If you’re like most SMB leaders, you might think cyber criminals aren’t interested in you. This is not the case. The recent arrests following the attacks on M&S, Co-op, and Harrods may seem like stories for the bigger organisations, but the same tactics used against those household names are already being turned on smaller businesses. The reality is you don’t have to be the richest person on the street to get burgled — just the one who left the door unlocked.
In this article, I’ll unpack what’s happening beneath the headlines: who’s behind these attacks, how their tactics work, and most importantly, what SMBs like yours can do now to protect your business, your customers, and your reputation. Because being small is no longer a shield, it’s a risk.
In a recent article, Callum Archer explained why the recent cyber attacks on the NHS and M&S aren’t just headline news – they’re a wake-up call for SMBs. This is a message worth repeating, because one of the biggest misconceptions amongst small businesses I still come across is that they’re too small, too niche, or too under-the-radar to attract the attention of threat actors.
But that couldn’t be further from the truth. The reality is that attackers are actively seeking smaller businesses as entry points into larger supply chains, or as easy wins with low risk and high return. In other words, SMBs are the low-hanging fruit for hackers simply because many don’t take cyber security as seriously as they should (and therefore don’t have the preventative measures firmly in place). So, as you can imagine, believing that your business is “too small to get hit” only exacerbates the issue.
Check out this article for a deeper dive into why SMBs are primary targets.
I get it, you might understand the risks, but without a dedicated IT team – whether internal or external to your organisation – there’s only so much you can do. We’ve seen attackers exploit default credentials, unpatched systems, and basic email weaknesses that are common in smaller organisations without an IT manager. But this is where working with a trusted managed service provider (MSP) comes in: I’m sure we can all agree that keeping your business protected is a non-negotiable.
Whether you’re managing a 20-person agency or running a global empire, the attack surface looks the same:
As powerful as these platforms may be, they become vulnerable when they’re poorly secured. One UK logistics company, operating for 158 years, was brought to its knees by a simple email breach. It wasn’t a lack of resources that shut them down, but a lack of preparedness. Something as simple — and inexpensive — as better email security and human awareness could have made all the difference.
Sometimes, hackers simply have personal vendettas and take matters into their own hands. Something as small as poor service to a disgruntled customer can turn into a cyber incident. Moreover, with ransomware-as-a-service now available on the dark web, anyone with a grudge and a little money can launch a targeted attack against your business. They might not even hack you directly, but simply upload all your data onto the dark web for other bad actors to do with as they please.
The name Scattered Spider has become synonymous with some of the most high-profile cyber attacks in recent months. They’re not just your average ransomware gang: they’re strategic, calculated, and frighteningly effective.
Their primary weapons of choice are:
We’re seeing a shift where these attackers aren’t just executing attacks; they’re selling the means to execute attacks. This includes ransomware kits, login credentials, and access to compromised infrastructure. Last year the World Economic Forum ranked cyber crime 4th in the top five global risks over the next two years. It’s a lucrative business: threats are scalable, industrialised and becoming more automated.
All of this is emphasised in Human Risk Management, but cyber security training isn’t just about creating user awareness; it’s about knowing your people. Who consistently clicks on phishing tests? Who ignores MFA prompts? Do you run simulations to identify these patterns? Because if you do, you can intervene early — before a real attacker gets in.
If you take one thing away from the news about M&S or Harrods, let it be this: no one is too small to be a target.
Hackers aren’t just after your money: they’re looking for any weaknesses that will lead them to a bigger target or just give them bragging rights on the dark web. And that means every SMB has a responsibility — to themselves and to their customers — to build a secure foundation.
As someone who lives and breathes cyber security every day, I’ve seen how fast things can unravel when protection isn’t prioritised. Let’s put an end to the idea that SMBs are “too small to matter.”
The threats may be growing, but so are your options for staying ahead of them. Whether it’s endpoint management, backup, cloud monitoring or user awareness training, we’re here to help – talk to our team about how we can help you stay protected.