
Apricorn comments on cybersecurity trends facing SMEs

The cyber threat landscape facing SMEs represents a significant business risk, extending beyond purely technological concerns to potentially cause substantial financial and reputational damage. With cyberattacks becoming increasingly sophisticated, we talk to Jon Fielding, Managing Director, EMEA, Apricorn, about some of the complex cybersecurity challenges facing SMEs.

“IT budgets are set to remain flat due to the current economic doldrums, which will make it difficult for firms to justify the additional investment needed to boost SME security. Alongside this the skills gap continues to widen, but interestingly this is no longer down to the number of ‘boots on the ground’. The ISC2 2025 Cybersecurity Workforce Study, which historically looked at the number of personnel in the sector, attests that the need for critical skills is now more important than the number of people, and it will be interesting to see if AI can help in this regard by assisting and augmenting or even upskilling the workforce. But AI tooling is a double-edged sword that will benefit both defenders and attackers. In fact, 70% of those at small organizations had experienced an AI-related security incident, the highest level in the ISC2 survey, revealing SMEs are particularly exposed.”

“Phishing, malware and ransomware are the dominant attacks affecting the SME sector. Unlike larger businesses, SMEs often struggle to devote the necessary resources to security, which means the impact of these attacks can be devastating. Yet there’s no real reason for the SME to be a sitting duck. Most attacks take advantage of a low level of cyber hygiene, such as tardy patching or failing to ensure there’s an alternative backup, so by attending to the basics it’s possible to significantly reduce the likelihood of a breach and the blast radius.”

“Cybersecurity has to become more visible and part of the business culture. That means top-down leadership that prioritizes and promotes best practice such as the use of company-sanctioned devices and enterprise-wide encryption. It means creating security awareness training programs that have real relevance to staff and utilise their experiences to make the messaging meaningful and impactful. And it means putting in place processes that make sense so that staff don’t work around them. Backup is a great example here. It’s a critical element of recovery, but relying on staff to back up their own data will inevitably lead to data being missed or backed up erroneously, so automated backup is preferable. Alongside this it’s important to create an open culture where everyone is heard so that if an incident does occur, it’s reported and can be acted upon quickly.”

“A Vodafone report found the average cost of a cyber attack for a small business was £3,398, rising to £5,001 for those with 50 employees. Other impacts include punitive regulatory measures or fines, potential damage to the reputation of the business which could lead to loss of custom, and of course the cost of any remedial action. However, the Cyber Security Breaches Survey 2025 found that while many SMEs have instigated some form of incident response, 36% took no action post-breach to prevent future breaches or attacks. It’s not clear why, although perhaps it’s due to lack of resource or the misguided notion that lightning doesn’t strike twice, even though it’s very common for organizations to be attacked multiple times.”

At a grass roots level, breaches can also impact confidence in the company and its ability to support its staff. “The same survey found outcomes ranging from compromised accounts, to money being stolen, corrupted systems, personal data that was altered, destroyed or taken, and permanent loss of files. In fact, a third of cyber attacks lead to employee dismissals (either due to a blame culture or out of financial necessity).”

“With regards to cyber security breaches sinking businesses, the headline statistic often quoted is that 60% of SMEs go out of business within six months of an attack, but this has little basis in fact (it has been openly refuted by the alleged source, the National Cyber Security Alliance). But the Vodafone survey did find that 28% of SMEs said an attack could potentially put them out of business.”

“Backups are a routine safety measure, but as with any parachute it’s only when you come to use it that you wish you’d maintained and tested it more often. In the annual Apricorn survey we found that 31% of IT decision makers had to resort to recovering from backups in 2025. Of those, 58% were able to do so successfully, but 31% were only able to partially recover their data/documents because they did not have robust backup processes in place. In addition, 13% stated their current backup systems were not sufficiently robust to allow rapid recovery. These statistics indicate that, despite having backups in place, those processes were not fit for purpose.”

“Moreover, the Cyber Security Breaches Survey reveals that only 47% of businesses back up data by another means (statistics were not available purely for SMEs). This means few are following the 3-2-1 rule, which states that at least three copies of data are retained, with two stored on different media, one of which is offsite. One copy of the data should be offline, for example on an encrypted removable hard drive that can be disconnected from the network.”
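The 3-2-1 rule and the offline-copy and restore-testing points from the two paragraphs above can be turned into a simple inventory check. The following is an added example written for this page, not Apricorn's code or the survey's methodology; the `DataCopy` fields, the 90-day restore-test window and the two sample inventories are assumptions constructed to illustrate the check.

```python
"""Evaluate a backup inventory against the 3-2-1 rule plus the
"one copy offline" and "recently test-restored" expectations.
Added example for this page; the inventories below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class DataCopy:
    label: str
    medium: str                                  # e.g. "server-disk", "nas", "cloud", "usb-encrypted"
    offsite: bool                                # kept at a different physical location
    offline: bool                                # disconnected from the network when not in use
    encrypted: bool
    last_restore_test_days: Optional[int] = None  # days since a test restore; None = never tested
    is_primary: bool = False                     # the live production data counts as one of the three


def evaluate_321(copies: Iterable[DataCopy], max_test_age_days: int = 90) -> Dict[str, bool]:
    """Return named pass/fail checks plus an overall 'compliant' flag."""
    copies = list(copies)
    backups = [c for c in copies if not c.is_primary]
    offline = [c for c in copies if c.offline]
    checks = {
        # 3: at least three copies, counting the live data
        "three_copies": len(copies) >= 3,
        # 2: the copies span at least two distinct storage media
        "two_media": len({c.medium for c in copies}) >= 2,
        # 1: at least one copy is held offsite
        "one_offsite": any(c.offsite for c in copies),
        # one copy is unreachable from the network, so ransomware cannot touch it
        "one_offline": bool(offline),
        # a removable offline copy can be lost or stolen, so it must be encrypted
        "offline_copies_encrypted": bool(offline) and all(c.encrypted for c in offline),
        # a backup nobody has restored from recently is an untested parachute
        "restore_tested": any(
            c.last_restore_test_days is not None and c.last_restore_test_days <= max_test_age_days
            for c in backups
        ),
    }
    checks["compliant"] = all(checks.values())
    return checks


ADVICE = {
    "three_copies": "fewer than three copies: add another backup target",
    "two_media": "all copies share one medium: add a copy on different media",
    "one_offsite": "no offsite copy: a site fire or theft loses everything",
    "one_offline": "no offline copy: a network compromise can reach every copy",
    "offline_copies_encrypted": "offline copy is unencrypted: use an encrypted removable drive",
    "restore_tested": "no recent test restore: schedule and record a restore drill",
}


def gaps(checks: Dict[str, bool]) -> List[str]:
    """Translate failed checks into remediation notes."""
    return [ADVICE[name] for name, ok in checks.items() if name in ADVICE and not ok]


# Constructed sample: a single nightly copy to a NAS on the same LAN.
WEAK_INVENTORY = [
    DataCopy("live file server", "server-disk", offsite=False, offline=False, encrypted=False, is_primary=True),
    DataCopy("nightly copy to NAS", "nas", offsite=False, offline=False, encrypted=False),
]

# Constructed sample: cloud copy plus a weekly encrypted USB drive kept in a safe.
GOOD_INVENTORY = [
    DataCopy("live file server", "server-disk", offsite=False, offline=False, encrypted=False, is_primary=True),
    DataCopy("cloud backup", "cloud", offsite=True, offline=False, encrypted=True, last_restore_test_days=30),
    DataCopy("weekly encrypted USB drive", "usb-encrypted", offsite=False, offline=True, encrypted=True,
             last_restore_test_days=14),
]


if __name__ == "__main__":
    for name, inventory in (("weak", WEAK_INVENTORY), ("good", GOOD_INVENTORY)):
        result = evaluate_321(inventory)
        print(name, "compliant" if result["compliant"] else "NOT compliant")
        for note in gaps(result):
            print("  -", note)
```

The check treats the live data as one of the three copies, which is the usual reading of the rule quoted above; if your policy counts only backup copies, change the `three_copies` line to count `backups` instead.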

“People have begun to migrate back to the office, but it’s still commonplace for workers to spend a portion of their time working remotely. SMEs therefore have to consider how they will ensure their staff can do so securely. Having in place acceptable use policies that detail how workers can access and store data is imperative. This should include details on which storage devices are permitted and the level of encryption required if non-sanctioned company devices are allowed.”

“When those workers return to the office, it’s also important to have in place controls to stop just any external hard drive or USB stick being plugged into the network. Setting ports to reject any device that isn’t permitted can significantly reduce the likelihood of the network being infected by malware.”

“Without doubt, cyber criminals are diversifying their attacks on SMEs. Ransomware is a significant problem despite law enforcement efforts, because this has led to the formation of splinter groups and their affiliates. These are expanding their remit to target SMEs, who are seen as being under-resourced and lacking in protection. These same threat actors are also targeting software supply chains by issuing malicious updates, which the SME then becomes infected with by proxy. The Cl0p ransomware gang, for instance, was able to compromise secure file transfer tools from Accellion, Fortra and of course MOVEit, with the latter affecting close to 400 organizations. Such tools allow the cost-effective and efficient transfer of high volumes of data, so are in widespread use among SMEs.”

“It’s a situation that’s set to worsen because all roads seemingly lead these attackers to the SME. The focus on cyber spend is seeing defences improve among big business, and there’s also a big push on regulation. Last year we saw the Government carry out a consultation on ransomware reporting which is likely to either ban or discourage businesses of a certain size from paying ransoms. This will almost certainly paint a cross on the back of the SME, who will become the only viable target.”

So, should SMEs be putting in place cyber insurance policies? “The Association of Business Insurers reveals that SMEs have previously considered themselves too small to be targeted by cyber criminals, so opt not to invest in cyber insurance. However, the Cyber Security Breaches Survey found 62% of SMEs now have cyber insurance in place, up from 49% in 2024. That’s a welcome turnaround because, from an attacker’s point of view, the 5.7 million SMEs that exist in the UK are well worth attacking, collectively generating over £2.8 trillion in turnover.”

“Taking out a cyber insurance policy makes sense as it can safeguard the business against high-risk events such as ransomware, phishing, and insider incidents as well as third party aka supply chain attacks.”

“Going through the process of meeting the policy demands is also beneficial. The Apricorn survey found that businesses that do take out a policy have to take steps to meet the insurer’s requirements, boosting their resilience, with 54% ensuring they have efficient backup strategies, 61% encrypted data backup, 57% employee training and awareness, 49% encrypted storage at rest and 44% encrypted storage on the move. Such measures tally with cyber hygiene best practice and reduce the potential for attack, as well as allowing those business owners to sleep at night.”
