The incident we walk through happened to a real UK SME. The figures, the timeline, and the regulatory consequences are real. Identifying details have been removed; the pain was very much genuine.
Nothing here is theoretical. If you recognise your own processes — your gaps, your habits — that recognition is the most valuable thing you take away today.
This is a conversation, not a lecture. If something applies to your business, or you want to dig deeper — ask now. Q&A starts at the beginning, not at the end.
The Chamber will circulate this to every attendee. Focus on what it means for your business. The most important output today is your own action list.
Attackers do not manually pick their victims. Automated tools scan every IP on the internet, every day. If you are online, you are in scope.
SOURCE — DSIT Cyber Security Breaches Survey 2024 · NCSC Annual Review 2024 · ICO Enforcement Data
Organised criminal networks operating like businesses. SMEs are preferred — large enough to pay, small enough to have weak defences. Typical UK SME ransom demand: £45,000–£200,000. Most victims pay.
Bots probing every internet-connected device around the clock. No human involvement until a vulnerability is found. Your firewall logs record thousands of these probes a day, right now.
Sophisticated crews targeting your finance team. They intercept or spoof invoices and redirect payments. Average UK BEC loss: £137,000. No malware. No antivirus will catch them.
Current staff, contractors, former employees with access they should not have. Triggered by grievance, financial pressure, or coercion. Hardest to detect without proper access controls and audit logging.
Every successful attack exploits one of these vectors. Most SMEs are exposed on multiple fronts at once — and have no visibility of it.
SOURCE — Verizon DBIR 2024 · DSIT Cyber Security Breaches Survey 2024 · CISA Advisories
A firewall cannot stop a convincing email. The human layer is the most attacked surface in every small business.
Your finance manager gets an urgent email from "you" requesting an immediate bank transfer. The domain is spoofed convincingly. The tone is right. Average loss: £85,000. Happens to UK SMEs every single day.
An attacker compromises your supplier's email. Sends updated bank details ahead of your next invoice. You pay the correct amount — to the wrong account. Funds typically unrecoverable. Your contractual obligation may still stand.
"This is Microsoft / your IT provider. We've detected a problem with your server. I need you to install this software." Staff who have had no security training will comply. One in four will, even with training.
Automated tools craft convincing emails mimicking HMRC, DocuSign, Royal Mail, or your own bank. One click from one staff member is all it takes. In untrained organisations, 1 in 3 phishing emails gets clicked.
Before the first attack attempt, an attacker knows your staff names, email format, software stack, and key suppliers. All from free, public sources.
Staff profiles reveal job titles and who approves payments. Companies House reveals directors, financials, and registered address. All free. All public. All valuable.
Domain, contact page, email pattern (firstname.lastname@yours.co.uk) — everything needed to craft a convincing personalised phishing email addressed to a named person.
Tools like Shodan catalogue every internet-facing device you expose — routers, RDP, old mail servers. Unpatched systems appear in publicly searchable databases within hours.
Your staff's personal email passwords from old data breaches sell for pennies. If they reuse those passwords at work — and 65% of people do — the attacker already holds valid credentials.
The attacker turns research into access. For most SMEs this moment goes completely undetected. Everything that follows happens while the business runs normally.
A phishing email is clicked. A staff member enters credentials into a fake Microsoft 365 login. Or the attacker logs into RDP with a password from a dark-web database. Either way — they appear as a legitimate user. Nothing alerts.
Malware executes silently and connects out over HTTPS — indistinguishable from normal web browsing. Antivirus rarely catches it. The attacker is now persistent: rebooting changes nothing.
The attacker hunts for admin credentials, shared passwords, misconfigured systems. Many SMEs share a single local admin password across all machines. Domain administrator access is typically acquired in under 30 minutes.
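The "nothing alerts" problem above is usually a choice, not a law of nature: the sign-in logs that Microsoft 365 already keeps contain the evidence. The following is an added example written for this briefing (not code from the deck or from Microsoft) showing two detections a small business could run over its sign-in log export: a password spray (one source IP, one guess per account, then a success) and a successful sign-in without MFA from a country the user has never signed in from. The events, field names and thresholds (five accounts in ten minutes) are constructed assumptions loosely modelled on Entra ID sign-in columns.

```python
"""Sign-in anomaly detection over constructed Microsoft 365-style events.
Added example for this briefing, not code from the original deck."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions,
# loosely modelled on Entra ID sign-in log columns.
EVENTS = [
    {"time": "2024-05-13T08:02:11", "user": "alice@example.co.uk", "ip": "198.51.100.7",
     "country": "GB", "result": "success", "mfa": True},
    {"time": "2024-05-13T08:05:40", "user": "bob@example.co.uk", "ip": "198.51.100.7",
     "country": "GB", "result": "success", "mfa": True},
    # Spray: one foreign IP, one guess against each account, then one success
    {"time": "2024-05-13T23:14:02", "user": "alice@example.co.uk", "ip": "203.0.113.45",
     "country": "NL", "result": "failure", "mfa": False},
    {"time": "2024-05-13T23:14:09", "user": "bob@example.co.uk", "ip": "203.0.113.45",
     "country": "NL", "result": "failure", "mfa": False},
    {"time": "2024-05-13T23:14:15", "user": "carol@example.co.uk", "ip": "203.0.113.45",
     "country": "NL", "result": "failure", "mfa": False},
    {"time": "2024-05-13T23:14:21", "user": "dave@example.co.uk", "ip": "203.0.113.45",
     "country": "NL", "result": "failure", "mfa": False},
    {"time": "2024-05-13T23:14:27", "user": "erin@example.co.uk", "ip": "203.0.113.45",
     "country": "NL", "result": "failure", "mfa": False},
    {"time": "2024-05-13T23:14:33", "user": "bob@example.co.uk", "ip": "203.0.113.45",
     "country": "NL", "result": "success", "mfa": False},
    # A legitimate user mistyping a password once: must not alert
    {"time": "2024-05-14T09:00:00", "user": "alice@example.co.uk", "ip": "198.51.100.7",
     "country": "GB", "result": "failure", "mfa": False},
    {"time": "2024-05-14T09:00:20", "user": "alice@example.co.uk", "ip": "198.51.100.7",
     "country": "GB", "result": "success", "mfa": True},
]


def parse(events):
    """Convert timestamps and sort chronologically."""
    return sorted(({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
                  key=lambda e: e["time"])


def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """One source IP failing against `min_accounts` distinct users inside `window`
    is a password spray. If the same IP later succeeds, that account is treated
    as compromised and the alert is critical. Thresholds are assumptions."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "failure"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["time"] - first["time"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_accounts:
                later_success = [e for e in evs
                                 if e["result"] == "success" and e["time"] >= first["time"]]
                alerts.append({"rule": "password_spray", "ip": ip, "accounts": len(users),
                               "severity": "critical" if later_success else "high",
                               "compromised": sorted({e["user"] for e in later_success})})
                break  # one alert per source IP
    return alerts


def detect_new_country_no_mfa(events):
    """Successful sign-in without MFA from a country never seen for that user.
    The baseline is built from earlier successes in the same feed, so a user
    with no history cannot be judged and is skipped."""
    alerts, seen = [], defaultdict(set)
    for e in events:
        if e["result"] != "success":
            continue
        known = seen[e["user"]]
        if known and e["country"] not in known and not e["mfa"]:
            alerts.append({"rule": "new_country_no_mfa", "user": e["user"],
                           "ip": e["ip"], "country": e["country"]})
        known.add(e["country"])
    return alerts


def run(raw_events=EVENTS):
    events = parse(raw_events)
    return detect_spray(events) + detect_new_country_no_mfa(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules fire on the same account in the sample, which is the point: the second rule would still have caught the sign-in even if the spray had been slower than the window. Note the second rule cannot judge a user with no history, so a brand-new account is a gap that MFA enforcement has to close rather than detection.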
They read your email, map your systems, and access your backups — before they show themselves.
With admin credentials, every mailbox is readable. Months of email — contracts, invoices, bank details, client data — harvested. This data fuels follow-on fraud against your own clients.
Shared drives are explored and catalogued. Client files, HR records, contracts, accounts, IP — everything identified and staged for exfiltration or encryption.
Attackers locate and access your backups. Cloud backup credentials are stolen. Local shadow copies are deleted. This is what makes recovery so expensive — and sometimes impossible.
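Deleting local shadow copies and disabling Windows recovery is the single most reliable precursor of ransomware deployment, and it leaves a trace in process-creation logs (Security event 4688 with command-line auditing enabled, or Sysmon event 1). The following is an added example for this briefing, not code from the deck or from any vendor: it runs a small set of command-line rules over constructed process events and escalates a host where several distinct backup-tampering techniques appear together. Event field names, hostnames and the severity thresholds are assumptions.

```python
"""Detect backup and shadow-copy tampering in process-creation events.
Added example for this briefing, not code from the original deck."""
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
# Hostnames, users and field names are assumptions for the example.
EVENTS = [
    {"host": "FIN-PC-03", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "FIN-PC-03", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin list shadows"},
    {"host": "SRV-FILE-01", "user": "CORP\\Administrator",
     "cmdline": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"host": "SRV-FILE-01", "user": "CORP\\Administrator",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV-FILE-01", "user": "CORP\\Administrator",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "SRV-FILE-01", "user": "CORP\\Administrator",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "HR-PC-07", "user": "CORP\\jsmith",
     "cmdline": "powershell -nop -w hidden -c \"Get-WmiObject Win32_Shadowcopy "
                "| ForEach-Object { $_.Delete() }\""},
]

# Case-insensitive rules for the tampering commands ransomware crews actually use.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
]


def normalise(cmdline):
    """Collapse the extra whitespace attackers use to dodge naive string matches."""
    return " ".join(cmdline.split())


def detect(events, rules=RULES):
    """Return one alert per event that matches a rule (first matching rule wins)."""
    alerts = []
    for e in events:
        cmd = normalise(e["cmdline"])
        for name, rx in rules:
            if rx.search(cmd):
                alerts.append({"rule": name, "host": e["host"], "user": e["user"], "cmdline": cmd})
                break
    return alerts


def triage(alerts, critical_at=2):
    """Summarise per host. Two or more distinct techniques on one host is the
    classic pre-encryption pattern and is escalated to critical; a single hit is
    still high, because outside scheduled backup jobs it is rarely legitimate."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["host"], {"rules": set(), "users": set()})
        s["rules"].add(a["rule"])
        s["users"].add(a["user"])
    for s in summary.values():
        s["severity"] = "critical" if len(s["rules"]) >= critical_at else "high"
    return summary


if __name__ == "__main__":
    for host, s in triage(detect(EVENTS)).items():
        print(host, s["severity"], sorted(s["rules"]), sorted(s["users"]))
```

The backup service account creating and listing shadow copies on FIN-PC-03 produces no alert; the same binary deleting them does. In production the rule set belongs in the EDR or SIEM rather than a script, and the legitimate backup account and host should be allow-listed explicitly so the alert stays actionable.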
With your email compromised, attackers impersonate you to clients and suppliers. Payment redirections. Fraudulent invoices. Relationship damage that is often harder to recover from than the ransomware.
Average attacker dwell in an SME network: 47 days before acting. They time the attack for maximum damage — payroll day, year end, your busiest season.
Before acting, the attacker creates multiple routes back in. Removing one does not remove them all. Without specialist forensic work, you cannot be certain the attacker has been fully evicted.
Most SMEs discover a breach when the ransomware screen appears or a client calls to say their bank details have been changed. By that point the damage is already there.
What is taken: Client personal data (names, addresses) · financial records · client contracts and your pricing · bank credentials · staff personal data (NI, salary, DOB) · supplier lists.
How it leaves: Encrypted archives over normal HTTPS · cloud storage (Mega, Dropbox, OneDrive) · small packets via DNS tunnelling · over days and weeks · via your own compromised cloud backup credentials.
What follows: Ransomware encrypts files and backups · double-extortion: pay or we publish · ICO 72-hour clock starts the moment you become aware · client notification obligation triggered · invoice fraud against your clients · reputation damage begins online.
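DNS tunnelling works because almost nobody looks at outbound DNS, yet the traffic it produces looks nothing like normal browsing: hundreds of never-repeated, long, high-entropy subdomains under one parent domain. The following is an added example for this briefing (not code from the deck or from any product) that profiles constructed resolver log lines per parent domain and flags the domain that shows all three traits together. The log format, the benign domains and the small list of UK multi-label suffixes standing in for the Public Suffix List are assumptions; the simulated tunnel base32-encodes a pseudo-random payload into 50-character labels, one chunk per TXT query, the way dnscat2/iodine-style tools do.

```python
"""DNS tunnelling detection over constructed resolver log lines.
Added example for this briefing, not code from the original deck."""
import base64
import hashlib
import math
from collections import defaultdict

# Stand-in for the Public Suffix List, sufficient for this example only.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "me.uk", "ltd.uk", "plc.uk"}


def split_domain(qname):
    """Return (parent domain, subdomain part) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) <= n:
        return qname.lower(), ""
    return ".".join(labels[-n:]), ".".join(labels[:-n])


def shannon_entropy(s):
    """Bits per character; encoded payload scores far above human-chosen names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_line(line):
    """Constructed format: '<timestamp> <client ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname}


def profile(lines):
    """Aggregate per parent domain the traits tunnelling tools cannot avoid."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": [],
                                 "longest_label": [], "rare_types": 0})
    for rec in map(parse_line, lines):
        parent, sub = split_domain(rec["qname"])
        s = stats[parent]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"].append(shannon_entropy(sub.replace(".", "")))
        s["longest_label"].append(max((len(l) for l in sub.split(".")), default=0))
        if rec["qtype"] in {"TXT", "NULL"}:
            s["rare_types"] += 1
    return stats


def score(stats, min_unique=20, min_entropy=3.8, min_label=30):
    """Flag a parent domain only when all three traits co-occur: many unique
    subdomains, high average entropy and long labels. Each alone is common
    (CDNs, DKIM lookups); together they are rare. Thresholds are assumptions."""
    flagged = {}
    for parent, s in stats.items():
        unique = len(s["subdomains"])
        avg_ent = sum(s["entropy"]) / s["queries"]
        avg_len = sum(s["longest_label"]) / s["queries"]
        if unique >= min_unique and avg_ent >= min_entropy and avg_len >= min_label:
            flagged[parent] = {"unique_subdomains": unique, "avg_entropy": round(avg_ent, 2),
                               "avg_longest_label": round(avg_len, 1),
                               "txt_or_null_fraction": round(s["rare_types"] / s["queries"], 2)}
    return flagged


def constructed_log():
    """Benign office traffic plus a simulated tunnel. Constructed data, not a capture."""
    lines = []
    benign = ["www.bbc.co.uk", "news.bbc.co.uk", "login.microsoftonline.com",
              "outlook.office365.com", "graph.microsoft.com", "www.gov.uk", "ico.org.uk",
              "teams.microsoft.com", "update.microsoft.com"]
    for i, name in enumerate(benign * 3):
        lines.append(f"2024-05-20T10:00:{i:02d}Z 10.0.0.23 A {name}")
    # Pseudo-random payload (1280 bytes), base32-encoded, 50 characters per label.
    payload = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(40))
    encoded = base64.b32encode(payload).decode().rstrip("=").lower()
    chunks = [encoded[i:i + 50] for i in range(0, len(encoded), 50)]
    for seq, chunk in enumerate(chunks):
        lines.append(f"2024-05-20T10:01:{seq % 60:02d}Z 10.0.0.44 TXT {seq}.{chunk}.t.exfil-example.net")
    return lines


if __name__ == "__main__":
    for parent, info in score(profile(constructed_log())).items():
        print(parent, info)
```

Only exfil-example.net is flagged; bbc.co.uk and microsoft.com have a handful of short, low-entropy subdomains each. The same statistics, computed from the resolver or firewall DNS logs an SME already has, are what a managed detection service would watch for.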
"A member of staff tried to open a client file on a Monday morning. Every file had a padlock on it. She thought she had done something wrong."
An untested control is not a control. If you do not know when you are under attack, you cannot respond. Detection is not optional.
"Nobody knew who to call first — the IT company, the insurer, or the bank? Those first two hours were wasted on that question alone."
"The backup we thought would save us had been encrypted too. Three weeks of client work, accounts, and project files was simply gone."
Partial restore from 3-week-old offline backup. Significant work lost. Staff spent three weeks manually reconstructing client records from email history. One client threatened legal action over a missed deadline.
Full forensic imaging of all 38 endpoints and 3 servers. Patient zero: a phishing email to an accounts payable staff member. Attack path fully mapped. Total dwell: 54 days.
1,840 client records confirmed as accessed. 38 staff records (salary, NI, addresses) exposed. Client contract and pricing data exfiltrated. No card data — all tokenised.
Multiple back-doors found and removed. Domain credentials rotated. Endpoints rebuilt. Cloud accounts re-provisioned. No assumption that the attacker was "done."
"We had 72 hours to notify the ICO. We spent the first 24 hours trying to understand what had been taken. We nearly missed the deadline."
| OBLIGATION | DEADLINE | REQUIREMENT | LEGAL COST |
|---|---|---|---|
| ICO (GDPR Art. 33) | 72 hours from becoming aware | Mandatory unless the breach is unlikely to result in a risk to individuals. A late notification must state the reasons for the delay, and delay escalates penalties significantly. | £3,200 |
| ICO (GDPR Art. 34) | Without undue delay | Individual notification to 1,840 data subjects where risk is high. Letters, FAQ, dedicated response channel required. | £4,800 |
| Cyber insurer | Immediate | Policy condition. Delay can void coverage. Approved IR firm must be engaged through the policy. | £0 (covered) |
| Clients | Reasonable promptness | Contractual and moral obligation. 1,840 clients written to. Letter, FAQ, helpline, credit monitoring offer. | £6,200 |
| Banking / finance | Immediate | Finance credentials potentially accessed. Bank notified to review accounts, freeze if necessary, reissue credentials. | £0 (bank-managed) |
| NCSC reporting | As soon as practicable | Voluntary but strongly encouraged. Access to specialist support and threat intelligence. No enforcement consequence. | £0 |
Total notification cost: £14,200 · zero ICO fines issued — prompt notification and full cooperation were the mitigating factors.
This business had cyber insurance. Without it, the total would have been approx. £180K, around 8.5% of its £2.1M annual turnover.
Five pillars: Identify, Protect, Detect, Respond, Recover. All achievable for any SME. Aligned to the NIST CSF 2.0 functions (the sixth, Govern, sits across all five) and UK Government Cyber Essentials.
IDENTIFY: Asset register of every device. Data audit (GDPR). Crown jewels mapping. Supplier access review. Know what you have before you protect it.
PROTECT: MFA on email and remote access. Patch management. Staff security awareness. Cyber Essentials certification. Least-privilege access.
DETECT: EDR on all endpoints. Email gateway scanning. NCSC Early Warning (free). Consider managed detection. Test alerts quarterly.
RESPOND: One-page IR plan. Pre-signed retainer with IR firm. ICO notification template. Designate an incident lead. Rehearse once a year.
RECOVER: Immutable offline backups. Test restore monthly. Business continuity plan. Cyber insurance with IR access. Define RTO and RPO.
Cyber Essentials certification starts from £300. NCSC Small Business Guide is free. These are the starting points, not the destination.
Good intentions do not protect businesses. Decisions do. Here's where to start — before the end of this week.
The UK Government and NCSC provide world-class, free guidance for small businesses. No excuse not to start today.
Government-backed certification designed to stop around 80% of the most common attacks. From £300. Often reduces cyber insurance premiums. Start here.
Free, practical, no-jargon guidance on passwords, backups, phishing, devices, updates. Written for non-technical business owners.
Free service notifying you when your IPs or domains appear in threat intel feeds. Sign up today — takes 10 minutes.
Check if your staff email addresses appear in known data breaches. Free. Run every address in your business. 30 seconds each.
Free GDPR guidance for small businesses. Breach notification templates, decision tools, a self-assessment checklist.
Report cyber crime and fraud. Specialist investigation support. Report BEC, ransomware, and phishing incidents here. Always report.