As we head into 2026, the cyber threat landscape continues to evolve at an alarming pace. While household names like Marks & Spencer, the Co-op, and Jaguar Land Rover made headlines for devastating breaches in 2025, cybercriminals are increasingly setting their sights on small and medium-sized businesses across London and the UK. The calculus is straightforward: SMBs hold valuable data but often lack the sophisticated defences that make larger enterprises harder targets.
The Numbers Paint a Stark Picture
According to the UK Government's Cyber Security Breaches Survey 2025, 43% of UK businesses identified a cyber attack or breach in the past year—equivalent to approximately 612,000 companies nationwide. For medium-sized businesses, this figure jumps to 67%, while large businesses face even higher exposure at 74%.
The financial toll is equally sobering. The average cost for micro and small businesses to recover from a serious breach now stands at £7,960, though costs vary significantly based on incident severity. For cyber-facilitated fraud, where breaches lead to fraudulent activity, the average cost is £5,900, rising to £10,000 when excluding zero-cost responses. More concerning still, research from Vodafone found that 28% of SMBs say a single attack could put them out of business entirely.
Ransomware incidents have doubled year-on-year, rising from under 0.5% of businesses affected in 2024 to 1% in 2025, translating to an estimated 19,000 organisations now dealing with this threat. With upcoming UK ransomware legislation potentially restricting ransom payments by critical national infrastructure operators, experts predict attackers will increasingly pivot toward softer SMB targets.
Why Attackers Are Focusing on SMBs
Understanding what makes your business attractive to cybercriminals is the first step toward effective protection.
Limited Security Resources
Most SMBs operate without dedicated IT security teams. According to BT research, around two million UK SMBs, approximately 39% of the total, have not provided any cyber security training to their staff. Only 40% of businesses are using two-factor authentication, and just 19% provide regular staff training around cyber security. Attackers know this creates exploitable gaps that would be quickly addressed in larger organisations.
Valuable Data, Weaker Protection
Your client databases, financial records, and intellectual property are just as valuable as those held by large corporations. The difference lies in protection levels. While 62% of small businesses now have cyber insurance (up significantly from 49% in 2024), many still lack the fundamental technical controls that would prevent an attack in the first place.
Gateway to Larger Targets
If your business works with larger enterprises, common in London's professional services sector, attackers may target you as a stepping stone. Supply chain attacks have surged in 2025, with high-profile incidents demonstrating how a breach at one smaller supplier can cascade through entire networks. The M&S attack reportedly originated through social engineering of a third-party contractor's service desk. Only 14% of UK businesses currently review the cybersecurity practices of their immediate suppliers, leaving a significant blind spot.
Common Attack Vectors
Understanding how attacks occur helps you defend against them.
Phishing remains overwhelmingly dominant, cited by 85% of businesses that experienced breaches. AI-powered impersonation techniques are making these attacks increasingly sophisticated and harder to detect. Professional cybersecurity services include email filtering and security awareness training to combat this primary threat vector.
Ransomware attacks have become more targeted and more devastating. Large businesses were disproportionately affected, with 14% reporting incidents compared to 6% overall. The recent JLR attack halted production for nearly a month, putting an estimated 104,000 UK supply chain jobs at risk. A robust backup and disaster recovery strategy is your best defence against ransomware extortion.
Business Email Compromise scams continue to trick employees into transferring funds or sensitive data. QR code-related scams, known as "quishing," have surged by 1,400% over the past five years.
Credential stuffing exploits reused passwords across multiple services, while supply chain compromises increasingly use smaller vendors as entry points to larger networks.
Building Your Defence
The encouraging news is that small businesses are improving their cyber hygiene. Risk assessments have increased from 41% to 48%, cyber insurance adoption jumped 13 percentage points, and more SMBs are adopting formal policies and business continuity plans. However, the rate of risk continues to outstrip the rate of uptake of sensible precautions.
Most attacks succeed not because of sophisticated techniques, but because basic security hygiene wasn't followed. Organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance.
Essential Security Measures
Multi-factor authentication on all critical systems and email remains fundamental, yet only 40% of UK businesses currently use it. Regular security awareness training for all staff is vital—the most common preventative measure adopted following a breach (32% of businesses) is additional staff training. A robust backup strategy with tested recovery procedures ensures you can restore operations without paying ransoms. Email security with DMARC, DKIM, and SPF properly configured helps prevent impersonation attacks. Endpoint protection with modern, managed security tools provides the technical foundation for defence. These essential measures form the core of our managed IT services offering.
The Compliance Advantage
For businesses in financial services, legal, or professional services, security certifications deliver genuine competitive advantage. Cyber Essentials certification isn't just a checkbox. Government statistics confirm that certified organisations are 92% less likely to face successful breaches. Yet only 3% of UK businesses currently hold the certification, despite many medium and large businesses already meeting the standard without seeking formal recognition. Building a formal information security programme is increasingly essential for winning enterprise clients.
Many larger clients now require suppliers to demonstrate basic security hygiene before doing business. As supply chain security becomes increasingly scrutinised following 2025's high-profile attacks, certification may shift from competitive advantage to essential requirement.
Taking Action
Don't wait for an attack to take security seriously. The government's record 204 nationally significant cyber incidents handled in 2025 demonstrates that threats are escalating. Start with a security assessment to understand your current posture and prioritise improvements based on your specific risks.
For London-based SMBs, working with a local managed security provider can give you access to enterprise-grade protection without the enterprise-grade price tag. The investment required for proper security implementation, typically £3,000-10,000, is a fraction of the potential £200,000-500,000 in ransomware losses that could otherwise follow. Whether you're an established firm or a fast-growing startup, the fundamentals of security remain the same.
The criminals are adapting their strategies. The insurance markets are pricing in elevated SMB risk. Your supply chain partners are preparing for potential compliance obligations. The question isn't whether to act; it's whether you'll be prepared before the next attack arrives.


