
What does good cyber security look like for SMEs?

  • Writer: Innovec
  • Apr 23
  • 2 min read

We have found that 43% of UK businesses experienced a breach or attack in the past 12 months.


[Image: "More than 50% of Scottish SMEs 'vulnerable' to cyber-attacks" (Silvercloud 2025)]

For small and medium-sized businesses, the consequences of getting it wrong are serious, and the question most owners are sitting with is not really "could this happen to us?" It is "are we doing enough, and how would we know?"


Good cyber security for an SME is not about having every tool on the market.


It is about having the right layers in place: enforced MFA, tested backups in at least two locations, mail filtering, endpoint protection that goes beyond standard antivirus, and a basic plan for when something goes wrong. None of that technically requires a dedicated IT team, but all of it requires consistent management, because gaps will appear and are usually only discovered after an incident.


Part of the problem for a lot of growing businesses is that cyber security tends to sit low on the agenda until something goes wrong. The data reflects that.


Extent to which cyber security is seen as a high or low priority for directors, trustees, and other senior managers

Organisation | % Very High | % Fairly High | % Fairly Low | % Very Low | % Don’t Know
Businesses   | 34          | 38            | 19           | 8          | 1
Charities    | 32          | 35            | 20           | 11         | 1

Over a quarter of businesses consider it a low or very low priority. That figure is hard to reconcile with the scale of the risk.


What most small businesses have in place

Most SMEs have made a start. MFA and automated backups are now fairly common, but the picture gets patchier beyond those basics.

Security measure                        | Typical SME adoption
Multi-factor authentication (MFA)       | ~67%
Automated data backups                  | ~62%
Encrypted storage and transmission      | ~43%
Endpoint detection and response (EDR)   | ~40%
Formal ransomware response policy       | ~12%

Source: Scottish SME Cyber Security Survey, April 2026


The measures in the table above all protect your systems. What they cannot fully protect is your people, and that is where most attacks find a way in.


Why phishing still works

Among businesses that experienced a cyber incident last year, 85% identified phishing as the root cause. Not a sophisticated technical exploit, not a firewall failure. Someone clicked something they should not have.


AI has made this significantly worse. Phishing emails are now generated at mass scale, personalised, and convincing in a way they simply were not two years ago. New variants emerge faster than training alone can keep up with, which is why awareness training, while genuinely valuable and one of the lowest-cost interventions available, is not sufficient on its own.


The problem with phishing is that it targets behaviour, and behaviour is hard to make consistent. EDR addresses the gap that human error leaves open. Unlike traditional antivirus, which depends on recognising a threat in advance, it watches how your systems are actually behaving in real time, so it can flag and contain unfamiliar activity before it spreads, even when nobody spotted the threat beforehand. For a business without a dedicated security team, it is the closest thing to having eyes on your network around the clock, provided someone is monitoring and acting on its alerts.



Talk to us

If you are not sure whether your current setup is adequate, get in touch. Reach us at hello@innovec.co.uk or on 01292 427 420.
