Cyber attacks on UK small and medium-sized enterprises have surged dramatically. According to the UK Government's Cyber Security Breaches Survey 2025, 43% of UK businesses identified a cyber attack in the previous 12 months, with the average cost of the most disruptive breach for small businesses reaching approximately £3,400. For many SMEs, the issue isn't a lack of awareness — it's a gap between knowing the risks and actually addressing them.
Here are the ten most common cyber security mistakes we see UK SMEs making — and practical steps to fix each one.
1. Relying on Weak or Reused Passwords
It sounds basic, but weak passwords remain the single biggest vulnerability in most small businesses. According to the National Cyber Security Centre (NCSC), the password "123456" still appears in millions of breached accounts every year. When staff reuse the same password across multiple services — their email, CRM, accounting software, and personal social media — a single breach can cascade across your entire business.
Fix it: Enforce a company-wide password policy with a minimum of 12 characters. Better yet, deploy a business password manager such as Keeper, 1Password Business, or Bitwarden. These tools generate unique, strong passwords for every account and auto-fill them so staff don't need to remember anything. Pair this with multi-factor authentication (MFA) on every service that supports it.
2. Not Enabling Multi-Factor Authentication (MFA)
MFA adds a second layer of verification beyond a password — typically a code from an authenticator app or a push notification to a phone. Microsoft reports that MFA blocks 99.9% of automated account compromise attacks. Despite this, many SMEs still haven't enabled it, even on critical services like Microsoft 365, banking, and cloud platforms.
Fix it: Start with your email (it's the keys to the kingdom), then cloud storage, accounting software, and any remote access tools. Microsoft Authenticator and Google Authenticator are free. For businesses on Microsoft 365, Conditional Access policies can enforce MFA company-wide without relying on individual users to enable it.
3. Ignoring Software Updates and Patches
Unpatched software is one of the most exploited attack vectors. When vendors like Microsoft, Adobe, or Google release security patches, they're publicly disclosing the vulnerabilities those patches fix — giving attackers a roadmap. The WannaCry ransomware attack that hit the NHS in 2017 exploited a vulnerability for which a patch had been available for two months.
Fix it: Enable automatic updates on all workstations. For servers and line-of-business applications, implement a monthly patch management schedule. If you're on a managed IT support plan, your provider should be handling this proactively. Check that firmware on firewalls, routers, and access points is also kept current — these are frequently overlooked.
4. No Formal Security Awareness Training
Phishing remains the number one attack method against UK businesses. The 2025 Breaches Survey found that 84% of businesses that identified attacks experienced phishing attempts. Your staff are your first line of defence, but without regular training, they're also your weakest link.
Fix it: Run security awareness training at least quarterly — not just an annual tick-box exercise. Use simulated phishing campaigns to test how staff respond to realistic attack emails. Platforms like KnowBe4 and Proofpoint Security Awareness offer affordable programmes designed for small businesses. Make it practical: show staff real examples of phishing emails targeting businesses in your sector.
5. No Tested Backup and Recovery Plan
Having backups is not the same as having a recovery plan. Many SMEs back up data to a single location (or worse, the same server), never test restores, and have no documented process for what to do when disaster strikes. Ransomware attackers specifically target backup systems — if your backups are connected to the same network, they'll be encrypted alongside everything else.
Fix it: Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite (cloud or physically separate). Test your restore process at least quarterly. Document your recovery procedure so any member of your team can initiate it. If you're using Microsoft 365, remember that Microsoft's native retention is limited — consider a dedicated backup solution like Veeam, Datto, or Acronis.
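As an added example (not the article's own material), a small shell script that turns the "test your restore process" step into a repeatable check: it archives a constructed sample data directory with tar, restores it into a scratch location, and compares SHA-256 checksums of every file, returning success only when the restored copy is identical. An optional tamper argument corrupts one restored file first, to show that a silently bad restore is caught rather than reported as fine. It assumes a Linux-style POSIX shell with tar, sha256sum, find, cmp and mktemp available.

```shell
#!/bin/sh
# Added example: scriptable restore test for the 3-2-1 / "test your restores"
# advice. Not from the article or any vendor product.
set -u

# make_sample_data DIR: constructed sample files standing in for business
# data (labelled sample content, not real records).
make_sample_data() {
    mkdir -p "$1/accounts" "$1/hr"
    printf 'invoice,amount\nINV-001,120.00\n' > "$1/accounts/ledger.csv"
    printf 'sample staff list\n' > "$1/hr/staff.txt"
}

# checksum_tree DIR: one sha256 line per file with paths relative to DIR,
# sorted so two trees with identical content give identical output.
checksum_tree() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort)
}

# restore_test SRC [TAMPER_RELPATH]: back SRC up to a tar archive, restore it
# into a fresh directory and verify every file. If TAMPER_RELPATH is given,
# that restored file is overwritten first to simulate a corrupted restore.
# Returns 0 only when every restored file matches the original.
restore_test() {
    src=$1
    work=$(mktemp -d)
    tar -C "$src" -cf "$work/backup.tar" .
    mkdir "$work/restore"
    tar -C "$work/restore" -xf "$work/backup.tar"
    if [ -n "${2-}" ]; then
        printf 'corrupted\n' > "$work/restore/$2"
    fi
    checksum_tree "$src" > "$work/expected.sha"
    checksum_tree "$work/restore" > "$work/actual.sha"
    if cmp -s "$work/expected.sha" "$work/actual.sha"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Demo run: sh restore_test.sh --demo
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_data "$demo/data"
    if restore_test "$demo/data"; then echo "restore OK"; else echo "restore FAILED"; fi
    rm -rf "$demo"
fi
```

In a real deployment, point restore_test at a restored copy pulled from the offsite or cloud backup rather than at a local tar, and schedule it so the quarterly test actually happens.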
6. Using End-of-Life Software
Windows 10 reaches end of life in October 2025, meaning Microsoft will stop issuing security patches. Businesses still running Windows 10 after this date are running systems with known, unpatched vulnerabilities. The same applies to older versions of Office, SQL Server, and industry-specific software.
Fix it: Audit your software estate now. Identify any end-of-life operating systems or applications and create a migration plan. Windows 11 requires TPM 2.0, which means some older hardware may need replacing. Budget for this — it's cheaper than recovering from a breach. If legacy applications require older operating systems, isolate them on a separate network segment.
7. No Network Segmentation
In many small businesses, every device sits on the same flat network. This means a compromised laptop in reception has the same network access as a finance server. Once an attacker gains access to any device, they can move laterally across the entire network.
Fix it: Implement VLANs (Virtual Local Area Networks) to segment your network. At minimum, separate guest WiFi from your corporate network, keep IoT devices (printers, cameras, smart TVs) on their own VLAN, and restrict access to sensitive systems. A properly configured firewall with internal rules can enforce this without a large infrastructure investment.
8. No Endpoint Detection and Response (EDR)
Traditional antivirus that relies on signature-based detection is no longer sufficient. Modern threats use fileless malware, living-off-the-land techniques, and zero-day exploits that legacy antivirus simply cannot detect. The NCSC recommends behaviour-based detection as a baseline control.
Fix it: Deploy an EDR solution such as Microsoft Defender for Business, SentinelOne, or CrowdStrike Falcon Go. These tools monitor endpoint behaviour in real time, detect anomalies, and can automatically isolate compromised devices. For SMEs on Microsoft 365 Business Premium, Defender for Business is included in the licence at no additional cost.
9. No Incident Response Plan
When a breach occurs, every minute counts. Yet most SMEs have no documented incident response plan. Staff don't know who to contact, what to disconnect, or how to preserve evidence. This leads to delayed responses, greater data loss, and higher costs.
Fix it: Create a simple, one-page incident response plan covering: who to call (IT provider, senior management, ICO if personal data is involved), immediate containment steps (isolate affected systems, change compromised credentials), and communication protocols (who informs staff, clients, and regulators). The NCSC provides a free small business incident response template. Keep printed copies — if your systems are encrypted by ransomware, a PDF on the server won't help.
10. Assuming You're Too Small to Be a Target
This is perhaps the most dangerous mistake of all. The majority of cyber attacks are automated and indiscriminate. Attackers aren't specifically targeting your business — they're scanning the internet for any system with known vulnerabilities. If your RDP port is open, your email isn't protected by MFA, or your firewall firmware is three years out of date, you'll be found.
Fix it: Accept that every internet-connected business is a target. The NCSC's Cyber Essentials scheme is specifically designed for SMEs and covers the five technical controls that prevent the majority of common attacks. Certification costs from as little as £300 and demonstrates to clients and partners that you take security seriously.
Where to Start
If this list feels overwhelming, start with three actions today: enable MFA on all email accounts, ensure your backups are working and tested, and run Windows Update on every machine. These three steps alone will dramatically reduce your attack surface.
The Bottom Line
Cyber security doesn't need to be expensive or complicated for a small business — but it does need to be deliberate. Most breaches we see at Farsight Tech stem from the basics being overlooked, not from sophisticated nation-state attacks. Nail the fundamentals, train your people, and have a plan for when things go wrong.
Want a Free Cyber Security Assessment?
We'll review your current security posture, identify gaps, and give you a prioritised roadmap — no obligation.