Why SME Boardrooms Can No Longer Treat Cyber Risk as a Back-Office Issue

By Greg Bell, CEO, Skipton Business Finance


In recent months, the headlines have been dominated by cyberattacks on household names - the likes of Marks & Spencer, the Co-op, Harrods and Jaguar Land Rover. These are red flags for UK plc as a whole, but they must also ring alarm bells in every SME’s boardroom.

When a global carmaker halts production or a major retailer suspends online trading, it’s easy to think “that’s not me.” Yet the very tactics swirling around those high-profile hacks are the same ones that silently target small and medium businesses every single day. The difference is that larger firms often have deeper reserves and expert teams to absorb the blow. SMEs frequently do not.

The current environment demands a shift in mindset. Cybersecurity must move from being an IT issue to a critical strategic challenge. As the CEO of a finance business working closely with SMEs, I believe we need to move beyond complacency. SMEs must embrace a mindset of resilience, adopt layered protections, and ensure their board, leadership, and staff are ready.

The threat landscape is shifting fast

Recent attacks show the scale and boldness of adversaries:

  • Jaguar Land Rover, one of the UK’s iconic manufacturers, had to pause global operations for weeks following a cyber intrusion.
  • Marks & Spencer was forced to shut down its online store for over six weeks, and confirmed that hackers accessed some customer data.
  • Co-op also suffered serious disruption to systems and retail operations. 

These attacks are more than PR nightmares: they ripple through supply chains, cause cashflow stress for suppliers, and shake confidence across sectors. In the case of JLR, the ripple effects reached deep into its supplier base, some of which are SMEs themselves.

Meanwhile, official surveys confirm what business people feel in their bones: cyber incidents are rising, and SMEs are being targeted.

  • The UK Government’s Cyber Security Breaches Survey 2025 shows 43 % of businesses experienced some form of breach in the past year.
  • BT (in partnership with Be the Business) reports that 42 % of small UK businesses (micro and small) reported a cyber-attack, and that the average cost of a serious breach is £7,960.
  • Many SMEs still lack basic staff training or formal security policies.
  • Experts warn that the most common weapon remains social engineering, such as phishing, helpdesk impersonation, MFA fatigue and voice scams: attacks that exploit human trust rather than brute force.

In short: if you can send a staff email, host client data, or connect to third-party vendors, you are in the line of fire.

Why SMEs are particularly vulnerable

There are several reasons SMEs are especially exposed:

  1. Lean budgets, fewer experts
    Many SMEs lack in-house cybersecurity specialists. IT support is often a generalist. Cyber defence may be seen as a cost centre rather than a strategic investment.
  2. Weaker hygiene, outdated practices
    Patch cycles lag, multi-factor authentication (MFA) is not enforced, and backup regimes are inconsistent. Attackers know to probe for these gaps first.
  3. Supply chain exposure
    SMEs often interface with larger clients or partners, and those links can become attack vectors. A hacker may compromise a small supplier and use it as a beachhead to reach bigger targets.
  4. Human factor risk
    Social engineering is tailor-made for smaller firms where roles overlap, oversight is light, and employees feel pressure. Attackers are adapting with advanced phishing, voice/social media lures, and impersonation.
  5. Reputational & financial fragility
    A breach could cost significantly more than technology remediation: loss of customers, regulatory penalties, inability to trade, or collapse of trust. For many SMEs, there is less cushion to absorb chaos.

So, what should SMEs do differently, and do now?

Building a defence framework that scales

Here are six core steps I believe every SME, regardless of size, must consider as an urgent, phased strategic effort.

1. Elevate cyber risk into the boardroom

Cyber risk should be treated like any financial, operational, or reputational risk. Leaders must ask: Do we have a security roadmap? Are we monitoring metrics (e.g. number of incidents, phishing click rate, patch lag)? Is someone accountable? Making cybersecurity part of governance changes the tone.

2. Focus on basic cyber hygiene first

You don’t need to build a fortress overnight. Start with essentials:

  • Enforce MFA/2FA on all sensitive systems
  • Apply patches promptly (operating systems, firmware, applications)
  • Lock down admin accounts, limit privileges
  • Use endpoint protection, firewall, intrusion detection
  • Ensure regular, tested backups, stored offline or immutable
  • Segregate networks (guest, operations, administrative)

The National Cyber Security Centre (NCSC) offers guidance aimed at smaller organisations on implementing these fundamentals. 

3. Train, test, and retain awareness

Even the best tech fails if staff are tricked. Build a programme of:

  • Mandatory quarterly phishing training
  • Simulated phishing exercises
  • Clear policies on password use, device usage, external access
  • Incident-response rehearsals (tabletop exercises)
  • A culture that encourages reporting of suspected anomalies without blame

Over time, your “human firewall” becomes a frontline defence rather than a weakest link.

4. Penetration testing, red teaming & audits

Regular external reviews, even by smaller boutique security firms, can uncover hidden vulnerabilities. For critical systems or sensitive data, a red team exercise (ethical hacking) can show how far an attacker could penetrate.

5. Prepare an incident response & recovery plan

Containment, communication, and continuity matter. A robust plan should include:

  • Defined roles (who will lead, who notifies, who recovers)
  • Isolation protocols (how to segment networks)
  • Communication templates (for customers, regulators, press)
  • Backup restoration procedures
  • Legal and forensic support
  • Insurance (cyber liability)

If a breach happens, the speed and clarity of response can determine whether it becomes a crisis or a managed event.

6. Treat suppliers and third parties as potential threats

Vetting, auditing, and contractually enforcing security standards of your vendors is essential. Consider “zero trust” architectures: don’t implicitly trust any connection, internal or external. Monitor vendor activity and be ready to sever access if anomalies arise.

The business upside of being cyber resilient

Many SMEs see cybersecurity as a cost, but I see it as an enabler:

  • Competitive advantage: Clients (especially in regulated sectors) increasingly vet vendors for security posture. Being able to show maturity is a differentiator.
  • Trust & brand protection: Losing customer data undermines trust, which is harder to fix than systems.
  • Financial control: The cost of an incident often dwarfs the investment in prevention.
  • Growth readiness: As businesses scale or seek partnerships, investors and larger firms will demand evidence of cyber maturity.

Urgency, not risk avoidance

For many SMEs, the window to act is now. The cyber threat curve is steep, and adversaries are evolving quickly, often leveraging AI, automation, and modular attack kits that reduce barriers to entry.

To SME leaders, here is what I encourage:

  1. Commit: Include cyber resilience in your business plan, budgeting, and board oversight.
  2. Audit: Conduct a gap analysis. Where are we weak?
  3. Prioritise: Don’t try to fix everything at once; implement the fundamentals first.
  4. Partner: Engage external expertise (cyber consultancies, MSSPs). Many are now offering SME-friendly packages.
  5. Train & embed: Make security awareness part of onboarding and ongoing culture.
  6. Review constantly: Cyber threats evolve and your defences must too.

At Skipton Business Finance, we view this as part of the fiduciary duty we owe to clients and partners. We frequently ask our clients whether their systems, data, and customer information would stand up to a determined adversary. For many, the honest answer is: “I don’t know.” That is no longer acceptable.

Let the lessons of JLR, M&S, Co-op and others be a catalyst, not just a warning. The small business sector is the backbone of our economy. Its resilience is national resilience.