyber threats. Here’s everything you need to know. 

Why is training so important? 

According to research, 95% of cyber breaches can be put down to human error. Or, in simpler terms, if your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them. 

The best way to beat this is through training. Training can help your people better recognise and understand the threats they face. And, more importantly, learn how to counter them. 

For more on why training is so important, read our blog on the subject

What does effective security training look like? 

Firstly, there’s no such thing as one-size-fits-all security training. Well, at least not if you want it to be effective. The sort of training your business requires will depend on your staff and their knowledge gaps. 

For some businesses, this means starting with the basics. Meanwhile, in others, training addressing specific weak spots in employee knowledge will prove the best route. To read more on tailoring security training to your business, check out this excellent piece from our UX Researcher Anete.

Whichever approach you choose, remember there’s such a thing as too much information. Learning about cybersecurity (especially for the first time) can feel overwhelming. 

There is a multitude of different threats and concepts to learn. So keep it simple. Your employees don’t need to know everything or become cybersecurity experts overnight. They just need the information that’s most relevant to your industry or business. 

Training should follow the little and often approach. Little, because no one learns best by bombardment. Often, so that your people get into the habit of thinking about cybersecurity regularly. 

Think short, sharp exercises that fit into a lunch break or the time between meetings. It’s important that the training doesn’t impact staff’s core work or become a chore they quickly disengage from. 

And, finally, make it engaging. Include a mix of text, videos and interactive tasks in your training. After all, few of us learn best when the method is boring or feels like a slog.

How do you get started?

By this point, you’re hopefully convinced by the merits of security training. You may even have a good idea of which knowledge gaps you need to address within your business. But where do you start?  

At CyberSmart, we’ve noticed a gap in the market for engaging, jargon-free training to help build cybersecurity awareness within SMEs. So, we’ve created CyberSmart Academy. CyberSmart Academy is a simple, do-it-yourself approach to security training. And it’s available to anyone who uses CyberSmart Active Protect. 

Through a series of bite-sized modules, CyberSmart Academy helps your people sharpen their knowledge of cyber threats and develop the skills needed to avoid them. Through videos, articles and interactive quizzes, your staff will quickly boost their knowledge. And, with each module designed to fit into a lunch break, it won’t impact their work or bore them to death. 

We’ve even included a little healthy competition into the process. Once training is complete, staff enter into a company-wide league table, so they can see how they performed against their peers.

Ready to protect your business?

Speak to a member of our team today.

Get in touch