60% of Small Businesses Don’t Survive Cyberattacks. Are You Listening Yet?
Let’s stop pretending for a second.
Sixty per cent of UK small businesses never reopen after a cyberattack. Not “struggle for a bit.” Not “take a while to recover.” Gone. Finished. Out of business.
And it’s not because hackers have some personal grudge against small firms. It’s because small businesses are easy targets. Easier than the big boys. Cheaper to exploit. And far more likely to pay up or collapse quietly without making the news.
Still think you’re too small to matter? Ask the last 60%.
The Comfortable Lie
Business owners love to tell themselves they’re invisible. That criminals are going after banks, government agencies, or giant retailers.
It’s comforting. It’s also rubbish.
Hackers aren’t handpicking victims. They’re running automated scans across the entire internet looking for weaknesses. That’s it. No drama. No Bond villain sitting in a lair deciding who to hit next. Just software running 24/7, testing firewalls and email servers until it finds a crack.
If your system is outdated, unpatched, or misconfigured, congratulations, you’ve just been selected.
It’s not about who you are. It’s about how sloppy your defences are.
What a Breach Really Looks Like
Let’s pull the curtain back. Here’s what happens when a “too small to hack” business gets nailed:
Day 1. Payroll stops working. The server won’t boot. Nobody can log in.
Day 2. Phones ring constantly. Clients can’t access their data. Staff panic.
Day 3. Someone finally reads the ransom note. The criminals want £30,000 in Bitcoin. Pay now or lose everything.
Day 7. The insurer says “claim denied” because MFA wasn’t in place.
Day 10. Clients start leaving. Regulators start asking questions.
Day 30. The directors are wondering how to explain the collapse to staff, customers, and creditors.
And by the six-month mark? Statistically, the business is probably gone.
The Cost Nobody Talks About
The money is brutal. A ransomware hit costs £25,000 to £100,000 just to recover systems. That’s before you even count lost revenue, ICO fines, or reputation damage.
But the real killer is trust. Once clients realise you lost their data, good luck getting them back. Nobody wants to gamble their finances, legal case, or child’s school record on a business that’s already been breached once.
Your competitors won’t sympathise either. They’ll scoop up your clients while you’re still dusting off the server room.
The MSP Mirage
Here’s where it gets ugly. A lot of small businesses think their Managed Service Provider (MSP) has them covered. After all, you’re paying a monthly fee for “security.”
Except what you often get is theatre. Glossy reports, buzzwords, and backups that wouldn’t survive a real-world disaster.
I’ve seen MSPs leave Remote Desktop wide open to the internet. I’ve seen five-year-old firewalls with factory settings still intact. I’ve seen backups stored on USB drives in someone’s drawer.
That’s not security. That’s malpractice.
If your MSP can’t pass Cyber Essentials Plus (CE+), they shouldn’t be looking after your systems. And if they tell you it’s unnecessary, what they mean is they’d fail it.
The Basics That Actually Work
Here’s the part nobody likes hearing: fixing this is neither expensive nor complicated.
The UK Government’s Cyber Essentials scheme is designed to stop the most common attacks. Do it properly, and you block 95% of what criminals throw at you.
That means:
Firewalls and routers configured and patched.
Strong passwords and MFA everywhere.
Secure configuration, not “default admin.”
EDR instead of consumer-grade antivirus.
Patch management so your systems aren’t running on Windows fossils.
Add in proper staff training — phishing tests, simulated attacks, practical awareness — and suddenly your biggest weakness becomes your strongest defence.
Supply Chain Roulette
Even if you’re convinced your business isn’t “valuable,” the companies you connect to probably are.
Small firms are favourite stepping stones into bigger ones. If hackers can’t get into the multinational, they’ll happily go through the local supplier.
That makes you a liability to your clients. And if you’re the reason they get breached, don’t expect them to forgive you. They’ll cut ties, and you’ll be the villain in their story.
You’re not just protecting yourself. You’re protecting everyone you’re connected to.
People: The Weakest Link
Let’s be blunt. Technology rarely fails first. People do.
The accounts clerk who reuses their cat’s name as a password.
The receptionist who opens a dodgy invoice attachment.
The director who authorises a fake bank transfer on their phone.
Hackers rely on this. They don’t need zero-days when they have human error.
If your staff aren’t trained, your business isn’t secure. Full stop.
Stop Waiting for the Breach
The most common phrase I hear from directors? “We’ll sort it next quarter.”
That’s music to a hacker’s ears.
Every month you delay patching or enabling MFA is another month you’re exposed. Every day you don’t train staff is another chance for someone to click the wrong link.
Cybercriminals aren’t waiting. They’re already scanning. They’re already knocking. The only question is whether your door is locked.
Final Word
Let’s bring this home.
96% of cyberattacks hit small businesses.
60% of those businesses never reopen.
That’s not fearmongering. That’s the reality of doing business in 2025.
You don’t get to decide whether you’re a target. That decision has already been made for you.
What you do get to decide is whether you’re an easy target or a hard one.
So stop telling yourself you’re too small to hack. Stop outsourcing responsibility to an MSP who can’t pass their own exams. Stop waiting for a breach to teach you a lesson you won’t survive.
Because denial isn’t a defence. And hope isn’t a strategy.