The UK government announced a new initiative aimed at strengthening cyber resilience among enterprises, particularly small businesses.
The Cyber Essentials checklist, which urges small and medium enterprises (SMEs) to “lock the door” on cyber criminals, comes as SMEs are increasingly targeted, with half of all small businesses having suffered a cyber attack or breach in the last 12 months.
Data from Yubico’s 2025 Global State of Authentication Report supports the finding that SMEs are firmly in the crosshairs of cyber criminals. According to the report, small businesses are facing a new wave of vulnerability, driven by a lack of resources and dangerous misconceptions about their appeal to attackers.
Key findings regarding the small business threat landscape include:
- The training gap: A staggering 57 percent of employees at small businesses (1-99 staff) received no cybersecurity training in 2025, leaving them defenceless against AI-driven social engineering
- The MFA lag: Despite the rise in credential theft, only 36 percent of small business employees reported that their company uses multi-factor authentication (MFA) across all applications
Niall McConachie, regional director (UK & Ireland) at Yubico, comments on the risks facing small businesses and the protections these firms must act now to implement.
Niall said, “Small businesses are currently operating under a dangerous misconception: believing they’re too small a target for attackers. In the age of AI-driven cyber crime, automated tools target all employees and businesses the same. Every unsecured entry point is a target, and our data confirms that SMEs are leaving the front door wide open by neglecting basic training and not implementing multi-factor authentication (MFA).
“For small businesses – which represent the backbone of our economy – the key to ensuring resilience against cyber threats is the widespread adoption of enterprise-grade security. We need to abandon the idea that robust authentication is ‘too expensive’ or ‘too complex’ for smaller teams. In reality, it’s too expensive not to protect systems and data. Implementing phishing-resistant MFA, such as device-bound passkeys like hardware security keys, is the only scalable way to level the playing field and immunise small businesses against the commercialised threat landscape they now face.”



