What SMBs Can Learn From The Recent Wave of Cyberattacks

In the past few weeks, we've witnessed a series of high-profile cyberattacks targeting some of the UK's largest retailers, including Co-op, Harrods, and Marks & Spencer. These incidents have dominated headlines, highlighting the vulnerabilities that even the biggest and best-resourced companies face. However, while the spotlight often shines on these corporate giants, small and medium-sized businesses shouldn’t be lulled into a false sense of security. SMBs might not make the headlines, but the reality is that they are just as vulnerable, if not more so, to cyber threats.

“Cyber criminals don’t attack small businesses”

A common myth we hear is that SMBs won’t be attacked because their size makes them less attractive to cybercriminals. Why would they attack a small business when they could attack Harrods, right? This misconception leads to complacency, leaving businesses wide open for cyber attacks, which in turn makes them more attractive to cybercriminals…

SMBs are often seen as low-hanging fruit by attackers. They typically have less knowledge and awareness, as well as fewer resources to devote to cybersecurity, making them easier targets. The Government's Cyber Security Breaches Survey 2025 shows that 42% of UK small businesses and 67% of medium businesses had experienced a phishing attack in 2024.

In addition, attackers see smaller businesses as a way of executing supply chain attacks. This is a type of attack where hackers target insecure elements within a supply chain in order to compromise larger organisations. Smaller businesses with weaker security measures are an ideal entry point: cyber criminals can break into their systems and, once inside the network, use them as a stepping stone to gain access to larger and more lucrative targets. Supply chain attacks not only cause a wave of destruction on the way to the larger targets, but are also much harder to detect, as the breach may have happened long before the attack was executed.

So whilst a smaller business may not, on the surface, be an attractive target, it still holds value for cyber criminals as low-hanging fruit and as an entry point for supply chain attacks. SMBs are certainly not immune.

The wave of retail cyberattacks

The recent attacks on retailers serve as a stark reminder of the impact cyber attacks can have.

M&S customers reported issues with click and collect services and contactless payments on April 21st. Later that day, M&S officially confirmed a cyber incident. Within a few days they had suspended all online orders – a revenue stream that brings in £3.8 million a day – and over £700 million was wiped off Marks and Spencer’s market value. Finances aren’t the only burden – they paused all recruitment and suffered considerable stock shortages. Although the attack came to light at the end of April, it’s thought that the breach began in February, when hackers stole passwords enabling movement across their networks. M&S have said that there is no evidence that the stolen data has been shared, and that it does not include usable payment details. This cyber attack continues to take a huge toll on their business and will take a considerable amount of time to recover from – financially, logistically, and in regaining the trust of their customers.

Similarly to M&S, Co-op disclosed a cyberattack on May 1st. It caused huge disruptions in back-office and call centre functions. If you’ve been into a Co-op recently, you’ll have noticed that the shelves are empty; as with M&S, the attack resulted in stock shortages which they still haven’t recovered from. The Co-op has admitted that customer and employee data has been stolen but, again like M&S, it hasn’t been shared. Although the Co-op haven’t disclosed the number of customers and employees affected, the hackers themselves have claimed they’ve stolen more than 20 million records. Again, this is a huge toll on their business and will take a long time to recover from.

When high-profile cyber attacks like this happen, it unfortunately opens up even more opportunities for cybercriminals. Worried and frenzied customers and employees can easily click on links in phishing emails claiming to reset their passwords following the cyber attack. Spoof phone calls are common too, and are something the National Cyber Security Centre has warned about in the aftermath of the attacks. Unfortunately, these attacks are just the tip of the iceberg and the impact ripples out quickly.

The takeaway is clear: we cannot underestimate the severity and impact cyber attacks have on businesses.

The Cost of Complacency

We’ve spoken about the financial implications for M&S and Co-op. Although they’re significant, these are big businesses with the resources to recover, albeit slowly. For SMBs though, the financial implications of a cyber attack can be catastrophic. The costs associated with a breach – ranging from immediate expenses like investigation and recovery to long-term impacts such as reputational damage and customer churn – can be overwhelming. On average, cyberattacks cost SMBs more than £200,000, with some incidents costing up to £5.6 million. For many small businesses, this amount of financial strain can be insurmountable.

Proactive Measures for SMBs

To mitigate these risks, SMBs must adopt a proactive approach to cybersecurity. Here are some essential steps:

1. Invest in a Strong Cybersecurity Strategy: Treat cybersecurity as an essential business investment rather than an optional expense. Implement robust security measures tailored to your specific needs.

2. Adopt a Zero-Trust Security Model: Assume that threats exist both inside and outside your network. This approach minimises the risk of internal and external breaches.

3. Regular Backups and Incident Response Planning: Ensure that you have regular backups of critical data and a well-defined, and tested, incident response plan to quickly address any breaches.

4. Security Awareness and Employee Training: Educate your employees about the latest cyber threats and best practices for avoiding them. Human error is often the weakest link in cybersecurity.

5. Invest in Cyber Insurance: Cyber insurance can help mitigate the financial impact of a breach, covering costs such as legal fees, customer notification, and recovery efforts.

Conclusion

The recent spate of cyberattacks on large organisations should serve as a wake-up call for all businesses, including SMBs. By taking cybersecurity seriously and implementing robust protective measures, SMBs can safeguard their operations, protect their customers, and ensure their long-term viability in an increasingly digital world.

If you’re concerned about the recent cyber attacks and how they might impact your business, feel free to reach out to us.

 
