Cyber security in UK SMEs: What, why, and how?

Published on 12/01/2022 by Sukanya Awasthi

As consumers, we live in a digital world. Technology affects how we communicate, shop, spend our leisure time, and look after our money, and this applies just as much to the world of business. Even if your small to medium enterprise (SME) doesn’t exclusively operate online, there’s a good chance you use the web for email, ordering supplies, handling tax returns, and online banking, for example.


This raises the issue of cyber security. Keeping your data, people, and business safe when connected to the internet is just as important as physical measures such as installing the correct locks and a burglar alarm, but it can be daunting to SMEs who are not IT experts.

In this two-part blog series, we look at cyber security for UK SMEs. Our insight is based on a survey of 500 managers at companies with 250 employees or fewer. In part one, we look at the major cyber threats to SMEs and some of the cyber security software they might employ to defend against them. In part two, we will take a look at the processes and training required to round off a comprehensive SME security programme.

Scroll down for the full methodology for our survey.

How is COVID-19 affecting cyber security in the UK?

COVID-19 gave cybercriminals new opportunities to launch attacks. First, there were many more people working from home after March 2020 than before. A study by YouGov found that the number of British people working from home at least some of the time has risen 37% since before the pandemic. The speed of transition to home-working meant that some companies prioritised enablement over security. An IBM survey from June 2020 found that 53% of people newly working from home in the United States were using their personal laptops for work (often with no new tools to secure them) and that 45% had not received any new training. Attackers exploited these vulnerabilities. According to Security Magazine, the UK experienced a 31% rise in cyber attacks during the height of the pandemic in May and June 2020.

Second, cybercriminals capitalised on people’s fears about COVID-19 and the general uncertainty of the pandemic to launch new attacks. These included scam emails where hackers posed as government bodies offering a COVID-19 vaccine or seeking personal information from the victim. The victims would be tricked into handing over personal or financial data, or downloading malicious software.

Of the SME managers we surveyed in late 2021, 62% said they had seen an increase in attacks in the last 2 years. And of those, 12% said that the increase was significant. Furthermore, SME employees can protect against certain cyberattacks.


Weak passwords remain a problem

SMEs may be aware of vulnerabilities that require specific remedial action, although many companies are also unaware of any vulnerabilities they might have. Common weaknesses can include careless employees, insufficient network security, software bugs, and unencrypted data, to name a few. Passwords and authentication continue to be a cyber security bugbear for SMEs. In our survey, 39% admitted to reusing passwords on work accounts, for example.


But there are some simple good practices and low-cost, low-effort technical solutions that SMEs can employ. The first is good password hygiene. The UK National Cyber Security Centre (NCSC) has a step-by-step guide to cyber security for SMEs, and step 4 covers protecting data with passwords.

The guide has tips on setting easy-to-remember but hard-to-guess passwords and helping staff manage ‘password overload’ with password management software.

The guide also recommends turning on two-factor authentication (2FA) where possible for important accounts. This is a secondary method of authentication, such as a code sent to a mobile phone that users enter in addition to a password, to access an account. It is also known as multi-factor authentication (MFA), especially when more than two methods are used.

We asked SME managers whether their organisation uses two-factor authentication for business applications, and most do. 21% said they do so for all applications, and 52% for some applications.

Did you know? Password management software can help businesses generate strong passwords for accounts, store them securely, and share them safely within the business. Some solutions also offer multi-factor authentication, the ability to sign onto multiple services using one set of login credentials (‘single sign-on’ or SSO), and the ability to reset passwords automatically.

What cyber defences do UK SMEs have in place?

SMEs have a range of technical solutions they can deploy to protect themselves against cyber threats. 

Two of the most common types of computer security software at SMEs are likely to be anti-virus and anti-malware, which are familiar to consumers as they have been bundled with PCs for many years. Today, ‘invisible’ anti-virus solutions are often included within the computer’s operating system, too. Other software-specific measures can include the procurement of firewall solutions. Traditionally, firewalls were physical devices that a company could install on its on-site network to protect it from attacks. Today, many businesses operate outside of a physical network (either in the cloud or with employees logging in remotely), so firewall software is more common and works as part of an overall network and cloud monitoring solution.

Another vital part of any data protection strategy (and step 1 in the NCSC guide for small business cyber security) is data backup. It is possible to buy specialist backup software, which simplifies and automates the backup process, meaning managers don’t have to actively copy data onto secondary devices.

All of these preventative software-based solutions, along with staff training and other offline measures, can form part of a wider cyber security incident response plan. We asked managers in our survey to tell us if they have a formal incident response plan in place to deploy in the event of a cyber security breach. Half of the respondents said no, whilst 18% said they were not sure.


In part two of this series, we will explore the need for businesses to have an incident response plan in place. We will also take a look at a more holistic SME security programme and ask how people and processes can augment the defences that technology provides.

Key takeaways

  • COVID-19 has increased the number of threats, but SMEs have not adjusted their practices.
  • SMEs can take simple, zero- and low-cost steps to improve their password hygiene.
  • Most SMEs have anti-virus software in place, and many also use other technical solutions.


To collect the data for this report, we conducted an online survey on cyber security from November 2021 to December 2021. Of the total respondents, we were able to identify 500 UK respondents who fit within our criteria:

  • UK resident.
  • Over 18 years of age.
  • Business owner or decision-maker for a UK SME (a company with 250 employees or fewer).


About the author

Sukanya is a Content Analyst for the UK and India market. Committed to offering insights on technology, emerging trends and software suggestions to SMEs. Café hopper and a dog mom.
