Unlocking Cybersecurity for SMEs: Insights from the UK CyCOS Project
Small and medium-sized enterprises (SMEs) face growing cyber risks, as threat actors recognise the significant value in targeting these organisations.
Just like large businesses, SMEs carry high-value data, and as part of supply chains they can also offer attackers a backdoor into bigger targets.
SMEs are typically softer targets too, because compared to their large enterprise counterparts they lack the resources and expertise to deal with high volumes of attacks and sophisticated techniques.
In the UK, the government-backed Cyber Security Communities of Support (CyCOS) project is designed to identify SME cybersecurity support needs and understand how they can be addressed.
This project is split into four phases, occurring between 2023 and 2026.
With the programme now in its second year, researchers involved in the project from the University of Nottingham, Queen Mary University of London and the University of Kent spoke to Infosecurity about the unique SME cybersecurity challenge, updates from the CyCOS project and strategies smaller organisations can use to address cyber threats.
Insights have been provided by Dr Jason Nurse, Reader in Cyber Security at the University of Kent; Steven Furnell, Professor of Cyber Security, University of Nottingham; Neeshé Khan, Research Fellow in Cyber Security, University of Nottingham; Dr Maria Bada, Senior Lecturer in Psychology, Queen Mary University of London; and Matthew Rand, Postdoctoral Research Assistant, Queen Mary University of London.
Infosecurity Europe: What are the cybersecurity challenges faced by SMEs?
Jason Nurse: The two biggest cybersecurity challenges for SMEs are a lack of focus on security – since their primary concern is business survival and growth – and limited resources, particularly the financial means to invest in security expertise and technologies.
There’s a really important point to note here: SMEs don’t, on average, wilfully disregard cybersecurity; rather, their priorities are often dictated by immediate business needs, leaving security as a secondary concern.
Maria Bada: SMEs face unique cybersecurity challenges compared to large organisations due to limited budgets, lack of expertise and weaker security infrastructure. SMEs might continue using outdated hardware and software due to cost constraints, making them vulnerable to known exploits.
Also, many SMEs struggle to comply with cybersecurity regulations such as GDPR, the Payment Card Industry Data Security Standard (PCI-DSS) or Health Insurance Portability and Accountability Act (HIPAA) due to a lack of knowledge and resources.
Steven Furnell: Another potential issue is unfortunately awareness and recognition – or rather the lack of it. Although I agree with Jason that many don’t wilfully disregard it, there are still some out there that don’t appreciate why cybersecurity would be an issue for them. For example, there’s a common misconception that they would be too small for an attacker to target – overlooking the fact that many cyber incidents can happen indiscriminately, and that many breaches can occur for reasons other than attacks.
While they may report fewer incidents than larger organisations, successive results from the UK Department for Science, Innovation and Technology (DSIT) Cyber Security Breaches Survey clearly show that micro, small and medium businesses are not immune to them.
Matthew Rand: In addition to the point Steven highlighted about SMEs being too small for an attacker to target, they may just see themselves as irrelevant; in other words, they may not think they have data that would be of interest to an attacker compared to larger organisations. The perception of risk that SMEs have is likely to have a large influence on how they behave, and this could be a challenge in ensuring SMEs do the right things, with it perhaps taking an incident or breach before it 'hits home' how important an area it is for them.
Infosecurity Europe: How have cyber-threats evolved against SME organisations in recent years?
Maria Bada: SMEs face growing cyber threats, including ransomware, phishing, AI-driven attacks and supply chain breaches. Many SMEs are overconfident in their cybersecurity capabilities and employee awareness, making them more vulnerable to these threats, or fail to recognise the severity of these threats, often underestimating both their own risk exposure and the sophistication of modern cybercriminal tactics. This is really what is increasing their risk of data breaches, identity theft and regulatory penalties.
Jason Nurse: Cybercriminals now deliberately target SMEs as entry points to the larger organisations they work with. This has meant that SMEs now face much more capable and intentional threat actors, and it’s often an imbalance that puts them at significant risk.
Steven Furnell: Against this backdrop of increasing threats, SMEs have also faced additional challenges from the economic climate. We saw many having to go into survival mode to get through the COVID period, and we know from our own discussions with them that things have not been easier since, in terms of having the space to think about cybersecurity, let alone prioritise it, alongside keeping their core business going. The upshot is that while the threats advance, many SMEs are implicitly less prepared to keep up with them.
Infosecurity Europe: Could you tell us about the CyCOS research project? Why was the project set up and what are its core objectives?
Steven Furnell: The aim of CyCOS is to offer an accessible means for SMEs to engage with cybersecurity. We are seeking to better understand the challenges that are faced, and then to design and trial a new approach – the Communities of Support from which the project is named – enabling SMEs to engage with the issues in an accessible and collaborative context.
The project is funded by UK Research and Innovation and linked to the Research Institute for Sociotechnical Cyber Security. The work is led by the University of Nottingham, in partnership with Queen Mary University of London and the University of Kent. We are also happy to be supported by a range of collaborating organisations, including the Chartered Institute of Information Security, the Federation of Small Businesses, the Home Office, IASME, ISC2, the National Cyber Security Centre (NCSC) and three of the regional Cyber Resilience Centres. The work started back in September 2023 and runs until February 2026.
Maria Bada: The motivation for setting up the project is that it’s often difficult for SMEs to seek external guidance, and they often find themselves overwhelmed by the abundance of information and struggle to implement effective security measures.
By fostering community-based support networks and providing targeted resources, the CyCOS project seeks to empower SMEs to better understand and manage their cybersecurity challenges, ultimately contributing to enhanced national resilience against cyber threats.
Infosecurity Europe: What have been the main findings from the project so far?
Matthew Rand: Whilst we know that SMEs are at risk of a breach or incident to a similar extent as larger organisations, we also know that they may have some differences; for example, SMEs tend to have fairly low awareness and knowledge about it.
Our research started at the point of trying to understand why this is the case, exploring whether there were any factors that could explain the types of controls implemented by SMEs, the levels of awareness, knowledge, attitude and culture in the SME and the impact on the general support routes they make. We were able to run a survey with almost 400 SMEs across the UK to explore this.
Our work showed that SMEs that were 'industry leading' or in the Information Technology sector were establishing levels of awareness, knowledge and processes towards cybersecurity (such as controls) that were a lot higher than other categories of SMEs. Most SMEs are therefore likely to struggle with how to go about implementing the right cybersecurity for their organisation and will likely need to be supported in how they do this.
Neeshé Khan: To improve SMEs' engagement with cybersecurity, guides that are best suited to their needs should be easily locatable. Guidance documents can be enhanced in their coverage of topics, provide actionable steps and supporting resources to SMEs on how to improve their defences, and improve on their clarity so SMEs can understand and meaningfully engage with the information made available to them.
Advising bodies are playing an incremental role in the ecosystem by driving security adoption through proactive engagement and awareness-raising initiatives, whilst SMEs struggle with low cyber hygiene, knowledge and expertise to aid their efforts. Cross-collaborative activities and open communication at micro and macro levels can further the adoption of healthy cybersecurity practices amongst SMEs.
Steven Furnell: The early findings have confirmed that SMEs are certainly not suffering from a shortage of information or places from which to seek guidance. At the same time, they need the capacity and capability to understand and act upon it. Having your awareness raised and being given good practice guidance only gets you so far.
At the same time, we’ve also found that there seems to be a latent appetite for the Communities of Support idea, with both SMEs and cybersecurity providers having independently commented about the lack of peers to talk to, and the desirability of being able to share and discuss experiences.
Infosecurity Europe: Have any of the findings been unexpected?
Neeshé Khan: Yes, some findings have been unexpected. For instance, when evaluating online cybersecurity guidance for coverage, completeness and clarity, we found that content is widely communicated without the use of technical jargon.
However, it varies considerably depending on the source SMEs end up going with, which can result in confusion, frustration and discouragement in their efforts to become secure. Advice is also slightly outdated given the rapid advancements in adopted technologies, and there is a lack of accessibility in the information being provided. This is surprising given the amount of content targeted at SMEs on this topic.
Another surprising aspect that emerged from our study examining experiences of advice providers has been that SMEs engage with cybersecurity reactively. This means they often seek advice or help after an incident, or a breach has occurred rather than proactively strengthening their defences and improving their resilience to attacks.
Matthew Rand: In our discussions with SMEs, it was interesting to find that their experiences with cybersecurity providers were mixed and quite often, not overly positive. Although many cybersecurity providers are 'experts' in their field, it was surprising to hear that they are not always meeting the needs of the SME.
For example, SMEs often found that support from providers was generic in nature, with providers not always fully understanding the context within which the SME was operating.
More generally, when working with SMEs in our studies, it has been noticeable that when thinking about cybersecurity they very much focus on incidents or breaches as the points at which they should seek cybersecurity support, rather than the many proactive activities that we know are required to keep an organisation secure.
Infosecurity Europe: What are the next steps for the CyCOS project?
Matthew Rand: We have moved into a phase in which SMEs are giving us insight about their journey when they are seeking cybersecurity support.
Essentially, we want to know what happens when they seek support (e.g. do they use purely online resources, a specific provider or a mix of the two?) and for them to describe how that experience was for them.
This gives us insights into the overall experience – from start to finish – from the SME perspective. These will also be complemented by providers sharing their experience of the interactions they have with SMEs, providing us with insight on what has worked well and what they believe the challenges have been.
Neeshé Khan: As we move towards the Community of Support pilots later in the year, we are currently offering SMEs free access to an entry-level cybersecurity certification.
This will enable individuals to upskill themselves in some core cybersecurity areas and develop fundamental in-house expertise desperately needed in many organisations. Subsequently, we will be conducting the pilots of the Cybersecurity Communities of Support themselves.
These will enable collaborations that enhance the level and availability of support available to SMEs before scaling them up at regional levels. Anyone interested in engaging with the community pilots is encouraged to contact us via our website (www.cycos.org).
The topic of SME security support will be discussed on the keynote stage during Infosecurity Europe 2025 on Wednesday 4 June from 11.45-12.20, in the session ‘Enabling Cyber Security Communities of Support for SMEs.’