– Gareth Shaw, MD Pera Prometheus
Have you ever thought that “it won’t happen to me” when it comes to cyberattacks? In 2024-25, UK businesses are being hit harder than ever. The UK Government’s Cyber Security Breaches Survey 2025 found that phishing remains the most common cyber crime, with an estimated 8.58 million cyber crimes affecting businesses over the past year. If you’re running a small firm in Manchester or a defence contractor in London, you’ve probably heard the same old reassurances about cybersecurity. You know, the ones that make you think, “We’re too small to worry” or “Our antivirus has got this.” But let me tell you, in today’s fast-moving digital world, those ideas can leave you wide open to disaster.
Just last year, a ransomware attack hit the Co-op Group, one of the UK’s major retailers, disrupting operations and forcing them to take systems offline after hackers stole customer data. Stories like that aren’t rare. According to the Cyber Security Breaches Survey 2025 from the UK government, 43% of businesses experienced a cyber breach or attack in the past year, down slightly from 50% the year before, but still affecting hundreds of thousands of firms. That’s over 612,000 UK businesses hit, with phishing leading the pack at 84% of cases. And for small and medium enterprises (SMEs), the stakes are higher than ever, with ransomware doubling to affect 1% of businesses: around 19,000 organisations facing demands for cash to unlock their data.
Why does this matter? Because debunking these cybersecurity myths isn’t just about scaremongering; it’s about empowering you to protect what you’ve built. When myths lead to complacency, it’s your business, your clients, and possibly national security (in the case of defence supply chain partners) that are at risk.
In this blog, I’ll endeavour to bust four common cybersecurity myths that are putting UK business cybersecurity at risk, share real stats, and give you straightforward steps towards modern cybersecurity solutions.
Myth 1: Small and Medium Businesses Aren’t Targets for Cyberattacks
Have you ever thought your small business isn’t worth a hacker’s time? I hear this all the time from clients – “We’re just a local supplier with 20 staff, why would anyone bother?” It makes sense on the surface. Big names like banks or government agencies grab the headlines as they are ‘obvious’ targets, so it’s easy to assume SMEs fly under the radar. But here’s the truth: cybercriminals love easy wins that can be used as a stepping stone to bigger fish, and smaller businesses often provide just that: an initial opening into higher-value targets.
According to Verizon’s 2025 Data Breach Investigations Report, small and medium businesses (SMBs) are targeted nearly four times more often than large organisations. Why? Because you’re seen as low-hanging fruit: fewer resources for sophisticated defences, and quicker payouts if ransomware hits.
In 2024, KNP Logistics, a Northamptonshire-based transport firm with around 700 employees, was hit by the Akira ransomware group after attackers guessed a weak password. The attack encrypted critical data, and despite paying the ransom, the company was unable to recover, leading to its closure after 158 years in business.
So, how do you flip this? First, start with the essentials of cybersecurity for SMEs and roll out regular employee training: it can massively reduce the success rate of phishing attacks, and it raises general awareness that supports the development of your business security culture. Second, implement multi-factor authentication (MFA) on all accounts. This is a game-changer, blocking 99% of account takeover attempts according to Microsoft statistics that are echoed in NCSC reports. And don’t skip a basic risk assessment; at Pera Prometheus we offer affordable Business Impact Analysis tailored for UK SMEs. Why are small businesses targeted by cyberattacks? Opportunity. But with these steps, you can make yourself a harder one.
Myth 2: Antivirus Software Is Enough to Keep You Safe
Ah, the trusty antivirus, that little icon in your system tray that scans away. Many business owners I chat with have a misconception, “If I’ve got that installed, we’re good.” It’s a comforting myth, born from the early days of computing when viruses were the main baddie. But in 2025, threats have evolved into sophisticated beasts like ransomware and zero-day exploits that slip right past basic scans or disable your antivirus protection.
The NCSC’s Annual Review 2024 highlights that while antivirus is a start, it’s no silver bullet. They dealt with 430 cyber incidents in the year, many bypassing traditional tools because attackers use social engineering or unpatched vulnerabilities. Verizon’s report agrees: in 44% of breaches analysed (over 12,000 cases), ransomware was involved, often starting with something antivirus misses, like a malicious email attachment. Is antivirus enough to protect my business? Short answer: No.
In early 2024, British engineering firm Arup was tricked by a deepfake phishing scam where fraudsters used AI-generated voices and visuals to impersonate executives during a video call, leading to a £20 million bank transfer. Basic antivirus couldn’t detect the social engineering layer.
Modern cybersecurity essentials demand layers. Build a defence-in-depth approach: pair antivirus with endpoint detection and response (EDR) tools that watch for unusual behaviour in real time, and enable automatic updates for all software. Unpatched systems were behind 60% of exploits in Cisco’s 2024 trends. Most importantly, train your team to spot phishing. If you have doubts, contact us for a quick chat about the basic requirements for security; it’s simpler than you think and can be the most important conversation your business has.
Myth 3: Cybersecurity Is Just an IT Department Issue
“Cyber what? That’s for the tech team to handle.” For many, cybersecurity seems like a technical matter: something the IT department handles with software and hardware. Leaders often don’t get involved until something goes wrong, viewing security as a back-office chore rather than a boardroom priority. The myth persists because cyber feels technical and remote, but in truth, breaches often start with a mouse click, not a server glitch.
The UK’s Cyber Security Breaches Survey 2025 reveals that 20% of businesses fell victim to cybercrime, mostly via phishing that tricked staff outside IT. Cisco’s 2025 Readiness Index notes only 3% of organisations are “mature” in cybersecurity, and Verizon’s investigation reports that 68% of the crimes are associated with human error. That is everything from finance paying dodgy invoices to HR sharing unsecured files.
In May 2024, the UK Ministry of Defence’s third-party payroll contractor was hacked, exposing personal data of 270,000 serving personnel, reservists, and veterans. The breach stemmed from a supply chain vulnerability at the contractor, yet the result was the same: sensitive data leaked.
To tackle this, cybersecurity should be everyone’s business. Start from board-level oversight, assign a security champion and review risks quarterly, as per NCSC guidelines. Run company-wide simulations like phishing tests and penetration testing. Integrate security into policies, like secure remote work rules and business impact analysis. It is not just IT, it is your entire team guarding the fort.
Myth 4: Moving to the Cloud Means You’re Automatically Secure
Cloud services are everywhere, promising scalability and backups. Many see cloud providers (AWS, Azure, Google Cloud, etc.) or SaaS solutions as having top-tier security. There’s often a belief that offloading infrastructure to the cloud automatically means security is handled. The myth stems from assuming the provider handles everything, like a full-service hotel. But cloud security is a shared dance, and if you make a wrong step, you’re exposed.
The NCSC’s Cloud Security Shared Responsibility Model clarifies this. Providers secure the infrastructure, but you own your data, access, and configurations. Missteps here led to 15% of breaches via supply chain flaws, according to Verizon’s 2024 data.
In November 2020, a misconfigured AWS S3 bucket owned by UK-based Prestige Software, a hospitality platform serving major booking sites like Expedia and Booking.com, exposed over 10 million guest records, including names, credit card details, and national IDs. The leak, discovered by Website Planet, wasn’t AWS’s fault but rather Prestige’s failure to secure the bucket properly.
To prevent such incidents, follow NCSC’s 14 Cloud Security Principles. Encrypt data in transit and at rest, use least-privilege access, and audit configurations regularly. Tools like Azure Sentinel or AWS GuardDuty offer affordable monitoring for SMEs. UK firms must also ensure GDPR compliance, but in essence, you still have a responsibility to take the right action to stay secure.
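As an added illustration of “audit configurations regularly” (example code written for this article, not a Pera Prometheus or AWS tool), here is a small offline check that flags an S3 bucket policy open to the world, shown beside a least-privilege policy. The bucket name, account ID and role ARN are constructed placeholders, and the Public Access Block flags are assumed to have been fetched separately from the S3 API.

```python
import json

# Constructed sample policy: anonymous read of every object, the kind of misconfiguration that
# exposes a bucket of guest records to the whole internet.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-guest-data/*"}],
})

# Constructed sample policy: the same bucket restricted to one application role (least privilege).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/booking-app"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-guest-data/*"}],
})

PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True when a statement applies to anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_public_statements(policy_json):
    """Sids of unconditional Allow statements that grant access to the world.
    Statements carrying a Condition block are skipped here; review those by hand."""
    policy = json.loads(policy_json)
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow" and "Condition" not in stmt
            and _is_public_principal(stmt.get("Principal"))]

def audit_bucket(policy_json, public_access_block):
    """Combine policy findings with the bucket's four Public Access Block flags (a dict of booleans)."""
    issues = [f"statement '{sid}' allows public access" for sid in find_public_statements(policy_json)]
    issues += [f"{key} is off" for key in PUBLIC_ACCESS_BLOCK_KEYS if not public_access_block.get(key, False)]
    return issues
```

Running `audit_bucket` over every bucket in an account, with policies and Public Access Block settings pulled via the AWS CLI or SDK, turns the principle into a repeatable quarterly check.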
Don’t Let Myths Derail Your Security
There you have it, four cybersecurity myths unpacked, from assuming SMEs are invisible to cyber criminals to relying on cloud magic.
‘Complacency costs, but knowledge empowers’.
Falling for these myths exposes your business to real risk because the threats are real, persistent, and increasing. The good news is that many of the countermeasures are practical, affordable, and scalable, even for smaller businesses or for those in tightly regulated sectors like defence.
You’re not alone: resources from the NCSC and Gov.uk are golden when it comes to guidance, and we’re here too. Let’s make your business security a priority.
Stay Safe, Stay Secure