The Massive Lie That’s Killing UK Businesses: Cybersecurity is NOT Just an Enterprise Problem

When six out of ten UK small businesses don’t survive a cyberattack, we’re not talking about a theoretical risk. We’re talking about a survival issue.

And yet, most boards still cling to a dangerous misconception: that cybersecurity is primarily an enterprise problem. Something for banks, government, and multinationals. Not for a regional law firm, a local retailer, or a small manufacturing firm.

It’s a lie. And it’s killing British businesses every single day.

The Statistics That Should Keep Every Director Awake at Night

  • 60% of small businesses close within six months of a cyberattack.

  • 96% of attacks are aimed at small and medium-sized businesses, not large corporates.

These aren’t abstract figures. They are the cold reality facing SMEs across the UK.

Attackers don’t care about your balance sheet. They care about how easy you are to compromise. Most intrusions are opportunistic: automated scanning and mass phishing find whoever is weakest, not whoever is richest. If you run a small business with outdated systems, no proper patch management and minimal training, you are the easiest target in the room.

Cybersecurity as a Business Risk, Not an IT Problem

Here’s the uncomfortable truth: cybersecurity is no longer something to delegate to “the IT team.” It is a board-level responsibility.

Just as directors are responsible for financial governance and health and safety, they are responsible for ensuring the organisation is resilient against cyber threats. Regulators and insurers already treat it this way. Increasingly, so do courts.

Every breach is more than a technical incident. It’s a business crisis that can:

  • Shut down operations for weeks.

  • Trigger data protection investigations and fines.

  • Cause reputational collapse with clients.

  • Lead to contract terminations and litigation.

This is why cybersecurity belongs in the boardroom. Not buried in the IT department.

Real-World Examples: It’s Happening Here, Not “Over There”

Think of Carpetright. Once a household name, it collapsed in the wake of a cyberattack. Or the recent breaches at Marks & Spencer, Co-op, and Harrods. These are not “tech companies”. They are retail brands, every bit as dependent on IT systems as any law firm or accountancy practice.

The difference? A multinational can take the hit, hire lawyers, and absorb the reputational blow. For smaller firms, one breach can mean the end of the business.

This isn’t scaremongering. It’s case history.

The Managed Service Provider Problem

Many small businesses assume their IT provider has this handled. Unfortunately, far too often, that confidence is misplaced.

There are excellent MSPs out there. But there are also “cheap and cheerful” providers who are effectively malpractice in motion. They may:

  • Fail to patch critical systems on time.

  • Leave remote access (RDP, VPN appliances, remote support tools) exposed to the internet, often without multi-factor authentication.

  • Use weak backup strategies: backups that are never test-restored, or that sit on the same network as the systems they protect, where ransomware encrypts them too.

  • Provide glossy reports without substance.

The result? A false sense of security.

If your IT provider cannot demonstrate Cyber Essentials Plus (CE+) certification and cannot show you real-time compliance reporting, you are exposed. Cyber Essentials is a self-assessed questionnaire against five control areas (firewalls, secure configuration, user access control, malware protection, and security update management); the Plus level adds an independent technical audit of those controls. Certification isn’t bureaucracy. It’s the minimum bar for competence.
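You do not have to take a provider’s dashboard on trust. The script below is an added example, not part of this article and not a tool from Equate Group or any certification body: run it in an elevated PowerShell session on one of your own Windows machines and it reports on two of the failure modes listed above, late patching and exposed Remote Desktop. The 14-day threshold, the function names and the “Remote Desktop” firewall group name are assumptions for the example (the group name varies by Windows language); adjust them to your own policy.

```powershell
# Added example: one-host self-check for late patching and exposed RDP.
# Assumptions: Windows 10/11 or Server, run as administrator, English locale
# (the firewall display group is named 'Remote Desktop'). Function names are
# invented for this example; the 14-day limit mirrors Cyber Essentials' window
# for critical/high security updates.

function Test-PatchAge {
    param([int]$MaxDays = 14)   # assumption: 14-day patch window
    # Get-HotFix lists installed Windows updates with their install date.
    $newest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $newest) {
        return "PATCHING: Get-HotFix returned no dated updates; check Windows Update history manually."
    }
    $age = (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days
    if ($age -gt $MaxDays) {
        return "PATCHING: newest installed update ($($newest.HotFixID)) is $age days old, over the $MaxDays-day limit."
    }
    return $null
}

function Test-PendingUpdates {
    # Ask the Windows Update agent (COM API) which software updates are still missing.
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
        if ($pending.Count -gt 0) {
            $titles = ($pending | ForEach-Object { $_.Title }) -join '; '
            return "PATCHING: $($pending.Count) update(s) still missing: $titles"
        }
    } catch {
        return "PATCHING: could not query Windows Update ($($_.Exception.Message)); verify patch status another way."
    }
    return $null
}

function Test-RemoteDesktopExposure {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    # fDenyTSConnections = 0 means Remote Desktop is switched on.
    if (-not ($ts.fDenyTSConnections -eq 0)) { return $null }
    $issues = @()
    # UserAuthentication = 1 means Network Level Authentication is required before logon.
    if ($tcp.UserAuthentication -ne 1) {
        $issues += "RDP is enabled without Network Level Authentication"
    }
    # An enabled Remote Desktop firewall rule on the Public profile (or Any) opens
    # the listener to networks the machine does not trust.
    $publicRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.Profile -match 'Public|Any' }
    if ($publicRules) {
        $names = ($publicRules.DisplayName | Select-Object -Unique) -join ', '
        $issues += "RDP firewall rule(s) enabled on the Public profile: $names"
    }
    if ($issues) { return "REMOTE ACCESS: " + ($issues -join '; ') }
    return $null
}

function Invoke-MspBaselineCheck {
    $findings = @(Test-PatchAge; Test-PendingUpdates; Test-RemoteDesktopExposure) | Where-Object { $_ }
    if ($findings) { $findings } else { "No findings: patching current and RDP not exposed on this host." }
}

Invoke-MspBaselineCheck
```

Run it on a handful of machines and compare the output with what the provider’s report says about the same hosts; a gap is your evidence. A public-profile RDP rule on a laptop is not the same as RDP forwarded through the office router, so follow this with an external port scan of your public IP. Backups cannot be checked by a script of this kind: the only meaningful test is restoring a file from last night’s backup and opening it.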

The Economics of Prevention

There is a persistent myth that good security is unaffordable for small businesses. The reality is the opposite.

The cost of implementing basic, proven controls is trivial compared to the cost of a breach.

  • Cyber Essentials certification starts from a few hundred pounds.

  • Endpoint Detection and Response (EDR) is often cheaper than the insurance premium rise after a breach.

  • Regular training and phishing simulations cost less than a single lost client.

Contrast that with the tens of thousands of pounds in recovery costs, fines, and lost revenue after an attack. Prevention isn’t expensive. Neglect is.

Supply Chain: You’re a Target Because of Who You Serve

Even if you believe your data isn’t valuable, your connections are.

Attackers increasingly use small businesses as stepping stones into larger organisations. Law firms hold sensitive client data. Independent financial advisers (IFAs) hold financial data. Schools and colleges hold personal records. Attackers know that breaching you is often easier than breaching your larger partners, and that a trusted email account or VPN credential belonging to a supplier walks straight through defences built to stop strangers.

Which means, whether you like it or not, you are part of your clients’ and partners’ security posture. Fail there, and you risk losing more than your own systems. You risk losing every contract.

The Human Layer

Technology isn’t the only weak point. People are.

Directors authorise payments. Staff click on phishing links. Poor password practices are endemic. The human layer is where many attacks succeed, because criminals know it’s easier to fool someone than to beat a firewall.

This is why training must be regular, engaging, and mandatory. Not once a year. Not optional. Cybersecurity awareness is as essential as fire drills.

Practical Steps for Directors

What does this mean in practice for the board?

  1. Treat cyber risk as business risk. Discuss it at board level.

  2. Insist on Cyber Essentials or Cyber Essentials Plus. Make it a baseline.

  3. Demand transparency from your IT provider. Ask for compliance dashboards and reporting.

  4. Mandate staff training and testing. Build security into culture.

  5. Invest in incident response planning. Know what you will do when an attack happens: who is called, which systems get isolated, where the offline backups are, and who decides whether a personal data breach must be reported to the ICO within the 72-hour window.

These are not technical items. They are governance responsibilities.

The Takeaway

Cybersecurity is not just an enterprise problem. It never was.

The majority of attacks target small businesses precisely because they are perceived as weaker. The majority of victims never recover. The majority of boards only act after a crisis, when the cost is at its highest.

For directors and business leaders, the message is clear: cybersecurity is survival. Not a technical extra. Not something to “delegate and forget.”

The lie that cybersecurity only matters to large organisations is costing small businesses their existence. Don’t let yours be next.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com