Small and medium-sized enterprises (SMEs) which think they won’t be targeted by cyber-attacks are wrong and should take action to defend against rising cyber threats, the head of the National Cyber Security Centre (NCSC) has warned.
NCSC CEO Richard Horne recently described how SMEs are aware of how threat of cyber-attacks is increasing, but few have taken action to protect their businesses against them because they don’t think they will be targeted by cybercriminals or other malicious threat actors.
“That assumption is wrong,” Horne said in a LinkedIn post.
SMEs might think that they are not attractive targets for cybercriminals, in the belief that attackers would rather go after big, well-known organizations. But Horne insisted that this is not the case.
“In reality, most cyber attackers don’t care about company size or brand recognition. They look for opportunity and weaknesses, not logos. If your defenses are poor and your systems are exposed, your business is vulnerable, and the consequences can be devastating,” he said.
Horne urged SMEs to protect themselves against cyber threats with the aid of Cyber Essentials certification.
Developed by the experts at the NCSC, the Cyber Essentials certification scheme is designed to defend businesses of all sizes against the most common cybersecurity threats. The five key tenets behind the scheme are:
- Secure configuration: Set up computers securely to minimize ways that a cyber-criminal can find a way in
- User access control: Control who can access your data and services and what level of access they have
- Malware protection: Identify and immobilize viruses or other malicious software before it has a chance to cause harm
- Security update management: Prevent cyber criminals using vulnerabilities they find in software as an access point to your systems
- Firewalls: Create a security filter between the internet and your network
Horne warned that “too many” SMEs haven’t taken these initial steps to help protect themselves against the most common forms of cyber-attacks. He called for that to change.
“Your organization wouldn’t operate without physical security or insurance and leaving basic cyber protections undone is no different. I urge all SMEs to put Cyber Essentials controls in place to help reduce their chances of falling victim to attackers,” he said.
“No business is out of reach. It is time to act,” Horne concluded.
The NCSC recently issued a warning over ‘severe cyber-attacks’ which could target critical national infrastructure.
Meanwhile, the NCSC Annual Review 2025 also warned about the rising threat of cyber-attacks to the UK after the agency was called in to aid with a record number of incidents with ‘national significance’.
