Cyber Security – Are You a Target?

In the UK today, the question for businesses is increasingly not whether you might be attacked — but when. While headlines tend to focus on large organisations, smaller companies are often just as exposed.

 

Big-name attacks: reminders that no one is immune

Consider the case of Marks & Spencer (M&S). In April 2025, the retailer suffered a major cyber-incident: hackers gained access via a third-party vendor and deployed ransomware, forcing the shutdown of online orders and leaving shelves empty in some stores.

The cost? Estimates suggest up to £300 million in operating profit losses for the year.

 

Small and medium firms: you are at risk too

A common myth is that only large corporations are targets. In fact, smaller businesses are increasingly in the firing line.

  • Studies suggest that the UK’s small businesses face a cyber attack every 19 seconds.
  • Over the last five years, UK businesses lost an estimated £44 billion to cyber-crime.
  • And a government survey found only 83% of small businesses (and 91% of medium‐sized ones) say cyber-security is a high priority — meaning many may still be under-prepared.

In short: your size does not guarantee your safety — indeed, smaller organisations can be “sweet spot” targets, seen as less defended or easier to compromise via supply‐chain links.

 

Automated attacks: how the bad guys work

Cyber-criminals increasingly rely on automation and scale, meaning you don’t need to be “famous” to be attacked. Some common automated threats include:

  • Phishing campaigns: emails sent at scale and designed to trick users into clicking links or entering credentials, after which attackers move laterally inside networks.
  • Brute-force or credential-stuffing attacks: automation is used to try many username/password combinations, often exploiting reused credentials.
  • Automated scanning & exploitation tools: bots scan for exposed services (weak RDP, outdated software, open ports) and exploit known vulnerabilities automatically.
  • Ransomware as a Service (RaaS): ransomware operators supply automation, kits and ransom-encryption tools to less-skilled actors who carry out widespread attacks.
  • Supply-chain / third-party vendor attacks: automated scripts probe vendor networks, then pivot into connected clients. The M&S incident came via a third-party vendor that had been socially engineered.

Because many of these attacks are automated, they don’t always require the attacker to pick on you specifically — rather your business may simply be one of thousands scanned and probed.

 

Why smaller firms can be vulnerable

  • You may have fewer dedicated IT/security resources, making detection slower and response weaker.
  • Smaller budgets or legacy systems can leave you with unpatched software, missing multi-factor authentication (MFA), weak asset management or less monitoring.
  • You may be connected via supply-chains or service-providers to larger organisations: if your vendor is compromised, you might be exposed.
  • Automated attacks lower the barrier to entry for attackers — meaning the cost to them is low, so many targets are tried.

 

What to do: key steps to reduce risk

Here are some practical steps your business can take:

  • Ensure you have MFA enabled for all remote access, administrative accounts and critical systems.
  • Patch and update software regularly — ensure critical systems are not left with known vulnerabilities.
  • Review your vendor/third-party relationships: assess how they access your systems, what their cyber-posture is, and ensure you have clear controls.
  • Backup and recovery plan: automate backups, test restoration, and ensure backups are isolated (so they cannot be encrypted by ransomware).
  • Monitor logs & detect anomalies: set up alerts for unusual behaviour (logins at odd times, suspicious network flows).
  • Cyber-security awareness training: help users recognise phishing, social-engineering attempts and unauthorised access.
  • Incident response planning: have a documented plan for breaches, and know who is responsible, how communications will happen and how you’ll recover.
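
To make the log-monitoring step concrete, here is an added example (not part of the original article) in Python that separates credential stuffing from brute force and flags out-of-hours logins in one batch of authentication events. The log format, thresholds, working hours and all names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data); IPs are documentation ranges.
SAMPLE_LOG = """\
2025-05-03T09:02:11 OK   user=alice src=192.0.2.10
2025-05-03T10:15:00 FAIL user=bob src=198.51.100.23
2025-05-03T10:15:02 FAIL user=carol src=198.51.100.23
2025-05-03T10:15:03 FAIL user=dave src=198.51.100.23
2025-05-03T10:15:05 FAIL user=erin src=198.51.100.23
2025-05-03T10:15:06 OK   user=frank src=198.51.100.23
2025-05-03T11:30:00 FAIL user=admin src=203.0.113.7
2025-05-03T11:30:01 FAIL user=admin src=203.0.113.7
2025-05-03T11:30:02 FAIL user=admin src=203.0.113.7
2025-05-03T11:30:03 FAIL user=admin src=203.0.113.7
2025-05-03T11:30:04 FAIL user=admin src=203.0.113.7
2025-05-04T03:12:45 OK   user=alice src=192.0.2.10
"""

BUSINESS_HOURS = range(7, 20)  # assumed working day, 07:00-19:59
STUFFING_USERS = 4             # assumed: distinct accounts failed from one source
GUESS_LIMIT = 5                # assumed: failed attempts from one source

def detect(log_text):
    """Return a set of (alert, subject, source_ip) for one batch (e.g. one hour) of events."""
    failed = defaultdict(list)  # source IP -> usernames that failed so far
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        user, src = user.split("=", 1)[1], src.split("=", 1)[1]
        if result == "FAIL":
            failed[src].append(user)
            continue
        # Successful login: check the time of day and what this source did earlier.
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            alerts.add(("odd_hours_login", user, src))
        if len(set(failed.get(src, []))) >= STUFFING_USERS:
            alerts.add(("login_after_stuffing", user, src))  # account to reset first
    for src, users in failed.items():
        if len(set(users)) >= STUFFING_USERS:    # one source, many accounts
            alerts.add(("credential_stuffing", f"{len(set(users))} accounts", src))
        elif len(users) >= GUESS_LIMIT:          # one source, repeated guesses
            alerts.add(("brute_force", max(set(users), key=users.count), src))
    return alerts

if __name__ == "__main__":
    for alert in sorted(detect(SAMPLE_LOG)):
        print(alert)
```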

 

Why choosing the right MSP matters

You need an MSP partner who:

  • Understands the threat landscape in the UK: sector-specific and SME-focused.
  • Provides proactive monitoring, not just reactive fixes.
  • Takes supply-chain risks seriously (vendor-access, third-party) and helps you build resilient systems.
  • Has experience with compliance and frameworks (such as Cyber Essentials) to build security-by-design.

 

Conclusion

Whether you’re a local trades business, a mid-sized firm or a large enterprise, the risk is real: automation, supply-chain vulnerabilities and skilled cyber-actors mean that no one is off the radar. The big names like Marks & Spencer show what’s possible — but you don’t need to be headline news to suffer significant disruption. Acting early, investing in proper controls and choosing the right security partner can make the difference between a manageable incident and a catastrophic one.

 

If you’d like help assessing your cyber-security, building resilience or working towards certification like Cyber Essentials, we’re here to help.