Recent cyberattacks on major UK retailers like Marks & Spencer (M&S), Co-op, and Harrods have sent shockwaves through businesses and consumers alike. If these retail giants – with their extensive resources and dedicated cybersecurity teams – can fall victim to such breaches, it’s understandable that you might feel vulnerable as an SME.
A cyber wakeup call
Back in April, M&S experienced a significant cyberattack. Hackers accessed customer data, and the financial repercussions were substantial, with M&S anticipating a cyber insurance claim of up to £100 million to cover losses and liabilities.
Similarly, a ransomware attack on the Co-op crippled its supply chain systems, leading to empty shelves across many stores. Customer and employee data were compromised, and the company had to implement emergency measures to restore operations.
The top cyber threats your SME faces
While large corporations make headlines, SMEs are increasingly targeted by cybercriminals. Our own research found that nearly half (49%) of UK SMEs with revenues between £2 million and £50 million have experienced a cyberattack in the past five years.
Phishing and social engineering
These attacks trick users into clicking harmful links or sharing sensitive info by posing as trusted contacts. And they’re getting more and more convincing, with criminals using targeted, sophisticated tactics to bypass defences.
Ransomware and malware
Malware is malicious software used to access, steal, or destroy data—often spread through dodgy downloads or phishing emails. Ransomware, a fast-growing threat, locks businesses out of their own data and demands payment for access.
More recently, attackers have begun threatening to leak stolen data, adding even more pressure to already tough decisions. This “double extortion” tactic can be devastating for SMEs.
Weak passwords
Poor password habits—like using “Password123”, reusing passwords, or sharing them across teams—can leave sensitive data exposed. With many SMEs relying on cloud services, weak or recycled passwords make it easier for attackers to break in and cause damage.
Poor patch management
Failing to keep devices and software updated leaves known security gaps open for attackers. SMEs often rely on staff to install updates manually, which can result in missed patches and widespread vulnerabilities.
Supply chain vulnerabilities
Many SMEs overlook the cyber risks posed by their suppliers. Only 14% of businesses review the potential cyber risks from immediate suppliers, leaving a significant blind spot.
AI: a double-edged sword
AI can be especially helpful for SMEs. AI tools can save time and money, performing tasks you wouldn’t normally be able to do such as coding or data analysis.
But just as AI can help you spot and stop threats, it’s also creating new risks. A 2024 NCSC report found that over 78% of UK organisations faced AI-related security incidents. As people rush to use new tools, they often overlook the risks—like feeding sensitive data into AI systems without knowing where it ends up.
Hackers are also now using AI to make their attacks smarter and more targeted. AI being so accessible has lowered the barrier, helping even low-skilled cybercriminals to launch sophisticated attacks and craft highly convincing phishing emails. It’s becoming even harder for employees to distinguish between legitimate and malicious communications.
How can you protect your business?
Given all these threats, it’s crucial to be proactive:
- Employee training: Regularly educate staff about cybersecurity best practices, including recognising phishing attempts and the importance of strong passwords.
- Regular backups: Maintain up-to-date backups of critical data in secure, offline locations to ensure business continuity in case of an attack.
- Implement Multi-Factor Authentication (MFA): Adding an extra layer of security can prevent unauthorised access, even if credentials are compromised.
- Update and patch systems: Ensure all software and systems are regularly updated to protect against known vulnerabilities.
- Assess supply chain risks: Evaluate the cybersecurity measures of your suppliers and partners to mitigate potential risks.
What is cyber insurance?
And our biggest piece of advice would be to get insured against cyber threats. Cyber insurance (AKA cyber security or liability insurance) is essential protection, no matter how robust your IT security is.
Cyber incidents can impact businesses of any size or sector, leading to downtime, financial loss, reputational harm, and even legal consequences. A strong cybersecurity strategy helps reduce these risks and often includes:
- Incident response support, including IT forensics, legal and PR services
- Business interruption cover, providing protection for income
- Digital and data asset loss, including the cost of repair, restoration or replacement
- Information Security and Privacy Liability
- Cyber terrorism and extortion
- Cyber Crime cover to help you recover lost funds from financially motivated attacks such as funds transfer fraud
- Multimedia Liability (Defamation/IP Infringement)
- Defence costs, civil fines and penalties, where insurable by law
To help you plan for and reduce risk, at Howden we develop risk management procedures and provide seminars, tools and training, so you can get the most out of your policy before an incident happens.
It may sound daunting or complicated, but that’s why an insurance broker such as Howden can really help. An insurance expert can help you navigate the complexities of insurance policies, while also accessing a variety of policies not typically available on comparison websites. Essentially, they do the heavy lifting for you!
To find out more about cyber insurance, talk to our expert teams.
Sources: UKGI Insight, Business Live, The Times, ITV News, Expert Insights
This is a marketing blog by Howden Insurance.