The Soft Underbelly: How UK SMBs Are Screwing the Nation on Cybersecurity
Let’s not piss about: if you’re a UK small or medium-sized business and you think no one would ever target you in a cyberattack, you’re not just wrong — you’re a liability. In fact, you might be the liability. The one that lets a state-backed group from Russia or China stroll straight through your firewall and into something vastly more important.
You’re not too small to matter. You’re small enough to not know that you matter. That’s what makes you dangerous.
Wake up. You’re the target now.
Just this week, the CEO of Cisco, Chuck Robbins, sat on stage and bluntly said the quiet part out loud: the threat landscape is as bad as it’s ever been. The UK's own National Cyber Security Centre (NCSC), part of GCHQ, came out swinging in full agreement. Their outgoing chief, Lindy Cameron, didn’t mince her words either: AI is now being used by hostile states to supercharge their attacks. Reconnaissance is automated. Vulnerability scanning is instant. You get breached before your cheap-as-chips MSP has even rolled out of bed.
That same week? M&S, Co-op, and Harrods got smashed. Coincidence? Don’t bet on it.
Let me say this slowly for the folks at the back: those were not direct assaults on mega-brands. They were attacks via their suppliers. The small guys. The forgotten backups. The third-party APIs. The piss-poor email systems with SPF and DKIM but no DMARC (so receivers check your mail, see it fail, and deliver the spoofed invoice anyway). The ancient NAS boxes running 6-year-old firmware.
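Because "SPF and DKIM but no DMARC" is the single most common version of this I see, here is a small offline checker that grades a domain's DMARC posture. It is an added example, not code from the original article, and the domains and records in it are constructed for illustration; the `assess_dmarc`/`parse_dmarc` names and the four grades are my own choice, not a standard.

```python
# Added example: a small offline DMARC posture checker. Not from the original
# article. The sample records below are constructed for illustration.
# To check a real domain, paste the output of:
#   dig +short TXT _dmarc.yourdomain.co.uk


def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a dict.

    Returns None if the record is absent, malformed, or not DMARC v1.
    """
    if not record:
        return None
    tags = {}
    for chunk in record.strip().strip('"').split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            return None            # malformed tag: receivers ignore the record
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 and a p= tag (tag order is not checked here)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(record):
    """Grade a DMARC record as 'missing', 'monitor-only', 'partial' or 'enforcing'.

    Returns (grade, list_of_findings). SPF and DKIM on their own only let a
    receiver *evaluate* a message; DMARC is what tells it to quarantine or
    reject the failures, so a missing or p=none record leaves spoofing of
    your domain effectively unpunished.
    """
    tags = parse_dmarc(record)
    findings = []
    if tags is None:
        return "missing", ["no valid DMARC record: spoofed mail from this "
                           "domain passes straight to the inbox"]

    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()     # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports, so "
                        "you will never see who is spoofing you")

    if policy == "none":
        findings.append("p=none: failures are reported but still delivered")
        return "monitor-only", findings
    if policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy '{policy}': receivers treat it as none")
        return "monitor-only", findings

    enforcing = True
    if sub_policy == "none":
        findings.append("sp=none: subdomains (e.g. invoices.yourdomain.co.uk) "
                        "are still open to spoofing")
        enforcing = False
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is acted on")
        enforcing = False
    if policy == "quarantine" and enforcing:
        findings.append("p=quarantine: failures go to junk rather than being "
                        "rejected; move to p=reject once reports look clean")
    return ("enforcing" if enforcing else "partial"), findings


# Constructed sample records (not any real domain's DNS)
SAMPLES = {
    "no-record.example": None,
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "half-done.example": "v=DMARC1; p=reject; sp=none; pct=25",
    "locked-down.example": "v=DMARC1; p=reject; sp=reject; pct=100; "
                           "rua=mailto:dmarc@locked-down.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        grade, notes = assess_dmarc(record)
        print(f"{domain:22} {grade}")
        for note in notes:
            print(f"    - {note}")
```

The point of the `sp=` and `pct=` checks is that a record can say `p=reject` and still be mostly decorative: a rollout left at `pct=25`, or a subdomain policy of `none`, is exactly the gap a supplier-spoofing campaign walks through.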
The supply chain is the battlefield
Still think you're not part of the problem? Let me guess: you're the outsourced IT provider for a facilities management firm that services hospitals. Or maybe you build custom SharePoint apps for a county council. Or you run a logistics operation that integrates directly with a retailer's warehouse platform. That makes you an attack vector. Not in theory. In practice.
And here’s the kicker: the bad actors know your name. Volt Typhoon, the Chinese state-backed group named in the joint US and UK advisories, pre-positions itself inside critical infrastructure by way of exactly this kind of neglected kit: unpatched edge devices, valid-but-stolen credentials, and living off the land with the admin tools already on the box once it's in. They’re not kicking down doors. They’re walking through unlocked ones. Usually labelled "Accounts-Desktop".
But we have antivirus...
Great. So do toddlers with iPads. That won't stop:
MFA fatigue attacks
Credential stuffing
Remote code execution via unpatched printers
Phishing emails written by AI that would fool Alan bloody Turing
Your own IT provider forgetting to patch your Fortinet firewall again
Cyber Essentials is not a sticker
If you support critical infrastructure — and you probably do even if you don’t realise it — Cyber Essentials Plus should be the bare minimum. It's not just a badge. It's a line in the sand that says, "We give a shit."
It's laughable how many MSPs and small vendors still don't have it. Or worse: they do, but only the basic level, and it expired last year. Newsflash: a Cyber Essentials certificate is valid for twelve months, and if yours is out of date, you are out of spec. That means you’re actively increasing the risk to your partners, your customers, and the country.
You want a business case? Here's one.
Let’s say you don’t upgrade. You don’t patch. You don’t even invest in proper EDR. One day, your compromised credentials are used to deploy ransomware across a nationwide food distribution company.
Suddenly, people in hospitals can’t get meals. Schoolchildren can’t be fed. Supermarket shelves sit empty. That’s what happens when you’re the weak link.
And when the story breaks? You’re not a plucky underdog. You’re Patient Zero.
This is a war, and you are not neutral
Russia doesn’t care about your invoice templates. China doesn’t want your QuickBooks file. They want access. Routes. Exploitable footholds into national infrastructure.
And the UK is playing catch-up. Fast. The NCSC is finally calling it what it is. We’re under siege. The front lines aren’t data centres or ISP backbones anymore — they’re you. Your Sage server. Your dodgy remote access tool. Your lazy IT team who hasn't rotated passwords since 2019.
Fix it or get out of the way
If you’re in the supply chain and you’re not:
Mandating Cyber Essentials Plus for yourself and your subs
Enforcing MFA across all systems
Running EDR backed by a real SOC (not some dashboard you check once a month)
Keeping assets up to date with actual patching and reboot cycles
Training your people not to click on “View Invoice” from h0t-babe99@aol.com
...then you're not just vulnerable. You're negligent.
And when (not if) your sloppy setup gets someone else breached? The fingers will point. The lawsuits will come. And if you think cyber insurance will save you, I have bad news: insurers are increasingly denying or disputing claims where the basics weren't in place, MFA above all. Ask anyone who’s tried to collect on a ransomware policy post-2023.
Final thought
You are not too small. You are not out of scope. You are either part of the solution or part of the next big breach.
So grow up, lock it down, and start acting like you matter. Because you bloody well do.
| Source | Article |
|---|---|
| Independent | Cisco CEO says cyber threat landscape is ‘as bad as it’s ever been’ |
| NCSC | NCSC chief warns of state-aligned threats using AI against UK |
| BBC News | M&S cyberattack affects online meal deal systems |
| The Guardian | Co-op cyberattack causes major payment issues |
| Evening Standard | Harrods joins M&S and Co-op in cyberattack fallout |
| Microsoft | Volt Typhoon: China-based threat actor targets critical infrastructure |
| Reuters | UK warns of growing cyber threats linked to AI |
| Cyber Security Hub | UK SMBs: The weak link in supply chain attacks |
| National Cyber Security Centre | Cybersecurity guidance for UK SMEs |
| Cyber Essentials | Cyber Essentials overview - NCSC |