
What Busy SME Owners Miss About Cybersecurity

11 November 2025 by Climb Group

This year we conducted research looking at SME adoption of security.

We expected to hear founders talking about struggling with budget constraints and technical complexity, but what caught us off guard was simpler and more frustrating.

A lot of small firms didn't believe they were real targets for major threats. However, when we presented case studies and data showing ransomware attacks doubling year-on-year, we saw the lightbulb moment happen.

Then came the immediate response: "How do we afford this?"

The Real SME Cyber Problem

The real SME cyber problem in 2025 isn't "we can't afford the tech." It's "we don't actually run the tech we already bought."

The Detection Problem

Fewer UK businesses report detecting attacks this year. That sounds positive until you realise nationally significant incidents increased 50% and ransomware doubled.

SMEs aren't more secure. They're less likely to spot what's happening.

Meanwhile, 40% of business email compromise attempts now use AI-generated content. Attackers scrape LinkedIn and Companies House, feed it into language models, and produce emails referencing real purchase orders and customer names.

Traditional secure email gateways let these through because the writing is good and the domains look legitimate.

When AI Catches What Humans Trust

A 40-person engineering firm in Yorkshire nearly lost £19,000 to an AI-written payment scam in September 2025.

The attacker knew the finance director's name, their OEM customer, and referenced a real project with a real purchase order number. The email asked to fast-track payment to a new account because the customer had "rolled into the new quarter."

Classic fraud, but written so well it bypassed human suspicion.

What stopped it was an AI-powered email security tool the firm had switched on six months earlier. The tool learned normal email behaviour for that organisation, then scored every incoming message against that baseline.

It flagged three anomalies:

  • Unusual sender-recipient relationship
  • High-payment language with urgency
  • Style mismatch

The finance director got an inline warning, queried IT, and no payment was made.

The AI did the hard bit. The human simply approved the block.
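To make the "learn a baseline, then score every message against it" idea concrete, here is an added toy detector that reproduces the three checks the case study lists. It is illustrative code written for this article, not the vendor's product or Climb Group's own tooling: the email addresses, message bodies, keyword lists and the two-word style tolerance are all constructed assumptions, and a real product learns far richer features than words-per-sentence.

```python
"""Added example: learn normal email behaviour, then score incoming mail.
Not the vendor's product; addresses, bodies, keyword lists and thresholds
are constructed assumptions for illustration."""
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str


# Assumed keyword lists: a real tool would learn these rather than hard-code them.
PAYMENT_TERMS = ("payment", "bank details", "new account", "invoice", "transfer")
URGENCY_TERMS = ("urgent", "asap", "immediately", "fast-track", "today")


def avg_sentence_length(text: str) -> float:
    """Crude style feature: words per sentence."""
    words = re.findall(r"[A-Za-z']+", text)
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    return len(words) / max(len(sentences), 1)


class Baseline:
    """Learns who normally writes to whom, and how each sender domain writes."""

    def __init__(self) -> None:
        self.pairs: Counter = Counter()                    # (sender, recipient) -> count
        self.domain_style: defaultdict = defaultdict(list)  # domain -> [avg sentence len]

    def learn(self, history: list) -> None:
        for e in history:
            self.pairs[(e.sender, e.recipient)] += 1
            domain = e.sender.rsplit("@", 1)[-1]
            self.domain_style[domain].append(avg_sentence_length(e.body))

    def score(self, e: Email) -> list:
        """Return the anomaly labels that apply to one incoming message."""
        anomalies = []

        # 1. Has this exact sender ever written to this recipient before?
        if self.pairs[(e.sender, e.recipient)] == 0:
            anomalies.append("unusual sender-recipient relationship")

        # 2. Money talk combined with pressure to act now.
        text = f"{e.subject} {e.body}".lower()
        if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
            anomalies.append("high-payment language with urgency")

        # 3. Does the writing style fit what we have seen from this domain?
        #    Needs a few samples; the 2-word tolerance floor is an assumption.
        domain = e.sender.rsplit("@", 1)[-1]
        seen = self.domain_style.get(domain, [])
        if len(seen) >= 3:
            mean, sd = statistics.mean(seen), statistics.pstdev(seen)
            tolerance = max(2 * sd, 2.0)
            if abs(avg_sentence_length(e.body) - mean) > tolerance:
                anomalies.append("style mismatch")

        return anomalies


# Constructed sample traffic: three normal emails from a known customer contact.
HISTORY = [
    Email("jane@northern-oem.example", "finance@yorks-eng.example", "PO attached",
          "Hi Sam. Please find attached the PO for the bracket order. "
          "Let me know if anything is unclear. Thanks, Jane"),
    Email("jane@northern-oem.example", "finance@yorks-eng.example", "Next batch",
          "Hi Sam. The drawings for the next batch are attached. "
          "Can you confirm the lead time by Friday? Thanks, Jane"),
    Email("jane@northern-oem.example", "finance@yorks-eng.example", "Delivery",
          "Hi Sam. We received the delivery this morning. "
          "Everything checks out against the PO. Thanks, Jane"),
]

# Constructed scam: same customer domain, but a new mailbox, urgent money talk, and one long run-on.
SCAM = Email("accounts@northern-oem.example", "finance@yorks-eng.example",
             "Payment - new quarter",
             "Sam, as discussed with your team we have rolled into the new quarter "
             "so we need you to fast-track payment of the invoice to our new account "
             "and confirm today before the bank cut off.")

# Constructed benign follow-up in the usual style from the usual sender.
BENIGN = Email("jane@northern-oem.example", "finance@yorks-eng.example", "PO update",
               "Hi Sam. The revised PO is attached for the bracket order. "
               "Let me know if you need anything else. Thanks, Jane")


def demo() -> dict:
    baseline = Baseline()
    baseline.learn(HISTORY)
    return {"scam": baseline.score(SCAM), "benign": baseline.score(BENIGN)}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {flags or 'no anomalies'}")
```

Against this constructed history the scam trips all three checks and the benign follow-up trips none, which is the outcome the case study describes: the tool raises the warning, and the human only has to decide what to do with it.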

Quick Wins for SMEs

We then asked “the experts” what some quick wins for SMEs are, and here is what we got back:

The Configuration Gap

Most small firms already pay for Microsoft 365 or Google Workspace. Those subscriptions include:

  • multi-factor authentication
  • device controls
  • basic data loss prevention
  • logging
  • safe-linking

Properly switched on, those features would stop most attacks we see in breach surveys.

But in most SMEs, the secure defaults aren't enabled. Admin accounts have too much power. Staff can set up shadow SaaS. Nobody checks the logs.

The gap isn't money or even awareness. It's configuration and ownership.

Until someone in the business is clearly responsible for "we are actually using the security we already have," reports and toolkits don't change the risk.

Two Actions Under An Hour

First: Raise awareness with one behaviour change.

Pick the thing that would have stopped the last scam you saw. Usually it's:

  • "phone to confirm if bank details change"
  • "don't click password reset links in emails"

Run a 15-minute team session. Tell a real story. Show the actual email if you have one. End with "from now on we do this."

Point staff to the NCSC's Small Business Guide. It's short, plain English, and free.

Do 10 minutes once a month, not one hour once a year. Rotate themes:

  • invoices
  • passwords
  • AI-generated emails
  • data leaving the business

Second: Turn on multi-factor authentication for all email and admin accounts.

Nearly every serious attack on small firms starts with someone getting into Microsoft 365 or Google Workspace. MFA blocks the vast majority of those attempts.

Log into your admin centre. Go to security settings. Switch on MFA for:

  1. Admin accounts first
  2. Staff with access to finance or customer data
  3. Then everyone else

Choose the authenticator app over text codes.

If you're non-technical, ask your IT provider to do it this week. It's admin work, not strategy.

Finding The Help That Actually Helps

We're doing extensive work in this space to bridge the gap between SME cybersecurity challenges and practical solutions.

At Climb26, we're launching a dedicated Cyber Café featuring sessions from experts, founders and thought leaders who understand the SME reality. You'll find:

  • drop-in clinics for quick questions
  • masterclasses on specific threats
  • networking opportunities with others facing the same challenges

The goal is simple: make cybersecurity support as accessible as grabbing a coffee.

Choosing Your Timeline

You're not choosing between running the business and doing cyber.

You're choosing between doing a small, controlled bit now or doing a big, messy bit later when it's on someone else's timetable.

The quickest actions are genuinely quick:

  • Turning on MFA
  • Tightening who can approve payments
  • Telling staff to phone before changing bank details

All are under an hour total.

If you're flat out, you really can't afford:

  • Days of downtime
  • Customers being emailed from your account
  • Explaining to your accountant why £000s left the business

You don't have to become "the cyber person." Your job is to say: "We will do these three things this month."

Then point your IT provider at the NCSC guidance and let them do it.

The tools are already there. You're probably already paying for them. Someone just needs to switch them on.
