60% of Small Businesses Die After Cyberattacks – Are You Next?
Did you know that 60% of UK small businesses shut down permanently within six months of a cyberattack? Sixty bloody per cent. Gone. Forever. That’s not a scare tactic, that’s the reality.
And here’s the other inconvenient truth: 96% of cyberattacks target small businesses. Not the giant banks, not the household brands with shiny SOC teams, but you. The hairdresser down the high street. The local solicitor. The regional accountants. The SME manufacturing widgets for someone bigger.
Still think you’re “too small to be hacked”? Think again.
This post is your wake-up call. If you run a small business and think cybersecurity is an IT problem, or worse, someone else’s problem, you’re lining up to be part of that 60%.
The Lie That’s Killing UK Small Businesses
Here’s the lie: “Cybersecurity is primarily an enterprise problem.”
It’s bullshit. The sort of thinking that keeps accountants, IFAs, schools, manufacturers, and law firms locked in outdated systems and ticking “yes” on compliance forms without ever facing reality.
Attackers don’t care about your turnover or how many staff you have. They care about two things:
Ease of entry.
Potential value of your data.
And SMBs are a perfect combination of low defences and high-value information.
That “free” WiFi router you’ve never patched? That’s their open front door. The ten-year-old server running unsupported Windows? That’s the welcome mat.
Real Costs: Not Just IT Bills
Let’s put this in business terms, not tech jargon.
A single ransomware incident can cost a UK small business £25,000 to £100,000 in immediate recovery. That’s before reputational damage, customer loss, fines, and regulatory fallout.
Carpetright, once a household name, went under in 2023 after a cyberattack they couldn’t financially recover from. They weren’t a global bank. They were retail. Just like M&S, Co-op, and Harrods, all of which have been in the headlines this year for being breached.
But here’s the key difference: those giants had reserves and lawyers. You don’t.
When your customer database is plastered across the dark web and your phones are dead, your choices are stark:
Pay the ransom and hope criminals are honest (spoiler: they’re not).
Rebuild from scratch and bleed cash while you’re offline.
Close the doors and tell your customers, “Sorry, we’re finished.”
The Myth of “My MSP Handles That”
Let’s talk about Managed Service Providers (MSPs).
Too many small businesses outsource IT to a so-called MSP who charges £20 a seat and promises “we’ll take care of everything.” Sounds great, right?
Except what you often get is:
Backups running to dusty USB drives.
Firewalls left in factory default settings.
Remote Desktop Protocol (RDP) wide open to the internet.
Compliance reports doctored for the board.
If your MSP doesn’t have Cyber Essentials Plus (CE+) certification, they’re a walking liability. And if they tell you certification “isn’t needed,” what they mean is “we can’t pass it.”
Cybersecurity is not checkbox theatre. It’s not a PDF you shove in a drawer. It’s real, continuous work. If your MSP isn’t proving their worth in audit-ready compliance dashboards, proper patch management, and proactive security training, you’re paying for theatre, not security.
The Free (and Cheap) Fixes That Block 95% of Attacks
Here’s the good news: cybersecurity doesn’t have to bankrupt you.
The UK Government’s Cyber Essentials scheme exists for exactly this reason. It’s defensive by design and has been proven to prevent over 95% of common attacks. Not “maybe,” not “if you’re lucky.” Proven.
The five core areas of Cyber Essentials:
Firewalls & routers — Properly configured, updated, and audited.
Secure configuration — Ditch the defaults, lock down systems.
Access control — Use MFA, strong passwords, and least privilege.
Malware protection — EDR, not just consumer-grade antivirus.
Patch management — Stop running end-of-life software like Windows 7 or Server 2012.
Combine those with mandatory security awareness training and phishing testing, and you’ve just raised the drawbridge against 95% of attackers.
Add in continuous compliance monitoring, and you’ll know instantly when something drifts out of line. No guesswork, no “we’ll check next quarter.”
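As an added illustration (not from the original post or any real monitoring product), here is what a minimal drift check against the five Cyber Essentials areas can look like: it audits two inventory snapshots and reports what fell out of line between them. The field names and host records are constructed for the example.

```python
# Added example: field names and sample hosts are constructed, not from a real tool.
EOL_OS = {"Windows 7", "Windows Server 2012"}   # end-of-life systems named in the post
RDP_PORT = 3389                                 # standard Remote Desktop port

def audit_host(h):
    """Return a set of (control area, issue) findings for one host record."""
    f = set()
    if h.get("firewall_default_config"):
        f.add(("Firewalls & routers", "factory default settings"))
    if RDP_PORT in h.get("internet_open_ports", []):
        f.add(("Firewalls & routers", "RDP open to the internet"))
    if h.get("default_credentials"):
        f.add(("Secure configuration", "default credentials in use"))
    if not h.get("mfa", False):
        f.add(("Access control", "MFA not enforced"))
    if not h.get("edr", False):
        f.add(("Malware protection", "no EDR agent"))
    if h.get("os") in EOL_OS:
        f.add(("Patch management", "end-of-life OS: " + h["os"]))
    return f

def audit(snapshot):
    """Findings for a whole inventory snapshot as {(host, area, issue), ...}."""
    return {(h["name"], area, issue) for h in snapshot for area, issue in audit_host(h)}

def drift(previous, current):
    """Compare two snapshots: what newly fell out of line, and what was fixed."""
    before, after = audit(previous), audit(current)
    return sorted(after - before), sorted(before - after)

# Constructed sample inventory: last week's snapshot and today's.
LAST_WEEK = [
    {"name": "fileserver", "os": "Windows Server 2012", "mfa": True, "edr": True,
     "internet_open_ports": []},
    {"name": "reception-pc", "os": "Windows 11", "mfa": True, "edr": True,
     "internet_open_ports": []},
]
TODAY = [
    {"name": "fileserver", "os": "Windows Server 2022", "mfa": True, "edr": True,
     "internet_open_ports": [3389]},
    {"name": "reception-pc", "os": "Windows 11", "mfa": True, "edr": False,
     "internet_open_ports": []},
]

if __name__ == "__main__":
    new, fixed = drift(LAST_WEEK, TODAY)
    for tag, rows in (("DRIFT", new), ("FIXED", fixed)):
        for host, area, issue in rows:
            print(f"{tag}  {host}: [{area}] {issue}")
```

In the sample, the server upgrade clears the end-of-life finding, but the same week introduces an exposed RDP port and a missing EDR agent, which a quarterly review would not surface until much later.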
Supply Chain: Why Hackers Love You
Even if you think your business isn’t a target, your clients are.
Hackers don’t need to storm the castle if they can walk in through the tradesman’s entrance. And for most supply chains, that entrance is the small business providing services to bigger fish.
That’s why schools, colleges, law firms, and finance firms are under constant assault. You hold data that connects to something more valuable. You’re the weak link in someone else’s chain.
And guess what? If you become the attack vector that takes down a bigger partner, you won’t just lose your own business. You’ll lose your reputation, your contracts, and possibly face legal liability.
The Human Factor: Still the Weakest Link
Technology can only go so far. The majority of breaches happen because someone, somewhere, clicked something they shouldn’t.
The accounts clerk who reuses their dog’s name as a password.
The receptionist who opens a dodgy invoice attachment.
The director who approves a fraudulent bank transfer from their phone on holiday.
Training is not optional. It’s not “once a year, tick the box.” It’s ongoing. Simulated phishing. Real-time feedback. Making security part of company culture, not an afterthought.
Wake Up Before You’re a Statistic
You don’t get to decide whether you’re a target. Criminals already made that decision for you.
What you do get to decide is whether you’re going to be an easy target or a hardened one.
If your plan is “hope it doesn’t happen to us,” you’re gambling with your livelihood. If your strategy is “our MSP said it’s fine,” you’re outsourcing responsibility, not risk.
The businesses that survive cyberattacks don’t get lucky. They prepare. They invest. They treat cybersecurity as a board-level risk, not an IT line item.
Final Thought
Sixty per cent of small businesses don’t survive a cyberattack. That’s not a statistic. That’s a death sentence for companies who thought they were too small to matter.
So the question isn’t “will you be attacked?” — it’s “what are you doing today to make sure you don’t join that 60%?”
Because once the breach happens, it’s too bloody late.