Many small and medium-sized enterprises (SMEs) continue to operate under the belief that they are unlikely targets for cyberattacks. The prevailing assumption is that cybercriminals focus primarily on large corporations with deeper pockets and higher-profile data. However, this mindset is both dangerous and misguided, according to the UK’s National Cyber Security Centre (NCSC), which is linked to GCHQ.

The NCSC has cautioned that SMEs are often more vulnerable than large organizations precisely because of this false sense of security. In a recent post on LinkedIn, Richard Horne, Chief Executive Officer of the NCSC, highlighted that a significant number of SMEs remain either unprepared or underprepared to deal with increasingly sophisticated cyber threats. This lack of readiness, he explained, stems largely from the mistaken belief that cybercriminals have no incentive to target smaller firms.

Horne stressed that this assumption is incorrect. In reality, most threat actors are indifferent to an organization’s size or the sector in which it operates. Instead, attackers focus on identifying weaknesses—unpatched systems, poor access controls, misconfigured networks, and human error—that can be exploited with minimal effort. SMEs often fit this profile, making them attractive targets rather than unlikely ones.

Furthermore, many SMEs are data-intensive businesses, handling sensitive customer information, financial records, intellectual property, or operational data. For cybercriminals, breaching such organizations can have devastating consequences for the victim while still yielding financial gain through ransomware, data theft, or fraud. In many cases, SMEs suffer disproportionately from cyber incidents because they lack the resources, expertise, or resilience to recover quickly.

To address this growing risk, the UK’s national cybersecurity body has developed the Cyber Essentials certification, a practical framework designed to help organizations of all sizes improve their cyber hygiene. The scheme outlines five core principles that significantly reduce the likelihood of successful cyberattacks or help mitigate their impact.

The first principle focuses on secure configuration, ensuring systems are set up in a way that minimizes opportunities for attackers to gain access. The second emphasizes restricting user access, which limits what individuals can see or do on a network and prevents unauthorized or fraudulent entry. The third principle involves installing and maintaining effective malware protection to block malicious software before it can cause harm. The fourth is automatic security updates, ensuring known vulnerabilities in software are patched promptly. Finally, the use of firewalls helps protect devices and networks from internet-based threats.

By adopting these foundational measures, SMEs can significantly strengthen their defenses and move away from the risky assumption that cyberattacks are a problem only for larger enterprises.