How Hackers Actually Get Into Small Businesses
If you run a business of 10–200 people in the UK, you probably think a burglar needs fancy kit and a cape to get in. Spoiler: they don’t. Cyber‑criminals use old-fashioned opportunism, sloppy habits and a few clever technical tricks. This piece explains, plainly, how hackers actually get into small businesses and — more importantly — what stops them before the phone starts ringing with bad news, fines or lost customers.
Why this matters for UK SMEs
A successful breach isn’t just an IT problem. It hits invoices, payroll, supplier trust and your reputation on the high street or in the boardroom. You could face reporting to the ICO under UK GDPR, disruption to services, ransom demands or extended downtime while systems are rebuilt. For a business of 10–200 staff, those consequences quickly become very expensive and very visible.
The common entry routes (and how to block them)
Most attackers don’t bother with cutting-edge zero‑days. They use simpler techniques that work because organisations leave obvious doors open. I’ve seen this in manufacturers in the Midlands, legal firms in London and retail chains outside Manchester — the patterns repeat.
1. Phishing and fraudulent messages
How it works: An employee receives a convincing email or text that looks like it’s from a supplier, bank or colleague. They click a link, enter credentials, or open a malicious attachment. The attacker then uses those credentials to log in and move laterally.
How to reduce risk: Make multi‑factor authentication (MFA) standard across email, cloud services and remote access. Train staff with short, frequent exercises rather than one annual lecture. Simulate phishing and follow up with coaching, not public shaming.
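As an added illustration (not part of the original article) of the tells that training should teach people to spot, here is a short Python triage script that checks one email for the classic invoice-fraud signs: a sender domain one letter off a known supplier, a Reply-To pointing somewhere else, pressure language in the subject, and a link that borrows a trusted name as a subdomain of an unrelated site. The trusted-domain list, the urgency word list, the simplified "registrable domain" rule and both sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the business legitimately corresponds with.
TRUSTED_DOMAINS = {"acme-supplies.co.uk", "example-bank.co.uk", "ourcompany.co.uk"}

# Subject words that signal the pressure tactics phishing relies on (assumption).
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|bank details|suspended)\b", re.I)

# Constructed sample: a fake "change of bank details" message from a lookalike domain.
SAMPLE_PHISH = """\
From: "Acme Supplies Accounts" <accounts@acme-suppIies.co.uk>
Reply-To: payments@mail-relay-example.net
To: finance@ourcompany.co.uk
Subject: URGENT: updated bank details for invoice 4471

Please update our bank details before paying today's invoice.
Confirm here: http://acme-supplies.co.uk.secure-login-example.net/verify
"""

# Constructed sample: a benign message from the real supplier domain.
SAMPLE_LEGIT = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.co.uk>
To: finance@ourcompany.co.uk
Subject: Invoice 4471 attached

Please find invoice 4471 attached, due in 30 days.
Portal: https://acme-supplies.co.uk/invoices/4471
"""


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Simplified 'registrable domain' rule (assumption): keep the last two labels,
    or three for UK second-level suffixes such as .co.uk. Real tooling uses the
    Public Suffix List."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_edits:
            return t
    return None


def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (tag, detail) findings for one email; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    imitated = lookalike_of(from_domain, trusted)
    if imitated:
        findings.append(("lookalike-sender", f"{from_domain} resembles trusted {imitated}"))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}, not the sender"))

    if URGENCY_WORDS.search(msg.get("Subject", "")):
        findings.append(("urgency", "subject uses pressure language"))

    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) in trusted:
            continue
        # A trusted name used as a subdomain of somewhere else is a classic decoy.
        if any(host.lower().startswith(t + ".") for t in trusted):
            findings.append(("deceptive-link", f"{host} borrows a trusted name as a subdomain"))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The point for training is that none of these checks needs technical skill: hover over the link, compare the sender domain letter by letter, and treat "urgent" plus "new bank details" as a reason to phone the supplier on a known number. The script simply makes the same checks repeatable.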
2. Weak or reused passwords
How it works: People use the same password across systems, or choose weak passwords that are easy to guess. Attackers buy leaked credentials on the dark web and try them on business accounts.
How to reduce risk: Use a reputable password manager and enforce passphrases or long, unique passwords. Couple that with MFA and you’ve eliminated a huge slice of the problem.
3. Unpatched software and exposed systems
How it works: Servers, routers and software with known vulnerabilities are left unpatched. Internet-facing services like RDP or poorly configured VPNs provide a direct path in.
How to reduce risk: Keep an inventory of devices and the software they run. Patch on a regular schedule and prioritise critical fixes. Where possible, avoid exposing management interfaces to the internet; use a secure jump host or zero‑trust approach.
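Here is an added example (not from the original article) of what even a hand-kept inventory makes possible: a small Python script that reads a constructed device spreadsheet and produces a prioritised worklist, flagging management services such as RDP or telnet that face the internet and devices whose patching has lapsed. The inventory rows, the port list, the 30-day patch window and the fixed "today" date are all assumptions chosen for the illustration.

```python
import csv
import io
from datetime import date

# Constructed inventory (assumption): the kind of sheet a 10-200 person firm can keep by hand.
INVENTORY_CSV = """\
name,role,internet_exposed_ports,last_patched,critical_patch_pending
fileserver01,file server,,2024-05-02,no
edge-router,router,443;23,2023-11-15,yes
vpn-gw,VPN gateway,443,2024-05-20,yes
rdp-terminal,remote desktop host,3389,2024-04-30,no
accounts-pc,workstation,,2024-06-01,no
"""

# Management and remote-access services that should not face the internet directly (assumption).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}
PATCH_WINDOW_DAYS = 30           # routine patching cadence assumed for the illustration
AS_OF = date(2024, 6, 10)        # fixed "today" so the output is reproducible
FIX_NOW, SCHEDULE = 1, 2         # severity: deal with it this week vs. next patch cycle


def assess(inventory_csv=INVENTORY_CSV, as_of=AS_OF):
    """Return (severity, device, issue) findings, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["name"]
        ports = [int(p) for p in row["internet_exposed_ports"].split(";") if p]
        for port in ports:
            if port in MANAGEMENT_PORTS:
                findings.append((FIX_NOW, name,
                                 f"{MANAGEMENT_PORTS[port]}/{port} exposed to the internet; "
                                 "move it behind a VPN or jump host"))
        age = (as_of - date.fromisoformat(row["last_patched"])).days
        if row["critical_patch_pending"] == "yes":
            findings.append((FIX_NOW, name,
                             f"critical patch outstanding ({age} days since last patch)"))
        elif age > PATCH_WINDOW_DAYS:
            findings.append((SCHEDULE, name,
                             f"no patches for {age} days (window is {PATCH_WINDOW_DAYS})"))
    # Sort by severity, then name, so the same device's issues sit together.
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


def worklist(findings):
    """Device names in the order they should be dealt with, without duplicates."""
    seen, order = set(), []
    for _, name, _ in findings:
        if name not in seen:
            seen.add(name)
            order.append(name)
    return order


if __name__ == "__main__":
    for sev, name, issue in assess():
        print("FIX NOW " if sev == FIX_NOW else "schedule", name, "-", issue)
    print("order of work:", worklist(assess()))
```

Note that the VPN gateway's own port 443 is not flagged: a VPN is meant to be reachable, and the point is to stop exposing the management interfaces behind it. The router's telnet port and the RDP host, by contrast, go straight to the top of the list.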
4. Third‑party and supplier access
How it works: An accountant, supplier or outsourced IT company has credentials or remote access to your systems. Their security is weaker than yours, and attackers use that route to reach you.
How to reduce risk: Audit who has access, revoke unused accounts and require suppliers to meet minimum security checks. Contractual promises are not enough; verify with basic penetration testing or security questionnaires.
5. Poorly protected backups and ransomware
How it works: Attackers encrypt live systems and then discover backups are available on the same network or accessible with the same credentials. You lose both live data and the ability to restore.
How to reduce risk: Keep offline or immutable backups, test restores regularly, and separate backup credentials from standard user accounts. Assume you’ll need to recover quickly and plan for it.
6. Social engineering and physical access
How it works: An attacker convinces reception to grant access, plugs in a device, or steals a laptop from an unlocked office. They don’t always need to be technically skilled — persuasion is often enough.
How to reduce risk: Lock screens, enforce clean desk policies, use full disk encryption and control physical access. Train staff to politely verify visitors and escalate anything unusual.
7. Insider risk (malicious or negligent)
How it works: A current or former employee keeps access, or someone intentionally exfiltrates data. Negligent behaviour such as copying customer lists to personal accounts also creates exposure.
How to reduce risk: Apply least privilege — give people only the access they need. Revoke credentials promptly when employees leave and monitor for unusual data transfers.
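The supplier-access audit in point 4 and the leaver checks in point 7 are really one exercise: compare who can still log in with who should be able to. Here is an added Python example (not from the original article) of that access review. It takes a constructed directory export and a constructed HR leaver list and flags enabled accounts belonging to people who have left, supplier accounts whose contract has ended, accounts unused for more than 90 days, and accounts without MFA. The account data, the leaver list, the 90-day threshold and the fixed review date are all assumptions.

```python
from datetime import date

AS_OF = date(2024, 6, 10)   # fixed "today" for a reproducible result
INACTIVITY_DAYS = 90        # assumed threshold for "unused"

# Constructed directory export (assumption): staff and supplier accounts with access to our systems.
ACCOUNTS = [
    {"user": "j.smith", "type": "staff", "enabled": True, "mfa": True, "last_login": "2024-06-09"},
    {"user": "a.patel", "type": "staff", "enabled": True, "mfa": True, "last_login": "2024-01-12"},
    {"user": "m.jones", "type": "staff", "enabled": True, "mfa": False, "last_login": "2024-06-03"},
    {"user": "acct-firm-svc", "type": "supplier", "enabled": True, "mfa": False,
     "last_login": "2024-02-20", "contract_end": "2024-03-31"},
    {"user": "msp-remote", "type": "supplier", "enabled": True, "mfa": True,
     "last_login": "2024-06-08", "contract_end": "2025-01-01"},
    {"user": "old-intern", "type": "staff", "enabled": False, "mfa": False, "last_login": "2023-09-01"},
]

# Constructed HR leaver list (assumption): user -> leaving date.
LEAVERS = {"a.patel": "2024-02-29"}


def review(accounts=ACCOUNTS, leavers=LEAVERS, as_of=AS_OF):
    """Return (user, tag, detail) findings for every enabled account that needs attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to do
        user = acct["user"]
        idle_days = (as_of - date.fromisoformat(acct["last_login"])).days

        if user in leavers:
            findings.append((user, "leaver", f"left on {leavers[user]} but account still enabled"))
        if acct["type"] == "supplier" and date.fromisoformat(acct["contract_end"]) < as_of:
            findings.append((user, "contract-ended", f"supplier contract ended {acct['contract_end']}"))
        if idle_days > INACTIVITY_DAYS:
            findings.append((user, "inactive", f"no login for {idle_days} days"))
        if not acct["mfa"]:
            findings.append((user, "no-mfa", "account not protected by MFA"))
    return findings


def revoke_now(findings):
    """Accounts to disable today: the owner has left or the supplier contract has ended."""
    return sorted({user for user, tag, _ in findings if tag in {"leaver", "contract-ended"}})


if __name__ == "__main__":
    for user, tag, detail in review():
        print(f"{user:15} {tag:15} {detail}")
    print("disable now:", revoke_now(review()))
```

Run monthly against a fresh export, this turns "revoke promptly" from a good intention into a routine: the leaver and contract-ended accounts are disabled the same day, and the inactive and no-MFA accounts become the list for the next conversation with the account owner or supplier.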
How to prioritise limited budget and time
Most small businesses can’t afford an army of security folk. Prioritise the basics that give the biggest return on effort:
- Enforce MFA and strong passwords — quick win, huge impact.
- Inventory your assets and critical data — know what you must protect.
- Patch regularly and reduce internet‑exposed services.
- Ensure backups are separate and tested.
- Run short, role‑specific security training and simulated phishing.
These steps are practical, affordable and will stop the majority of attacks you’re likely to face.
What to do if you suspect a breach
Stay calm and move deliberately. Disconnect affected systems where it’s safe to do so, preserve logs and evidence, and bring in technical help if you don’t have the skills in‑house. Notify the ICO if personal data has been compromised and communicate clearly with customers and suppliers — honesty limits reputational damage.
Local business groups and trade associations often offer advice and checklists tailored to your sector; don’t treat incident response as an ad hoc activity. Practise a simple plan so you’re not inventing it under pressure.
Costs versus outcomes — a business view
Security spending is often framed as a cost. I prefer to think of it as insurance against loss of time, money and credibility. A small investment that prevents a week of downtime or a damaged reputation is money well spent. For most UK firms of your size, the right controls pay back quickly by avoiding disruption and protecting customer trust.
FAQ
How common are attacks against small UK businesses?
They’re more common than people expect. Attackers gravitate towards easy targets, and small businesses often have the weakest controls. You don’t need to be large or famous to be worth attacking.
Will cyber insurance cover any breach?
Insurance can help with some costs, but it’s not a substitute for good security. Policies have exclusions and require evidence of basic protections. Treat insurance as part of a broader risk management plan.
How long does it take to improve security?
You can make meaningful improvements in weeks — for example, rolling out MFA and a password manager — but mature security is ongoing. Plan for continuous improvement, not a one‑off fix.
Should I handle security in‑house or hire external help?
If you have an IT person with security experience, they can handle many tasks. For specialist work — risk assessments, audits or incident response — external experts often provide faster, more cost‑effective results. Many owners find a hybrid approach works best.
What about GDPR and reporting?
If personal data is exposed, you may need to notify the ICO and affected individuals. Prompt action and clear documentation make regulatory conversations easier; hiding a breach makes outcomes worse.
Running a business in the UK means balancing growth with sensible protection. Cyber‑security doesn’t have to be a mystery or a drain on resources. By focusing on the predictable ways attackers get in — phishing, weak passwords, exposed systems and supplier access — you can dramatically reduce your risk and protect the things that matter most.
If you’d like to reduce the chances of expensive downtime, save staff hours, protect customer trust and sleep better, start with the basics: MFA, patched systems, tested backups and short, practical staff training. Those steps deliver tangible outcomes: less disruption, lower recovery costs, preserved credibility and a calmer inbox.