Infosecurity 2025: SMEs feel on their own in the face of cyber attacks
Small and medium-sized enterprises (SMEs) employ a staggering number of people in the UK, and are especially vulnerable to cyber attack, often feeling on their own.
In a session at this week’s Infosecurity Europe 2025 conference in London, Steven Furnell, professor of cyber security at Nottingham University, will relay the findings of a research project called CyCOS – cyber communities of support – a collaboration between Nottingham and Queen Mary and Kent Universities, supported by a wide range of partners including the Home Office, the National Cyber Security Centre, IASME, ISC2, CIISec and three regional Cyber Resilience Centres.
Basing themselves on figures from the Federation of Small Businesses, the CyCOS researchers say that 5.5 million SMEs constitute 99.9% of UK businesses, employing 60% of the workforce. Many outsource their security – 56%, according to the Cyber Security Breaches Survey of 2024.
The CyCOS project started in September 2023 and is due to end in February 2026. Its stated aim is to enhance the cyber resilience of SMEs through “cyber security communities of support”.
Its initial research effort took the form of a survey of 374 UK SMEs. It found that 23% had difficulty finding cyber security advice and support, 26% found such advice hard to understand, and 20% found it hard to put it into effect.
One CyCOS respondent said “it’s very difficult to find peers that have a similar mindset to your own of a similar size that then you can have dialogue with”.
The researchers also spoke to over 30 providers of advice. From these, they also elicited some verbatim feedback. One said: “Certainly with the SMEs, [engagement] is off the back of an incident. They’re really not very proactive, because, frankly, they’ve got other business pressures.” Another said: “What we’re truly seeing on the road is a very, very worrying low level of basic cyber hygiene.” A third said: “This idea of having some kind of bridge, where SMEs are able to find us, and likewise we can find them … being more collaborative with others, is something I wish was a bit better.”
Barrier to entry
In the session at Infosecurity Europe 2025, Furnell will say that while a wealth of information is potentially available to SMEs, even navigating the landscape can represent a barrier to entry. This has the clear potential to impact them, but it can also have a cascading impact on larger organisations where SMEs form part of their important supply chains, as they often do.
In a pre-conference interview with Computer Weekly, Furnell said SMEs “often thought they were very much alone in this. They didn’t have others that they could talk to, or at least without it costing them money.
“They recognise cyber security needs to be on their agenda and is on their radar,” he said. “But they’ve got constraints and challenges that prevent them from dealing with it. No big news here, but they don’t have the same level of resource in terms of time, expertise and money.”
The research project ends in February 2026. Furnell and his co-authors, Neeshe Khan, Maria Bada, Matthew Rand and Jason Nurse, are publishing a paper in Computers & Security, “investigating the experiences of providing cyber security support to small and medium-sized enterprises”.
In the paper, they conclude: “There is a vast amount of cyber security related content aimed at SMEs, and our findings reveal providers are playing an assistive role in the understanding, education and implementation of cyber security defences. Despite significant efforts being made, cyber hygiene among SMEs remains low, and they are unlikely to proactively reach out for support.
“Furthermore, SMEs have low knowledge levels and are hampered in their efforts due to comprehension, capability, attitudes and resources while providers face numerous internal and external challenges when delivering this support. Insights from data reveal a number of opportunities for improvement can be realised through the creation of security-focused communities that can provide support, collaboration and learning,” they say.
The practical goal of the CyCOS project is to help establish communities of support that could be based on geographical location, sector or position in vital supply chains, said Furnell.
“What we’re trying to do with the communities of support idea is bring SMEs and providers together to make it feel more like a peer community, particularly amongst the SMEs themselves,” he said.
“So, if they’re wanting to get advice from the horse’s mouth of somebody else who’s experienced an attack, they can ask an SME in their region, or perhaps in their sector or SMEs sitting in the same supply chain.”
Furnell is speaking alongside Stephen Bell, head of cyber crime prevention and victim support at the Home Office, Sapna Chadha, CEO at the Cyber Resilience Centre for London, and Amanda Finch, CEO at the Chartered Institute of Information Security, at Infosecurity Europe on Wednesday 4 June.