Cyber Security

Top 10 Cybersecurity Risks Facing Small Businesses in 2026

A plain-English risk register for small businesses in 2026, covering phishing, ransomware, unmanaged devices, Microsoft 365, supplier access and baseline gaps.


Published:

Cyber security risk is not just about hackers, malware or technical tools.

For a small business, cyber risk usually shows up as something more practical:

  • Lost access to email or files.

  • Interrupted operations.

  • Payment fraud.

  • Customer concern.

  • Insurance questions.

  • Weak evidence when someone asks what is protected.

  • Uncertainty about whether backup or recovery will work.

The UK Cyber Security Breaches Survey 2025/26 found that 43% of businesses identified a cyber breach or attack in the previous 12 months. Phishing affected 38% of businesses overall and 88% of businesses that identified a breach or attack. Impersonation affected 12% of businesses overall, while ransomware affected 1% overall.

Those figures show that the most visible risks are often familiar. The issue is whether the business has maintained baseline conditions that reduce exposure.

This article is not a scare list. It is a plain-English risk register for owner-managed SMEs that want to know where to look first.

A risk register for SMEs, not a scare list

A risk is not just a threat.

A risk is a business exposure.

For example, phishing is a threat. The business risk is that a staff account gives someone access to email, files, finance conversations, customer data or cloud systems.

Ransomware is a threat. The business risk is downtime, recovery pressure, inaccessible data and customer confidence loss.

An unmanaged laptop is not dramatic. But if it can access Microsoft 365 without the same controls as every other device, it becomes part of the exposure.

The most important cyber security risks for small businesses in 2026 are usually the places where baseline conditions are missing, unclear or not maintained.

1. Phishing and credential theft

Phishing remains the most common visible cyber attack affecting UK businesses.

For SMEs, the exposure is simple: staff accounts become the route into email, files, systems or customer data.

A successful phishing attack may allow an attacker to:

  • Read or forward emails.

  • Access shared files.

  • Reset passwords.

  • Impersonate a member of staff.

  • Monitor supplier or finance conversations.

  • Use the account to target others.

The missing baseline condition is usually a combination of weak account protection, limited monitoring and inconsistent staff awareness.

At minimum, the business should know whether multi-factor authentication is enforced on every cloud account (not merely available), whether legacy mail protocols that cannot complete an MFA challenge, such as IMAP, POP and SMTP AUTH, are blocked, whether Microsoft 365 and other cloud sign-in activity is actually reviewed by someone, whether email security settings are maintained, and whether staff know how to report suspicious messages.

First question to ask: Are all staff cloud accounts protected with MFA where available, and do we know who is reviewing suspicious sign-in activity?
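The "who is reviewing suspicious sign-in activity" question is easier to answer when the review is a repeatable check rather than someone scrolling the Entra sign-in log. The following is an added example written for this article, not code from Infinite Cloud IT or from Microsoft: it takes sign-in records shaped like the Microsoft Graph signIn resource (an assumption; only the fields it uses are modelled) and flags the four patterns that most often sit behind a phished account: a success without MFA, a legacy protocol that cannot do MFA, a jump between countries inside two hours, and a success that follows a burst of failed logins. The records in SAMPLE_SIGNINS are constructed test data, not real log output.

```python
"""Triage Microsoft 365 (Entra ID) sign-in records for the patterns behind
phishing and credential theft.

Added example. Records are shaped like the Microsoft Graph signIn resource
(assumption: only the fields used here are modelled). SAMPLE_SIGNINS is
constructed test data, not real log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that cannot complete an MFA challenge; Conditional Access should block them.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}
RAPID_TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is suspect
FAILURE_BURST = 5                          # this many failures ...
FAILURE_WINDOW = timedelta(minutes=10)     # ... inside this window, then a success


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_signins(records):
    """Return (user, finding, detail) tuples, one per suspicious observation."""
    findings = []
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"].lower()].append(rec)

    for upn, events in by_user.items():
        last_success = None     # (time, country) of the previous successful sign-in
        recent_failures = []    # timestamps of failures since the last success
        for rec in events:
            when = _ts(rec["createdDateTime"])
            if rec["status"]["errorCode"] != 0:
                recent_failures.append(when)
                continue
            client = rec.get("clientAppUsed", "")
            country = rec["location"]["countryOrRegion"]
            if rec.get("authenticationRequirement") == "singleFactorAuthentication":
                findings.append((upn, "success-without-mfa", f"{rec['ipAddress']} via {client}"))
            if client in LEGACY_CLIENTS:
                findings.append((upn, "legacy-auth", client))
            if (last_success and country != last_success[1]
                    and when - last_success[0] <= RAPID_TRAVEL_WINDOW):
                findings.append((upn, "rapid-country-change",
                                 f"{last_success[1]} -> {country} in {when - last_success[0]}"))
            burst = [t for t in recent_failures if when - t <= FAILURE_WINDOW]
            if len(burst) >= FAILURE_BURST:
                findings.append((upn, "success-after-failure-burst",
                                 f"{len(burst)} failures in the previous {FAILURE_WINDOW}"))
            last_success = (when, country)
            recent_failures = []
    return findings


def _rec(upn, when, ok, ip, client, auth, country):
    """Build one constructed sign-in record in Graph-like shape."""
    return {"userPrincipalName": upn, "createdDateTime": when,
            "status": {"errorCode": 0 if ok else 50126},   # 50126: invalid username or password
            "ipAddress": ip, "clientAppUsed": client,
            "authenticationRequirement": auth,
            "location": {"countryOrRegion": country}}


MFA, PWD = "multiFactorAuthentication", "singleFactorAuthentication"
SAMPLE_SIGNINS = [  # constructed sample data
    _rec("alice@example.com", "2026-03-02T09:00:00Z", True, "203.0.113.10", "Browser", MFA, "GB"),
    _rec("alice@example.com", "2026-03-02T10:15:00Z", True, "198.51.100.7", "Browser", PWD, "NG"),
    *[_rec("bob@example.com", f"2026-03-02T08:0{i}:00Z", False, "192.0.2.44", "Browser", PWD, "GB")
      for i in range(5)],
    _rec("bob@example.com", "2026-03-02T08:06:00Z", True, "192.0.2.44", "Browser", MFA, "GB"),
    _rec("carol@example.com", "2026-03-02T07:30:00Z", True, "203.0.113.22", "IMAP4", PWD, "GB"),
    _rec("dan@example.com", "2026-03-02T09:05:00Z", True, "203.0.113.10", "Browser", MFA, "GB"),
]

if __name__ == "__main__":
    for user, kind, detail in triage_signins(SAMPLE_SIGNINS):
        print(f"{user:24} {kind:28} {detail}")
```

Run against the sample, it reports five findings across alice, bob and carol and nothing for dan, whose single MFA sign-in from the usual country is normal. The same function can be pointed at a real export of the sign-in log; what matters for the baseline is that someone owns running it and acting on the output.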

2. Email impersonation and payment redirection

Impersonation is especially dangerous because it often looks like ordinary business.

A supplier asks for bank details to be changed. A director appears to request an urgent payment. A customer conversation is copied. A finance process is pressured.

The exposure is not only technical. It is operational.

If payment-change processes rely on trust, speed or email alone, a convincing message can create a real financial risk.

The missing baseline condition is usually weak mailbox security, unclear payment-change verification, poor finance controls, or old accounts that should have been removed.

This is where cyber security and business process overlap. Better email security helps, but so does a clear rule that payment changes must be verified using a known channel outside the original email thread: a call back to a phone number already held on file for that supplier, never a number or link supplied in the message requesting the change.

First question to ask: Do we have a clear payment-change verification process that does not rely on email alone?

3. Ransomware disruption

Ransomware appeared at a lower frequency than phishing in the 2025/26 GOV.UK survey, affecting 1% of businesses overall. But the operational impact can be severe.

The exposure is downtime.

An SME may face:

  • Inaccessible files.

  • Interrupted customer service.

  • Staff unable to work.

  • Pressure to recover quickly.

  • Uncertainty over what data is affected.

  • Reputational concern.

  • Supplier or customer questions.

The missing baseline condition is usually weak patching, unsupported software, poor endpoint protection, excessive admin access, unclear backup coverage or untested recovery.

The important question is not only “Could ransomware happen?” It is “Could we restore the systems and data we rely on?”

First question to ask: Do we know what is backed up, how often it is backed up, and when recovery was last tested?

4. Unmanaged or secondary devices

Many SMEs have devices that sit outside the normal IT picture.

Examples include:

  • Old laptops still used by directors.

  • Personal devices used to access Microsoft 365.

  • Unmanaged phones.

  • Spare machines.

  • Contractor devices.

  • Home PCs used occasionally.

  • Devices kept after staff role changes.

The exposure is that business data can be accessed from devices without the same security, patching, malware protection or management controls.

This is not just a device issue. It becomes a Microsoft 365 and cloud access issue.

The missing baseline condition is a known device inventory, compliance rules, supported software, clear access policy and no long-term unmanaged devices in scope. In Microsoft 365 terms that usually means a Conditional Access policy that only grants access from devices enrolled and marked compliant in Intune, so that an unknown laptop cannot simply sign in with a password.

For a small business, unmanaged devices are often the result of convenience. Over time, convenience becomes drift.

First question to ask: Can we list every device that can access business email, files or systems, and do we know whether each one is managed?

5. Excessive admin access

Admin access is powerful. That is why it needs discipline.

The exposure is that one compromised privileged account can cause disproportionate damage.

It may allow an attacker to:

  • Create new users.

  • Change security settings.

  • Access mailboxes.

  • Disable protections.

  • Install software.

  • Change backup or retention settings.

  • Escalate further into the environment.

The missing baseline condition is usually least privilege, separate admin accounts, admin review, and removal of unnecessary admin rights.

In many SMEs, admin access accumulates quietly. Someone needed it once. A supplier was given it. A director kept it. A previous provider set it up. Nobody reviewed it.

First question to ask: Who has administrator access today, why do they need it, and when was that last reviewed?

If you are unsure whether users, devices or admin accounts are under control, start by getting the baseline into view.

Book a Security Triage Call

6. Leaver and access-removal failures

Leavers are one of the simplest areas to overlook.

The exposure is that ex-staff, old contractors, previous suppliers or unused accounts retain access after they no longer need it.

That access may include:

  • Email.

  • Shared files.

  • Cloud applications.

  • Finance systems.

  • Customer records.

  • Supplier portals.

  • Remote access.

  • Admin rights.

The missing baseline condition is a joiner/leaver workflow, account reviews, disabled accounts, and ownership of role changes.

This is not only about bad intent. Dormant accounts can also be compromised because nobody is watching them.

For SMEs with small teams, access removal can feel informal. But informal processes are hard to evidence when a customer, insurer or auditor asks.

First question to ask: When someone leaves, who is responsible for removing every account and device access they had?

7. Unsupported software and patch drift

Unsupported software and patch drift create exposure because known vulnerabilities stay open.

This can include:

  • Old operating systems.

  • Outdated applications.

  • Unpatched browsers.

  • Unsupported routers or firewalls.

  • Old line-of-business software.

  • Devices no longer receiving updates.

  • Inconsistent update routines.

The NCSC’s May 2026 patch-wave warning highlighted active exploitation affecting multiple major technology vendors and reinforced the need for update-by-default thinking.

For SMEs, the practical lesson is not to track every vulnerability headline manually. It is to have clear ownership of supported systems and patching.

The missing baseline condition is software inventory, update ownership, supported systems and a maintained patching process.

First question to ask: Do we know which devices, applications and network equipment are unsupported or not patching reliably?

8. False confidence in Microsoft 365 backup

Microsoft 365 is central to many SMEs. It may hold email, calendars, Teams chats, SharePoint files, OneDrive data and business documents.

The exposure is assuming that because data is in Microsoft 365, data protection and recovery are fully understood.

Microsoft’s shared-responsibility model makes clear that customers retain responsibility for their data, identities, endpoints, accounts and access management. Microsoft also states that Microsoft 365 customers are responsible for data management and protection, including recovery from customer-side events such as ransomware or mistaken deletion.

That does not mean every business needs the same backup setup. It does mean the decision cannot be assumed.

The missing baseline condition is defined backup coverage, a third-party or native backup decision, retention clarity and restore testing.

First question to ask: If a user deletes critical files, a mailbox is compromised, or ransomware affects synced data, what can we restore and how do we know?

For more detail, the Backup & Business Continuity hub explains why backup and recovery need to be treated as part of the operating baseline, not as an afterthought.
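Sections 3 and 8 both end on the same question: what can we restore, and how do we know? The following is an added example written for this article, not code from Infinite Cloud IT or from any backup vendor. It models the restore test generically: a manifest of relative path, SHA-256 and size is written at backup time, a restored copy is verified against it, and the age of the latest backup and of the last restore test are compared with policy. Microsoft 365 backup products keep their own catalogues rather than this manifest format (an assumption here), but the evidence they need to produce is the same. The files created inside demo() are constructed sample data.

```python
"""Evidence for a restore test: verify files restored from backup against the
manifest written at backup time, then check backup age and test age against
policy.

Added example. Models the check generically (manifest of path -> SHA-256 and
size), not any backup product's API. The files in demo() are constructed.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, taken_at):
    """Record every file under root (relative POSIX path -> hash and size)."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_restore(manifest, restore_root):
    """Compare a restored tree with the manifest; anything not 'ok' is a failed restore."""
    root = Path(restore_root)
    result = {"ok": [], "missing": [], "mismatched": []}
    for rel, expected in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def check_policy(manifest, last_restore_test, now, max_backup_age, max_test_age):
    """Return policy breaches: latest backup older than allowed, or restore test overdue."""
    issues = []
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    if now - taken_at > max_backup_age:
        issues.append(f"latest backup is {now - taken_at} old, policy allows {max_backup_age}")
    if last_restore_test is None or now - last_restore_test > max_test_age:
        issues.append("restore test overdue" if last_restore_test else "restore never tested")
    return issues


def demo():
    """Back up a small tree, then restore it with one file missing and one corrupted."""
    now = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    sample = {  # constructed sample files
        "invoices/2026-01.csv": b"id,amount\n1,100\n",
        "invoices/2026-02.csv": b"id,amount\n2,250\n",
        "contracts/msa.docx": b"PK\x03\x04 placeholder docx bytes",
        "staff/leavers.xlsx": b"PK\x03\x04 placeholder xlsx bytes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for rel, data in sample.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        manifest = build_manifest(source, taken_at=now - timedelta(hours=31))
        shutil.copytree(source, restored)
        (restored / "invoices/2026-02.csv").unlink()                 # a file the restore did not bring back
        (restored / "contracts/msa.docx").write_bytes(b"truncated")  # silent corruption
        result = verify_restore(manifest, restored)
    issues = check_policy(manifest, last_restore_test=now - timedelta(days=200), now=now,
                          max_backup_age=timedelta(hours=24), max_test_age=timedelta(days=180))
    return result, issues


if __name__ == "__main__":
    result, issues = demo()
    print(result)
    print(issues)
```

The demo deliberately produces a failed test: one file is missing from the restore, one has been silently changed, the latest backup is older than the 24-hour policy and the last restore test is more than 180 days old. A restore test that only checks "the job reported success" would have missed all four.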

9. Supplier and third-party access blind spots

Suppliers often need access to systems, data or portals. So do contractors, outsourced finance teams, software providers, consultants and support partners.

The exposure is that risk enters through accounts, integrations and shared data outside the direct employee team.

The GOV.UK Cyber Security Breaches Survey 2025/26 found that only 15% of businesses reviewed the cyber security risks posed by their immediate suppliers, and only 6% reviewed risks in the wider supply chain.

For SMEs, this does not need to become a complex procurement programme. But supplier access should not be invisible.

The missing baseline condition is supplier access review, named owners, MFA where available, least privilege and removal of access when no longer required.

First question to ask: Which suppliers, contractors or third parties can access our systems or data, and who owns that access?
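Sections 5, 6 and 9 each ask a question that is answered from the same data: who holds admin roles, which enabled accounts nobody uses any more, and which external guests still have access. The following is an added example written for this article, not code from Infinite Cloud IT or from Microsoft. It takes inputs shaped like Microsoft Graph resources (an assumption; only the fields it uses are modelled): a user list with signInActivity, a mapping of directory role to members, and the set of accounts that have registered MFA. The treatment of a licensed account holding an admin role as "a daily-use account, not a separate admin identity" is a heuristic, labelled as such in the code. All sample data is constructed.

```python
"""Baseline access review over a Microsoft 365 tenant export: admin sprawl,
dormant accounts that should have been removed at leaving, and third-party
guest access that nobody owns.

Added example. Inputs are shaped like Microsoft Graph resources (assumption:
only the fields used here are modelled). All sample data is constructed.
"""
from datetime import datetime, timezone

DORMANT_MEMBER_DAYS = 90   # an enabled member account idle this long is a likely leaver
DORMANT_GUEST_DAYS = 30    # supplier/contractor guests should be short-lived
MAX_GLOBAL_ADMINS = 4      # Microsoft's guidance is fewer than five Global Administrators


def _last_signin(user):
    value = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def review_access(users, role_members, mfa_registered, now):
    """Return (account, finding, detail) tuples for the tenant state given."""
    findings = []
    admins = {upn.lower() for members in role_members.values() for upn in members}
    mfa = {upn.lower() for upn in mfa_registered}

    for user in users:
        upn = user["userPrincipalName"].lower()
        if not user.get("accountEnabled", True):
            continue   # disabled is the desired end state for a leaver; nothing to flag
        is_guest = user.get("userType") == "Guest"
        last = _last_signin(user)
        idle_days = (now - last).days if last else None
        limit = DORMANT_GUEST_DAYS if is_guest else DORMANT_MEMBER_DAYS
        if idle_days is None or idle_days > limit:
            findings.append((upn, "dormant-enabled",
                             "never signed in" if idle_days is None else f"idle {idle_days} days"))
        if upn in admins:
            if upn not in mfa:
                findings.append((upn, "admin-without-mfa", ""))
            if is_guest:
                findings.append((upn, "guest-with-admin-role", ""))
            if user.get("assignedLicenses"):
                # Heuristic (assumption): a licensed, mailbox-bearing account that holds an
                # admin role is a daily-use account, not a separate admin identity.
                findings.append((upn, "admin-on-daily-use-account", ""))

    global_admins = role_members.get("Global Administrator", [])
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(("tenant", "too-many-global-admins", f"{len(global_admins)} members"))
    return findings


def _user(upn, last, *, enabled=True, guest=False, licensed=False):
    """Build one constructed user record in Graph-like shape."""
    return {"userPrincipalName": upn, "accountEnabled": enabled,
            "userType": "Guest" if guest else "Member",
            "signInActivity": {"lastSignInDateTime": last} if last else None,
            "assignedLicenses": [{"skuId": "example-sku"}] if licensed else []}


NOW = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [  # constructed sample data
    _user("alice@example.com", "2026-02-28T10:00:00Z", licensed=True),
    _user("adm-alice@example.com", "2026-03-01T08:00:00Z"),
    _user("bob@example.com", "2025-10-01T08:00:00Z", licensed=True),
    _user("carol@example.com", "2025-06-01T08:00:00Z", enabled=False, licensed=True),
    _user("support@oldmsp.example", "2025-01-15T12:00:00Z", guest=True),
    _user("accounts@bookkeeper.example", "2026-02-20T16:00:00Z", guest=True),
    _user("svc-backup@example.com", None),
    _user("dan@example.com", "2026-03-01T09:30:00Z", licensed=True),
]
SAMPLE_ROLE_MEMBERS = {
    "Global Administrator": ["alice@example.com", "adm-alice@example.com",
                             "support@oldmsp.example", "svc-backup@example.com",
                             "dan@example.com"],
    "Exchange Administrator": ["adm-alice@example.com"],
}
SAMPLE_MFA_REGISTERED = ["alice@example.com", "adm-alice@example.com",
                         "bob@example.com", "dan@example.com"]

if __name__ == "__main__":
    for account, kind, detail in review_access(SAMPLE_USERS, SAMPLE_ROLE_MEMBERS,
                                               SAMPLE_MFA_REGISTERED, NOW):
        print(f"{account:30} {kind:28} {detail}")
```

On the sample tenant the review surfaces the previous IT provider's guest account that still holds Global Administrator without MFA and has not signed in for over a year, a service account that has never signed in yet is a Global Administrator, a licensed user idle for five months who was never disabled, two directors administering from their daily mailboxes, and a Global Administrator count above the recommended limit. The disabled account for carol is not reported, because disabling at leaving is exactly the outcome the review is checking for.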

10. Weak evidence when customers or insurers ask questions

This risk is easy to underestimate.

The business may believe controls are in place, but it cannot prove what is protected, backed up, patched or controlled.

The exposure appears when someone asks:

  • Do you have Cyber Essentials?

  • Are devices managed?

  • Is MFA enabled?

  • Do you have a backup policy?

  • When was recovery last tested?

  • Who has admin access?

  • Are systems patched within a defined period?

  • How do you remove leaver access?

  • What cloud services are in scope?

The GOV.UK survey shows a baseline gap. Only 24% of businesses reported having technical controls across all five Cyber Essentials areas. Only 5% reported Cyber Essentials certification, and 2% reported Cyber Essentials Plus.

The missing baseline condition is documentation, review cadence, named ownership and Cyber Essentials-style evidence.

The risk is not only whether the control exists. It is whether the business can show the control exists when asked.

First question to ask: Could we evidence our users, devices, backup, patching, access controls and Microsoft 365 security without relying on assumptions?

Risk summary table

Risk | Missing baseline condition | First question to ask
---- | -------------------------- | ---------------------
Phishing and credential theft | MFA, account monitoring, secure email, staff awareness | Are all cloud accounts protected and monitored?
Email impersonation and payment redirection | Mailbox controls, finance verification, payment-change process | Do payment changes require verification outside email?
Ransomware disruption | Patching, endpoint protection, backup, restore testing | Do we know what we can restore and when it was last tested?
Unmanaged or secondary devices | Device inventory, compliance rules, access policy | Can we list every device accessing business data?
Excessive admin access | Separate admin accounts, least privilege, admin review | Who has admin rights and why?
Leaver and access-removal failures | Joiner/leaver workflow, account reviews | Who removes all access when someone leaves?
Unsupported software and patch drift | Software inventory, update ownership, supported systems | Which systems are unsupported or inconsistently patched?
False confidence in Microsoft 365 backup | Defined backup coverage, retention, restore testing | What can we restore from Microsoft 365 and how do we know?
Supplier access blind spots | Supplier access review, named owners, MFA | Which third parties still have access?
Weak evidence | Documentation, review cadence, Cyber Essentials-style evidence | Could we prove our baseline controls if asked?

What this means for small businesses in 2026

The main cyber security risks facing small businesses are not always exotic.

They are often practical failures of ownership, maintenance and evidence.

A business may have Microsoft 365, antivirus, a firewall and an IT supplier, but still lack a maintained baseline across users, devices, patching, malware protection, backup and cloud services.

That is the real risk.

The answer is not to chase every headline or buy tools in isolation. It is to make the baseline clear, reviewed and enforced.

For owner-managed SMEs in Sussex and Kent using Microsoft 365, Infinite Cloud IT helps bring that baseline into view through a Security Triage Call and, where appropriate, a deeper Security Baseline Review.

No baseline can remove risk completely.

But a maintained baseline can reduce avoidable exposure and give the business clearer answers when customers, insurers, suppliers or staff ask, “How do we know this is under control?”

Book a Security Triage Call

Download CE-baseline Checklist

More resources

Keep reading

Browse the latest practical guides across Managed IT, Cyber Security, Modern Workplace, and Backup


For 10-15 seat owner-managed SMEs in Sussex & Kent who want clarity, stability, and a proper security baseline: start with the free Security Triage Call.
