Why UK Businesses Are Being Targeted by Cyber Attacks
The UK has been ranked as the third most targeted country globally for cyber attacks. Yet one of the most common things I still hear from SMBs is: “We’re too small to matter.”
That misconception is dangerous. If you’re operating on that assumption, there’s a good chance you’re underestimating where your real exposure sits. This is not due to neglect, but because the way cyber attacks work today doesn’t quite match how most people think about risk.
As the Product Director of Secure Cloud and AI at Babble, I spend a lot of time working with SMB customers who have made sensible decisions. They’ve got tools in place. They’ve taken steps. But when you look a bit closer, there’s often a gap between what they think is covered and what actually is.
So we’ll unpack that in this article. Specifically, why the UK is such a consistent target, why the “too small to matter” mindset doesn’t hold up anymore, and where the real risks tend to sit for SMBs today, so you can start to see where you might be more exposed than you think.
What This Article Covers:
- The UK isn’t weak, just highly targetable
- Why “too small to matter” is a dangerous assumption
- Where the security gaps tend to sit
- How the threat landscape has fundamentally changed
- What happens after the breach matters most
- The first step isn’t buying more tech
- You can’t fix what you can’t see
The UK isn’t weak, just highly targetable
We have to remember that, from the attacker’s point of view, cyber crime is a business. It’s not someone in a hoodie randomly “having a go” at being an agent of chaos. These are organised groups making rational decisions about where to focus their effort.
So they look at things like:
- Where is the money?
- Where is it easiest to operate?
- Where can we scale?
And the UK ticks a lot of those boxes. We’re a relatively wealthy economy. We’re highly connected in every sense (i.e., businesses, consumers and supply chains). And we’re English-speaking, which matters more than people realise.
If you’re running phishing campaigns at scale, English is the easiest language to operate in globally. Add AI to that, and suddenly you can generate convincing content faster, cheaper, and in much higher volume than ever before.
So from a purely commercial perspective, the UK is a good market to target. Not because it’s weak, but because it’s efficient.
Watch the full episode here.
Why “too small to matter” is a dangerous assumption
Now, many SMBs we speak to firmly believe that they’re “too small to target”. In fairness, it makes sense if you think about it in physical terms.
Let’s say you’ve got a florist on a high street next to a bank and a jewellery shop. It’s reasonable to assume you’re not the main target. Someone breaking in is going to go for the higher-value option.
But that logic doesn’t apply in the digital world, because attackers aren’t choosing one building to break into. They’re running automated attacks across thousands, sometimes millions, of businesses at the same time. Once they’ve built the method, like a phishing email, the cost of repeating that attack is basically zero.
So it doesn’t matter whether you’re a 10-person business or a 500-person enterprise. Often you’re not being singled out. You’re just part of the dataset.
However, in some ways, SMBs are much more attractive targets:
- They may form part of a supply chain attack for a bigger business;
- There’s typically less time and budget for security;
- The defences are often lighter because they lack the internal expertise;
- They’re usually more likely to pay smaller ransom demands to avoid the downtime; and
- Incidents are less likely to be made public.
From an attacker’s perspective, that’s a pretty good model.
Where the security gaps tend to sit
Many SMBs are doing the right things and genuinely trying to protect their people and data. The issue is rarely intent; it’s how security has evolved over time.
In most cases, security has been built bit by bit: a tool here, a policy there, something added after an incident or audit. Each step makes sense on its own, but it hasn’t been designed as one joined-up system.
Over time, you end up with something that feels like it should work, but it doesn’t quite join up.
That’s where the gaps creep in.
1. People: Still the biggest cyber risk
If you had to pick one area that causes the most issues, it’s people. For the most part, they won’t be doing anything intentionally wrong; they’re just busy, and IT security isn’t high on their list of priorities. And most importantly, they haven’t necessarily been trained to spot the risks.
Clicking on a link. Reusing a password. Missing an update. Leaving a device unlocked somewhere. Those behaviours all contribute to why 95% of cyber breaches start with people.
2. Identity: Where things have really shifted
As I mentioned earlier, the attacks today aren’t about breaking in anymore. They’re about logging in. In fact, IBM X-Force confirms this: nearly one in three incidents in 2024 resulted in credential theft, with attackers increasingly capitalising on identity gaps rather than breaking through perimeters.
A typical phishing attack may try to get hold of your Microsoft 365 account credentials, for example. Once an attacker has that, they’re not fighting your perimeter. They’re using your access (and moving in undetected). And because of things like single sign-on (SSO), that one identity often unlocks multiple systems: email, file storage, CRM, and finance tools all linked to your account.
That makes the blast radius much bigger than it used to be.
Password reuse makes this worse. If you’re using the same email and password combination across multiple platforms (please don’t), a breach in an insecure platform can lead to access somewhere much more important.
That’s not a technical failure; it’s how people tend to behave.
3. Endpoints: Everything is an entry point now
Laptops, phones and tablets are all doors into your environment. Hybrid and remote work are the norm, so people are working everywhere now: from home, the office, or on the train. This means those devices aren’t sitting behind a single, controlled network anymore.
So instead of protecting one perimeter, you’re protecting dozens or hundreds of individual endpoints. Many devices aren’t company devices, which means more risk from what’s installed on them.
4. Backups: Not to be confused with recovery
Backups are one of those things that people feel quite confident about. “We’ve got backups, so we’re covered.” From a recovery perspective, they’re essential. But things get interesting when you think about whether they’re secure, because a backup is essentially a complete copy of your data, stored somewhere else.
Instead of trying to break into your primary environment, an attacker might just go after wherever that backup lives, particularly if it’s with a third-party provider. If stealing data is the intended goal, this is the perfect solution.
5. Supply Chain Attacks: When you’re not the real target
This is something becoming increasingly common. You might not be the organisation an attacker is aiming for, but you could be the easiest route in.
Remember the Marks & Spencer attack in 2025? M&S lost an estimated £300 million and had its online ordering taken down for weeks. The attackers didn't walk through M&S's front door; they got in through a third-party supplier. If you're part of a larger business's supply chain and your security is weaker, you become the easiest route in. This is what we call 'island hopping': moving through smaller organisations to reach a bigger target.
We’ve seen plenty of examples where the initial breach happens in an SMB, but the impact is felt much further up the chain.
How the threat landscape has fundamentally changed
Going back a few years, cyber security used to be much more about the perimeter. You had an office, a network, and you controlled who came in and out. The thinking was like that in the physical world: if we secure the perimeter, we’re broadly okay. But that’s no longer the case.
Now, people are working from anywhere; systems are in the cloud; and access is happening across multiple platforms. In other words, there isn’t a single perimeter to defend.
The focus has shifted to:
- Identity: your login is effectively your access point.
- Endpoints: every device needs to be secure, wherever it is.
- Context: you start looking at behaviour.
If I log into my Microsoft 365 account from Belfast at 10am, and the same account logs in from South Africa at 10:15am, something is clearly wrong. Modern security tools can catch that automatically, before any damage is done.
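The Belfast/South Africa check described above is commonly called an "impossible travel" rule. The sketch below is an added example, not code from this article or from any vendor's product; the event format, the coordinates (Johannesburg stands in for "South Africa"), the 900 km/h speed ceiling and the 100 km noise floor are all assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed

# Constructed sign-in events (user, ISO time, lat, lon); not real log data.
EVENTS = [
    ("alice@example.com", "2025-03-03T10:00:00", 54.5973, -5.9301),   # Belfast
    ("bob@example.com",   "2025-03-03T09:00:00", 54.5973, -5.9301),   # Belfast
    ("alice@example.com", "2025-03-03T10:15:00", -26.2041, 28.0473),  # Johannesburg
    ("bob@example.com",   "2025-03-03T13:00:00", 51.5074, -0.1278),   # London
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=100.0):
    """Return (user, km, kmh) for consecutive sign-ins implying travel faster than max_kmh."""
    alerts, last = [], {}
    # Logs often arrive out of order, so sort by timestamp before comparing.
    for user, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Zero elapsed time between distant sign-ins counts as infinite speed.
            kmh = km / hours if hours > 0 else float("inf")
            # min_km ignores short hops caused by imprecise IP geolocation.
            if km >= min_km and kmh > max_kmh:
                alerts.append((user, round(km), round(kmh) if hours > 0 else None))
        last[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, km, kmh in impossible_travel(EVENTS):
        print(f"ALERT {user}: {km} km between sign-ins implies {kmh} km/h")
```

In practice the coordinates come from IP geolocation, so VPN exits and mobile carriers produce false positives; treat a hit as a trigger for step-up verification rather than proof of compromise.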
This is the principle behind what's known as zero trust: don't assume anyone is who they say they are, even if they're already inside your network. Every login gets verified, every time. It sounds complex, but the idea is simple: trust nothing by default.
Then add AI into the mix. Attackers are using it to write better phishing emails, fake voices, and run campaigns at a scale that wasn't possible a few years ago. It makes the attacks faster, cheaper, and harder to spot.
This widens the gap between what’s happening out there and what most SMBs are equipped to deal with.
What happens after the breach matters most
When a business gets hit, the immediate concern is usually operational: systems go down; people can’t work; and there’s disruption.
But in most cases, that’s not the hardest part. That comes next: if data has been compromised, you often have a legal obligation to tell your customers. Once that’s out there, you can’t take it back and say, “Actually, forget about that breach, everything’s fine now.”
Trust is much harder to recover than systems. And it’s not just your customers. Employees start asking questions and begin to feel unsafe (especially if their personal data is involved). This could spread to your partners and suppliers, who may reassess their relationship with you.
That’s why cyber security has shifted from being an “IT issue” to a business risk.
The first step isn’t buying more tech
This is where people often go slightly wrong. The instinct is to go and buy something that promises to “solve” the problem, like a new tool or platform. Sometimes that is the right answer.
But often, it shouldn’t be the first step. Because if you haven’t taken the time to understand your current position, you don’t actually know what you need.
You might already have the right tools, but just be using them incorrectly. Or you might have gaps that no tool will fix on its own.
The starting point is about stepping back and getting a clear picture of:
- What you have;
- How it’s being used;
- Where the gaps are;
And then deciding what matters most to fix.
You can’t fix what you can’t see
The aim here isn’t to make things feel more overwhelming than they already are. It’s the opposite, because most of what we’ve talked about is solvable. It starts with being honest about where you are, and recognising that cyber security isn’t something you “set and forget”. It either improves over time or it quietly drifts.
That’s the real risk, as the issue for most SMBs isn’t a complete lack of security. It’s the gaps. The things that sit between the tools, decisions, and assumptions: the things you can’t easily see that leave your business exposed.
I’ve spent years working with businesses in exactly this position. Sensible decisions have been made. Good tools are in place. But there isn’t a clear, joined-up view of how secure the business is, or where to focus next.
Before you think about buying anything new or adding another layer of technology, take a step back. Get a clear picture of where you stand today: across your people, access, devices, data, recovery, and environment.
That’s exactly what our Cyber Security Snapshot is designed to do.
It gives you a simple, structured view of your security: where you’re strong, where you’re exposed, and what to prioritise next.
Because once you can see that clearly, you’re no longer guessing. You’re making decisions based on something real. That’s when cyber security starts to feel a lot more manageable.
Mark O'Dell
As a chartered professional with the Institute of Directors and experienced Operations Director, Mark brings a proven history of success in the technology and services industry. With a focus on managing global teams, he specialises in deploying and supporting cutting-edge cloud technologies like Azure, Office 365, and private data centers.
