The Cyber Threat to Small Businesses Just Got Real
Three days ago, the head of the UK's National Cyber Security Centre stood up at CYBERUK 2026 and said something that most small business owners will never hear: your business is a target for state-backed cyberattacks.
Not "might be." Not "could eventually become." Is.
That sounds dramatic. It is not. And the reasoning is simpler than you think.
Why small businesses are in the crosshairs
The NCSC's 2026 communications are unusually blunt about this. Previous years focused on large enterprises, critical infrastructure, defence contractors. This year, they explicitly named small and medium businesses as being in scope.
The reason is supply chains.
If you are a plumber who works on MOD housing, you are part of a defence supply chain. If you run a cleaning company that services a hospital, you are part of a healthcare supply chain. If you do bookkeeping for a firm that does bookkeeping for a council, you are two steps from government data.
State-backed attackers do not always go for the front door. They go for the smallest, least protected link in the chain. For a lot of organisations, that link is a small business with no IT department, a shared Wi-Fi password from 2019, and a website admin login that is still set to "password123."
The numbers are not reassuring
The government's own Cyber Security Breaches Survey found that 43% of UK businesses identified a cyber security breach or attack in the past year. For small businesses specifically, the figure was 42%. Note the word "identified": the survey can only count the attacks a business noticed.
Phishing, where someone sends a fake email pretending to be your bank, a supplier, or a customer, accounts for 93% of all cyber attacks on businesses. Not sophisticated hacking. Not someone in a hoodie cracking firewalls. An email that looks real, with a link that is not.
The average cost of a breach for a small business sits somewhere between £3,400 and £8,000, depending on which survey you read. That covers lost data, downtime, recovery work, and sometimes paying someone to fix the mess. For a business making £100,000 a year, that is a significant hit.
And those are the reported numbers. Plenty of small businesses get breached and never realise it, or realise it months later when customer data turns up somewhere it should not be.
What most attacks actually look like
Forget the Hollywood version. Most cyberattacks on small businesses are boring. They look like this:
Someone on your team gets an email that looks like it is from your web hosting provider, your bank, or a delivery company. They click a link. They enter a password. That password gets harvested and used to log into your real account.
Or: someone finds an old login to your website's admin panel, your email, or your accounting software. Maybe it was a default password you never changed. Maybe it was reused from another site that got breached years ago. They get in, and either steal data, redirect payments, or install something that quietly does the same thing over time.
Or: someone sends an invoice that looks like it came from a real supplier. The bank details are different, but nobody checks. The money goes to the wrong account.
None of this requires technical skill on the attacker's side. It requires inattention on yours.
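The invoice scenario is the one a simple check catches, because the fraud depends on nobody comparing the new bank details with the ones already on file. The script below is added here as an illustration; it is not code from this post or from any accounting package. The supplier record, the two invoices, the phone number and the field names are all made up for the example. Besides the bank-detail comparison it also flags an invoice that arrives from a domain that merely looks like the supplier's, which is how the "fake email from a supplier" usually works.

```python
"""Check an incoming invoice's payee against the supplier record on file.

Added example, not code from the original post. The supplier records, the
invoices and the field names below are constructed for illustration; real
accounting packages export this data in their own formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    sort_code: str
    account: str
    email_domain: str     # domain the supplier's genuine invoices come from
    contact_phone: str    # taken from the original contract, never from an invoice


@dataclass(frozen=True)
class Invoice:
    supplier_name: str
    sort_code: str
    account: str
    amount_gbp: float
    sender_email: str


def normalise_uk_bank_details(sort_code: str, account: str) -> tuple[str, str]:
    """Canonical form so '12-34-56' and '123456' compare equal.

    UK sort codes are six digits and account numbers eight; anything else is
    rejected rather than guessed at.
    """
    sc = sort_code.replace("-", "").replace(" ", "")
    ac = account.replace(" ", "")
    if not (sc.isdigit() and len(sc) == 6 and ac.isdigit() and len(ac) == 8):
        raise ValueError(f"malformed UK bank details: {sort_code!r} / {account!r}")
    return sc, ac


def check_invoice(invoice: Invoice, suppliers: dict[str, Supplier]) -> list[str]:
    """Return the reasons this invoice must be verified before it is paid.

    An empty list means the payee and the sending domain both match the
    supplier on file. Anything else goes to a human, who phones the supplier
    on the number already on file, not on a number printed on the invoice.
    """
    supplier = suppliers.get(invoice.supplier_name)
    if supplier is None:
        return [f"unknown supplier {invoice.supplier_name!r}: confirm before creating a payee"]

    reasons: list[str] = []
    try:
        inv = normalise_uk_bank_details(invoice.sort_code, invoice.account)
        on_file = normalise_uk_bank_details(supplier.sort_code, supplier.account)
    except ValueError as exc:
        return [str(exc)]
    if inv != on_file:
        reasons.append(
            f"bank details differ from record (invoice {inv[0]}/{inv[1]}, "
            f"on file {on_file[0]}/{on_file[1]}); call {supplier.contact_phone} to verify"
        )

    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != supplier.email_domain.lower():
        reasons.append(
            f"sent from {sender_domain!r} but the supplier's invoices come from "
            f"{supplier.email_domain!r}: possible look-alike domain"
        )
    return reasons


# Constructed sample data: one supplier on file, one genuine invoice and one
# where a fraudster has changed the bank details and the sending domain.
SUPPLIERS = {
    "Acme Plumbing Supplies": Supplier(
        name="Acme Plumbing Supplies",
        sort_code="12-34-56",
        account="12345678",
        email_domain="acmeplumbing.example",
        contact_phone="01632 960123",   # reserved fictional UK number
    )
}
GENUINE_INVOICE = Invoice("Acme Plumbing Supplies", "123456", "12345678", 840.00,
                          "accounts@acmeplumbing.example")
REDIRECTED_INVOICE = Invoice("Acme Plumbing Supplies", "65-43-21", "87654321", 840.00,
                             "accounts@acme-plumbing.example")

if __name__ == "__main__":
    for inv in (GENUINE_INVOICE, REDIRECTED_INVOICE):
        problems = check_invoice(inv, SUPPLIERS)
        print(inv.sender_email, "->", "OK to pay" if not problems else problems)
```

The important design point is the phone number: it comes from the supplier record you set up when you first signed the contract. A fraudulent invoice will happily print a "new" number that connects to the fraudster.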
What you can do this week
The NCSC publishes a Small Business Guide to cyber security. It is free, it is written in plain English, and most of the steps take five minutes. Here is the short version.
Turn on two-factor authentication everywhere. Your email. Your website admin panel. Your accounting software. Your social media accounts. Two-factor authentication means that even if someone gets your password, they cannot log in without a second check, usually a code from an app on your phone. It is the single most effective thing you can do, and it costs nothing. Two caveats: use an authenticator app or a security key rather than text-message codes where the service offers it, and remember that a convincing phishing page can ask for the code as well as the password, so the habit of checking the web address before you type anything still matters.
Stop reusing passwords. If you use the same password for your email, your website, and your Amazon account, a breach on any one of those compromises all three. Use a password manager. Plenty of good ones are free for personal use, and business plans are cheap. The NCSC recommends three random words as a password strategy if you do not want a password manager.
Update your software. If your website runs on WordPress, or if you use plugins, themes, or any software that has not been updated in six months or more, you are almost certainly running software with publicly known vulnerabilities. Updates exist because someone found a hole, and once the fix is public, attackers know exactly where to look. If you do not install the update, the hole stays open. Turn on automatic updates where the platform supports them, and delete plugins and themes you are not using rather than leaving them installed but inactive.
Back up your data. If you got locked out of everything tomorrow, could you recover? Do you have a recent backup of your website, your customer data, your accounts? If the answer is "probably" or "I think so," that is not good enough. Automated backups that run daily and store copies somewhere separate from your main system are the minimum. Separate means a different provider or storage that your website login cannot reach, because an attacker who gets into the site will delete any backups they can see. And a backup you have never restored is untested: try restoring one to a test location every so often, so you learn the process before you need it.
Know who has access to what. Does your old web designer still have admin access to your site? Does a former employee still have your social media login? Does your accountant log in with a shared password? Every old login that still works is a door you forgot to lock. Give each person their own account with the lowest level of access they need, and remove it the day they stop working with you.
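Putting that last step into practice: the script below is added here as an illustration and is not from this post or from any platform's own tooling. It takes a list of accounts of the kind you can export from a site's user list, plus a roster of the people who currently work with you, and tells you which logins to remove or question. The accounts, the roster, the date and the role names are constructed for the example; the thresholds are assumptions you would set for your own business.

```python
"""Access review: which logins on a site or service should be removed?

Added example, not code from the original post. The account list, the staff
roster and the column names are constructed; most platforms can export
something similar, but the exact fields are an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumptions for this example: which roles can change the site or move money,
# which of those are high privilege, which usernames usually mean a password
# is being shared, and how long an account may sit unused before it is questioned.
ROLES_THAT_CAN_CHANGE_THINGS = {"administrator", "owner", "editor", "author", "shop_manager"}
HIGH_PRIVILEGE = {"administrator", "owner"}
GENERIC_USERNAMES = {"admin", "accounts", "info", "office", "website"}
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    role: str
    last_login: Optional[date]   # None means the account has never logged in


def review_accounts(accounts, current_people, today):
    """Map each account that needs action to the reasons for it.

    current_people is the set of email addresses of everyone who works with
    you today (staff, your current web designer, your accountant). Customer
    and subscriber accounts cannot change the site and are skipped. Accounts
    that come back clean are simply absent from the result.
    """
    findings: dict[str, list[str]] = {}
    current = {e.lower() for e in current_people}
    for acct in accounts:
        if acct.role not in ROLES_THAT_CAN_CHANGE_THINGS:
            continue
        reasons = []
        if acct.email.lower() not in current:
            reasons.append("owner is not on the current staff/contractor list: remove")
        if acct.last_login is None:
            reasons.append("never logged in: remove or confirm it is needed")
        elif today - acct.last_login > STALE_AFTER:
            days = (today - acct.last_login).days
            reasons.append(f"unused for {days} days: remove or confirm it is needed")
        if acct.username.lower() in GENERIC_USERNAMES:
            reasons.append("generic username, probably a shared password: give each person their own login")
        if reasons:
            if acct.role in HIGH_PRIVILEGE:
                reasons.insert(0, f"PRIVILEGED ({acct.role}): deal with this one first")
            findings[acct.username] = reasons
    return findings


# Constructed sample data. TODAY is fixed so the example gives the same
# answer whenever it is run.
TODAY = date(2026, 5, 15)
STAFF = {"sarah@example.com", "admin@example.com"}
ACCOUNTS = [
    Account("sarah", "sarah@example.com", "administrator", TODAY - timedelta(days=3)),
    Account("tom", "tom@example.com", "editor", TODAY - timedelta(days=200)),          # left the business
    Account("oldagency", "hello@oldagency.example", "administrator", TODAY - timedelta(days=400)),
    Account("admin", "admin@example.com", "administrator", TODAY - timedelta(days=1)),  # shared login
    Account("customer42", "customer@example.net", "subscriber", None),                # customer, skipped
]

if __name__ == "__main__":
    for user, reasons in review_accounts(ACCOUNTS, STAFF, TODAY).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Run it against a real export and the list it prints is your to-do list for the afternoon. The roster is the part people skip: without a written list of who should have access, you cannot tell an old agency's login from a current one by looking at the usernames.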
What your website has to do with it
Your website is one of the most exposed parts of your business. It is on the internet, it has an admin panel, and it probably connects to your email, your payment provider, or your customer database.
If someone compromises your site, they can redirect your contact forms to their own inbox. They can inject malicious code that steals your customers' information. They can put up a fake payment page. They can use your domain to send phishing emails to other people, which gets your domain put on spam blocklists and your site flagged as dangerous by Google.
A lot of small business websites are built on platforms that need regular maintenance: security patches, plugin updates, SSL/TLS certificate renewals. If nobody is doing that maintenance, the site is slowly becoming less secure every month.
This is one of the reasons we include ongoing maintenance, hosting, and security updates in every ctrl.alt.elite plan. It is not glamorous work, but it is the difference between a site that is quietly kept secure and one that is quietly becoming a liability.
The NCSC has a free tool for this
If you want a baseline check, the NCSC runs a service called Cyber Action Plan. You answer a few questions about your business, and it gives you a prioritised list of actions tailored to your situation. It takes about ten minutes and it is genuinely useful.
They also run the Cyber Essentials certification scheme, which is a baseline standard for cyber security. It is not free, but it is not expensive either, and increasingly it is required if you want to work with government or larger organisations. Given that the government just announced £7.4 billion in SME procurement targets, having Cyber Essentials could open doors.
The bottom line
You do not need to become a security expert. You do not need to hire an IT team. You need to do the basics, and the basics are genuinely basic: strong passwords, two-factor authentication, software updates, backups, and knowing who has access to your accounts.
The NCSC warning this week was not aimed at FTSE 100 companies. It was aimed at businesses like yours. The ones that think they are too small to be a target, right up until they are not.
Spend an hour on this. It is a better use of your Friday than most things in your inbox.