Infosecurity 2025: SMEs feel on their own in the face of cyber attacks

Project findings to be presented at Infosecurity Europe 2025 highlight vulnerability of SMEs to cyber attack

Small and medium-sized enterprises (SMEs) employ a staggering number of people in the UK, and are especially vulnerable to cyber attack, often feeling on their own.

In a session at this week’s Infosecurity Europe 2025 conference in London, Steven Furnell, professor of cyber security at Nottingham University, will relay the findings of a research project called CyCOS – cyber communities of support – a collaboration between Nottingham and Queen Mary and Kent Universities, supported by a variety of partners including the Home Office, the National Cyber Security Centre, IASME, ISC2, CIISec and three regional Cyber Resilience Centres.

Basing themselves on figures from the Federation of Small Businesses, the CyCOS researchers say 5.5 million SMEs constitute 99.9% of UK businesses, employing 60% of the workforce. Many outsource their security – 56%, according to the Cyber security breaches survey 2024.

The CyCOS project started in September 2023 and is due to finish in February 2026. Its stated aim is to enhance the cyber resilience of SMEs through “cyber security communities of support”.

Its initial research effort took the form of a survey of 374 UK SMEs. It found that 23% had difficulty finding cyber security advice and support, 26% found such advice hard to understand, and 20% found it hard to put it into effect.

One CyCOS respondent said “it’s very difficult to find peers that have a similar mindset to your own of a similar size that then you can have conversation with”.

The researchers also spoke to over 30 providers of advice, from whom they elicited some verbatim feedback. One said: “Certainly with the SMEs, [engagement] is off the back of an incident. They’re certainly not very proactive, because, frankly, they’ve got other business pressures.” Another said: “What we’re actually seeing on the street is a very, very worrying low level of basic cyber hygiene.” A third stated: “This idea of having some sort of bridge, where SMEs are able to find us, and likewise we can find them … being more collaborative with others, is something I wish was a bit better.”

Barrier to entry

In the session at Infosecurity Europe 2025, Furnell will say that while a wealth of information is potentially available to SMEs, even navigating the landscape can represent a barrier to entry. This has the clear potential to impact them, but it can also have a cascading impact on larger organisations where SMEs form part of their essential supply chains, as they often do.

In a pre-conference interview with Computer Weekly, Furnell said SMEs “sometimes thought they were very much alone in this. They didn’t have others that they could talk to, or at least without it costing them money.

“They recognise cyber security should be on their agenda and is on their radar,” he said. “But they’ve got constraints and challenges that prevent them from dealing with it. No big news here, but they don’t have the same level of resources in terms of time, expertise and money.”

The research project ends in February 2026. Furnell and his co-authors, Neeshe Khan, Maria Bada, Matthew Rand and Jason Nurse, are publishing a paper in Computers and Security, “Investigating the experiences of providing cyber security support to small and medium-sized enterprises”.

In the paper, they conclude: “There is a vast amount of cyber security related content aimed at SMEs, and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene amongst SMEs remains low, and they are unlikely to proactively reach out for support.

“Additionally, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes and resources whilst providers face numerous internal and external challenges when delivering this support. Insights from data reveal several opportunities for improvement can be realised through the creation of security-focused communities that can provide support, collaboration and learning,” they say.

The practical goal of the CyCOS project is to help establish communities of support that could be based on geographical location, sector or place in important supply chains, said Furnell.

“What we’re trying to do with the communities of support idea is bring SMEs and providers together to make it feel more like a peer community, particularly amongst the SMEs themselves,” he said.

“So, if they’re wanting to get advice from the horse’s mouth of somebody else who’s experienced an attack, they can ask an SME in their region, or perhaps in their sector or SMEs sitting in the same supply chain.”

Furnell is speaking alongside Stephen Bell, head of cyber crime prevention and victim support at the Home Office, Sapna Chadha, CEO at the Cyber Resilience Centre for London, and Amanda Finch, CEO at the Chartered Institute of Information Security, at Infosecurity Europe on Wednesday 4 June.
