In this Help Net Security interview, Steven Furnell, Professor of Cyber Security at the University of Nottingham, illustrates how small and medium-sized businesses (SMEs) must reassess their risk exposure and prioritize resilience to safeguard their long-term growth and stability.

Learn how SMEs can better protect themselves, adapt to regulations, and build stronger cyber resilience.

Where do you see SMEs most vulnerable? Is it still phishing and ransomware, or are there more nuanced threats emerging?

Phishing and ransomware are still prominent threats, and so they are certainly issues that SMEs need to be aware of. Attackers are willing and able to scale their demands to match whatever they think the victim is likely to be able to afford, and so the fact that an SME doesn’t have as much in the bank as a big player is not a default disincentive to target them. However, these aren’t the only threats, and the unfortunate reality is that SMEs can be vulnerable to anything they’ve not prepared for.

If we look at the latest Cyber Security Breaches Survey it shows phishing as the most prominent issue, with 85% of businesses having experienced related attacks or breaches in the last year. However, the findings also suggest that small businesses are more likely to experience impersonation-related attacks (e.g. others impersonating their organisation or staff in emails or other online contexts). Indeed, the survey showed that 51% of small businesses experienced this compared to a third of businesses overall.

What are the most common misconceptions SMEs have about cybersecurity, and how do those misconceptions put them at risk?

Fundamentally I’d say the main misconception is that their size places them at less risk of experiencing an incident. However, if we again look at results from the Cyber Security Breaches Survey they continue to show that SMEs are anything but immune here. Using the 2025 survey results as a specific example, while the accompanying commentary encouragingly refers to “significant decreases among micro and small businesses” when compared to previous years, it still reports 41% of micro businesses and 50% of small ones having identified breaches or attacks in the last 12 months.

Meanwhile, two-thirds of medium businesses had identified something, as compared to three quarters of large ones. On the surface, these figures might suggest that SMEs (and the micro and small organisations in particular) could be right to conclude that they are at less risk of a breach. However, this overlooks that the large and medium organisations may simply have been better placed to identify incidents in the first place (e.g. through having cyber security expertise and capability in-house and already having eyes on the issue). And in any case, with half of small businesses still having identified something, they are not good odds to bet against.

Another misconception would be to consider that cyber breaches exclusively occur as a result of targeted attacks. It’s important to recognise that many attacks are still opportunistic – if you’re vulnerable to a given exploit, then you stand to get affected. And also, of course, many breaches are unrelated to attacks. Data loss can occur through device failures, and data breaches can occur from accidental and unintentional origins. If these aspects are overlooked, then significant areas of risk can still remain.

How can vendors better tailor their products and services to meet the specific needs and constraints of SMEs, without sacrificing security?

A key thing is to think about the various constraints that SMEs are facing, which are typically an unenviable combination of budgets, skills and time.

From the budget perspective, it’s relevant to think about SME-friendly pricing or licensing, and to recognise that SMEs themselves are far from a uniform population – what is affordable for a medium business may be far less accessible to a micro or small one.

The same essentially applies from the other perspectives as well – vendors should consider the potential for products to be used and deployed as easily as possible, by organisations that don’t have significant in-house IT support.

How are changing regulatory requirements — like NIS2 in Europe or privacy laws — affecting SMEs’ approach to cybersecurity?

It’s a sign of the times, and ultimately positive from the cyber security perspective, but it can still represent a challenge. NIS2 widens the scope of organisations falling within its remit, with a wider range of sectors being expected to be compliant. Although it directly addresses medium and large organisations, it’s easy to imagine onward pressure for smaller players as the larger ones consider risks in their supply chain.

In the UK we already have a cyber security accreditation that SMEs could aim towards in the form of the government-backed Cyber Essentials scheme, and there is evidence to suggest that more businesses are motivated to seek it on the basis of expectations and requirements from clients or partners.

So, from the SME perspective (as for other businesses), it becomes progressively harder to ignore the issue, but unfortunately this makes it no easier to deal with if they are still facing the aforementioned constraints.

What practical first steps would you recommend to an SME that’s just beginning to take cybersecurity seriously?

Fundamentally take the step of looking at your position if you haven’t already done so. Understand your use of technology – the data you hold, the devices you use, your online presence and dependence – and what it means for the business. If any element were to be compromised, what would happen, and do you have safeguards in place to prevent and detect incidents, and (if necessary) recover in the event of problems?

A good starting point for actual guidance would be to take a look at the National Cyber Security Centre’s Small Business Guide. This has some clearly identified steps, and associated tips, addressing some core areas of protection.

As time goes on, we’d also hope to suggest that SMEs join a Cyber Security Community of Support, which is the approach we are designing and trialling as part of our current CyCOS project. As the name suggests, the aim is to build communities in which SMEs can engage with cyber security issues in an accessible and collaborative context, with communities that include a mixture of SMEs themselves, alongside cyber security advisors and providers.

The intention is not to replace existing cyber security support, but to offer a further channel through which cyber security issues can be socialised within a peer environment. SMEs can then pose questions, share experiences, offer recommendations etc., in a way that enables them to help themselves as the communities develop. At this stage, we are still in the preparatory stages of the work, but we will be establishing a series of community pilots in the latter half of the year.

If you’re attending Infosecurity Europe 2025, you can hear Prof. Steven Furnell in the “Enabling Cyber Security Communities of Support for SMEs” session on the keynote stage, Wednesday, 4th Jun at 11:45 am.
