Is your SME prepared for a cyberattack?

Forbes recently revealed that hackers sell full cyber access to small businesses for as little as $600 on the dark web. The rise of AI-driven scams has made it easier for hackers to access company data, creating unprecedented concern for business owners. Here, Kristian Torode, Director and Co-Founder of Vodafone secure device manager provider Crystaline, provides tips on how small-to-medium businesses (SMEs) can enhance their cyber resilience.

When we think of cyberattacks, it’s easy to picture large corporations with vast amounts of sensitive data at stake. However, in 2024, Vodafone found that 35% of UK businesses targeted by cyberattacks were SMEs.

Smaller organisations are often perceived as easy targets because they tend to have smaller IT teams, limited cybersecurity budgets and are more likely to rely on legacy systems. What’s more, SMEs often work with larger companies, so breaching their systems can give hackers a way into bigger enterprises. This makes them a valuable, exploitable link in the supply chain.

The consequences of a cyberattack for an SME can be devastating. On average, a single attack costs an SME £3,398, considering the fallout from data loss, system downtime and reputational damage. So, what steps can SMEs take to protect themselves?

Prioritise data backups

In the first quarter of 2025, largely driven by advancements in AI, ransomware attacks surged by 132%. These attacks lock or encrypt business data, demanding a ransom for its release. While antivirus software can offer some protection, it’s not foolproof. To fully protect against such threats, SMEs must implement strong data backup and recovery plans.

SMEs should adopt the 3-2-1 backup rule. This involves keeping three copies of your data, storing them on two different types of media, and ensuring one copy is kept offsite. This strategy helps ensure quick recovery, even if primary data is compromised.

However, a backup system is only useful if it works when needed. Regularly testing backup and recovery plans is essential to ensure they function properly during a cyberattack. A solid backup strategy helps mitigate ransomware impacts, but it’s most effective when supported by a well-trained team ready to act swiftly.

Implement training

Human error remains one of the most significant vulnerabilities for SMEs. Vodafone’s report also states that 52% of UK SMEs haven’t provided cybersecurity training to their employees, leaving them exposed to unnecessary risks.

Regular training is crucial to help employees spot and respond to emerging threats. This training should cover recognising phishing emails, using multi-factor authentication and securely managing passwords. Employees should also be taught about social engineering tactics – like fake tech support calls or fraudulent invoices – that hackers often use to gain access to sensitive information.

In addition to training, SMEs should create a clear cybersecurity policy. A well-defined policy sets expectations company-wide, providing guidelines for safe data practices, incident response, and ongoing security measures. This helps ensure that all employees understand their role in protecting the business.

Since many employees access sensitive data on mobile devices, it’s also important to address mobile-specific risks. To further strengthen security, SMEs should combine training with tools like Mobile Device Management (MDM) software.

Leverage software

MDM software provides a comprehensive solution for managing and securing mobile devices, both company-issued and personal, within a company’s network.

It allows SMEs to enforce security policies such as strong passwords, device encryption and app usage restrictions, ensuring that only authorised users and secure apps can access company data. This adds an additional layer of protection beyond just employee training.

MDM also helps SMEs comply with industry security standards like ISO 27001 and GDPR, safeguarding sensitive data. This is particularly valuable for businesses with remote or hybrid workforces, where personal devices are often used. MDM also offers features like remote tracking and data wiping, helping to prevent unauthorised access in case a device is lost or stolen.

In today’s evolving threat landscape, SMEs must prioritise cybersecurity. By implementing strong data backups, providing regular employee training and using MDM software, businesses can boost resilience against cyberattacks. Proactively securing data and equipping staff with the right knowledge reduces risks and ensures better protection from emerging threats.