Cybersecurity and SMEs

The impact of cyber attacks on SMEs

Small and medium enterprises (SMEs) are increasingly vulnerable in today’s digital economy. In the UK, there are about 5.5 million SMEs – roughly 99% of all businesses – yet many lack the resources of larger firms to defend against cyber threats. Attacks on these businesses are becoming more frequent and costly.

According to the Cyber Security Breaches Survey 2024 – technical report, about half of all businesses (50%) and three-quarters of medium-to-large firms report experiencing a cyber attack or breach in the past year. Smaller firms are targeted most often: 42% of small UK businesses and 67% of medium businesses were hit in the last year. Phishing scams are by far the most common attack (targeting about 85% of firms), but SMEs face other threats too – from ransomware encrypting files to fraud via fake invoices.

Financial impact on businesses

Cyber attacks can inflict severe financial damage on SMEs. Immediate costs include paying ransoms or covering stolen funds, but even without extortion demands the recovery process is expensive. Government research estimates the average cost of the single most disruptive breach per business at around £1,600 (about £3,550 excluding those reporting zero cost). According to a BT-sponsored survey, micro and small businesses will on average pay around £7,960 recovering from a serious data breach.

These expenses are the result of restoring systems, examining the breach, and fixing damage. In addition to these direct costs, cyber attacks also cause lost revenue through downtime, as operations can cease while systems are brought back online. For SMEs, just a matter of days offline can be equivalent to missing payroll or revenue targets, with lasting effects on cash flow and credit. The aggregate effect is staggering: one estimate pegged the total UK business losses due to cybercrime as running into tens of billions per year.

One high-profile example is Jaguar Land Rover (JLR), which in September 2025 was ‘severely disrupted’ by a cyber attack on its systems. JLR was hugely damaged by the hack, which caused a 17.1% sales slump from July to September compared to 2024.

Although the hack caused an enormous amount of disruption to JLR, the impact is felt more by the businesses underneath JLR, who struggled to cope with the car manufacturer being closed for almost a month. The “turmoil across its sprawling supply chain” is something that is hard to quantify.

In September 2025, JLR was hit with a huge cyber attack, which sent shockwaves down the supply chain.

Operational disruption

Aside from money, cyber attacks disrupt normal business operations. Vital information or systems can be shut down or disabled, leading to the suspension of service provision or project delivery. For example, ransomware can freeze sales or accounting systems until the ransom is paid or backups are activated. A Hiscox survey has found that 30% of businesses that had been attacked noted drops in key performance indicators (such as revenue or productivity) following the breach.

Even unsophisticated breaches like phishing consume staff time, as the IT team has to investigate and restore email services. Supply chains can be vulnerable too: should your partners or vendors be breached, a small business can lose access overnight to orders or raw materials. Prolonged shutdowns can be fatal; researchers surveyed have noted that prolonged interruption from a cyber attack, or total inability to recover, is a frequently cited reason for small business failure.

Reputational and customer trust damage

The fallout of a cyber attack isn’t only technical, as it erodes customer and public trust. News of a data breach or fraud can damage a company’s brand and credibility. In a recent UK SME cyber readiness report by Hiscox, 29% of SMEs said they found it harder to attract new business after a cyber attack. Existing clients may also become wary: if customer personal or payment data was exposed, customers could switch providers.

Rebuilding goodwill requires time and investment. The hidden costs of an attack include customer turnover and lost contracts, which (unlike direct breach costs) are often not covered by insurance. Indirect losses can thus multiply the impact: over two-thirds of attacked small businesses suffer long-term setbacks to growth or market opportunities.

Regulatory and legal consequences

SMEs must also consider legal risks. Under UK data protection law (the UK GDPR), businesses that suffer a personal data breach must report it to the Information Commissioner’s Office (ICO) within 72 hours if it risks individuals’ rights. Late or missing reports can lead to enforcement action. In fact, the Hiscox report found that about one-third of surveyed SMEs faced substantial regulatory fines after a cyber incident.

Even if no fine is levied, there may be costs for legal advice, customer notifications and litigation. Payment diversion fraud – where invoices are intercepted and diverted – is another legal headache. If attackers trick a business into paying a fake vendor account, the company could lose large sums and face difficulty recovering funds. Regulatory fines and penalties (for example, from the ICO or sector regulators) can far exceed the direct repair costs of a breach, making compliance and reporting critical.

Knock-on effects of cyber attacks

Cyber attacks on larger companies often have a knock-on effect on the companies below them: it might not even be your company that is hacked, it could be your clients. As a BBC article described it, the “pyramid of suppliers” comes tumbling down, as larger firms close operations or pause for long periods of time while they deal with the attack. This can leave businesses underneath them scrambling to plug cash flow gaps.

What to do if your business is hacked?

If an attack strikes, a quick, organised response is vital.

Recognise and contain

Shut down affected systems or disconnect them from the network to stop further damage. Notify your IT team or external provider at once. If you have a cyber incident response or business continuity plan (ideally established before any attack), put it into action. Keep staff informed about what is happening and what they should do – for instance, whether they should refrain from logging into potentially compromised systems.

Notify the right parties

If your data is at risk, inform the ICO as soon as possible (within 72 hours if you can), as GDPR law demands. You should also inform affected customers and suppliers if their data or service is implicated. Alert the police too; in the UK, the initial point of contact for cases involving cybercrime is Action Fraud. If you are currently under attack or heavily targeted, call the Action Fraud hotline urgently on 0300 123 2040. Take precise notes on what happened and when, as this will give police, insurers and information security experts clarity on the breach.

Investigate and recover

Recruit cybersecurity experts (internal or external) to investigate the breach. They will try to eradicate malware, fix vulnerabilities and restore systems from backups securely. Only resume normal activity when you are assured the threat is gone.

At the same time, check your insurance: if you have a cyber-insurance policy, notify your broker and initiate the claims process. Cyber-insurance can be used to pay for incident response, ransom in limited cases, and compensation to affected parties. If you don’t have cyber-insurance, consider it in the future – it can be a lifesaver for recovering SMEs after an attack.

Provide updates

Keep all parties informed (staff, customers, partners) about progress towards recovery, as well as the proactive steps being taken. Carry out a detailed assessment after the crisis. Identify what went wrong: was it a phishing email, a weak password, or outdated software? Use this review to reinforce defences in the future.

Avoiding further attacks

Aside from responding to a single incident, SME owners need solid cyber hygiene to mitigate risk.

Keep systems up to date

Install security updates on programs and operating systems regularly. Enable firewalls and anti-malware protection – these elementary controls can handle the majority of attacks. In 2024, around 75% of UK businesses used network firewalls and 83% had up-to-date malware protection, as shown by the Cyber Security Breaches Survey 2024.

Educate staff

Because the number one attack vector is phishing (84% of breaches involve an initial spam/phishing email), employees should be vigilant about unusual-looking attachments or password demands. Even general awareness (checking the email’s sender, not following strange links) can prevent many breaches. Phishing training or periodic phishing simulations can make vigilance second nature in the workplace.

Backup your data

Make secure offline or cloud backups of all vital files. In the case of ransomware attacks, you can restore without paying criminals. It is recommended by the National Cyber Security Centre (NCSC) that businesses maintain a minimum of one backup off-site and regularly test that it works.

Restrict administrative privileges

Don’t let all users have full admin access – limit it to IT personnel. This reduces the chance that malware or an intruder can change system settings. Organisations that restrict admin rights have lower breach rates.

Develop a response plan

Establish a clear incident response procedure before an attack happens. Assign roles (who calls the police, who contacts IT, who communicates to customers, etc.), and review the plan regularly. Even a simple checklist ensures you act fast and don’t forget steps under pressure.

Consider cyber insurance

As shown, cyber policies can provide reimbursement for financial losses and specialist services after a data breach. In 2024, over 60% of medium UK businesses said that they had cyber insurance, and uptake continues to grow.

Keep up to date

The NCSC and national body publications provide small businesses with free advice. Following this guidance, such as the NCSC’s “10 Steps to Cyber Security”, can significantly enhance resilience.

Emphasising the importance of cyber hygiene

Cyber attacks on SMEs are no longer rare. They can be devastating financially and operationally, but owners who invest in good cyber hygiene and plan ahead greatly reduce their risk. By understanding the threats, preparing a response, and acting swiftly if hacked, small businesses can protect themselves – ensuring that a cyber incident is a setback, not an end.