5 Cybersecurity Myths Small Businesses Still Believe
Every breach starts somewhere. 81% of cyberattacked businesses are SMEs, yet most SMEs still operate under misconceptions that leave them exposed. Here are the myths costing businesses real money.
Myth 1: “We’re Too Small to Be Targeted”
Reality: 81% of cyberattacked businesses are SMEs. Attackers don’t target businesses by name — they scan for vulnerabilities at scale using automated tools. A WordPress website with an unpatched plugin is discoverable and exploitable regardless of whether the business has 5 employees or 5,000.
Attackers use search engines such as shodan.io, plus mass scanners of their own, to find exposed systems by product, version and open port, not by company name. They never check your company size. A vulnerability is a vulnerability. An unpatched CMS is money on the floor, and it gets found.
The data backs this up: 35% of micro-businesses (1–9 employees) reported a cyberattack in 2025. Size doesn’t protect you. Vulnerability does.
Myth 2: “Antivirus Software Is Enough”
Reality: Antivirus is one of five Cyber Essentials controls. It does nothing about phishing emails, weak passwords, unpatched software, misconfigured firewalls, or insider threats. It’s necessary but nowhere near sufficient.
Modern threats are layered. A typical attack chain: phishing email (email security failure) → compromised account (weak password, no MFA) → lateral movement (poor access controls) → data exfiltration (weak encryption, no monitoring). Antivirus might catch a malicious attachment at one point in this chain, but every other link is untouched by it.
The 2025 data: 93% of attacks are delivered via phishing. A credential-harvesting login page or a fraudulent invoice request contains no malware for antivirus to catch. Email authentication, user training, and MFA are what stop it.
Myth 3: “We Don’t Have Anything Worth Stealing”
Reality: Every business has customer data, employee data, financial information, email accounts, and business systems that have value to attackers. Ransomware doesn’t care whether you’re a global company or a 3-person consultancy — it encrypts whatever it finds and demands payment.
Consider what you’d lose if ransomware encrypted your business:
- Customer data: Email addresses, contact details, purchase history, payment information (if you take payments online). This is sold on underground markets. A list of 1,000 email addresses sells for £50–500 depending on quality.
- Employee data: Payroll, tax numbers, performance reviews, personal information. It’s valuable to competitors and identity thieves.
- Business systems: Your CRM, email, accounting software, website. Loss of access costs you customer relationships, revenue, and time to recover.
- Email accounts: Compromised email is the entry point for supply chain attacks, invoice fraud, and impersonation. An attacker with access to your email can impersonate you to your customers and suppliers.
You don’t need to be a bank for an attacker to target you. You just need to be easier to compromise than your competitors.
Myth 4: “Cybersecurity Is an IT Problem, Not a Business Problem”
Reality: The ICO holds the data controller (the business) responsible for data security, not your IT provider. This is the critical distinction. If your managed service provider suffers the breach, its legal duty is to notify you; the duty to notify the ICO and the affected individuals is yours, and so is the enforcement exposure. The IT provider has the technical failure, but you have the compliance failure.
This isn’t abstract. The ICO’s 2025 enforcement actions make this clear: Capita Group (£14M fine), Advanced Computer Software (£3.07M), 23andMe (£2.31M) — all fined not for being hacked, but for having inadequate security measures in place when they were hacked.
Cybersecurity needs business-level governance: board awareness, budget allocation, policy documentation, vendor management, incident response readiness. An IT manager can implement controls, but only leadership can ensure a security-first culture exists and risk is managed.
Myth 5: “We Use Cloud Services So Our Data Is Secure”
Reality: Cloud services (Microsoft 365, Google Workspace, AWS, Salesforce) provide infrastructure security, but configuration, access control, and user behaviour remain your responsibility. Most cloud breaches result from misconfigured permissions, weak passwords, or compromised user accounts — not infrastructure failures.
Examples:
- Misconfigured S3 buckets: An AWS customer accidentally exposes millions of records because the storage bucket is set to public-read. AWS provides secure defaults, but if you override them, you’re responsible.
- Weak admin passwords: Your Microsoft 365 admin account uses “Password123” and has no MFA. An attacker guesses the password, enables forwarding rules, and silently exfiltrates all email for months. You used cloud services, but weak access control was your failure.
- Overprivileged users: You grant a user Editor access to your entire Google Drive when they only need access to one folder. They leave the company with access still active, or their account is compromised. Cloud services didn’t fail — your access control did.
The cloud provider secures their infrastructure. You secure your configuration and users. Shared responsibility is the model — don’t assume the cloud provider secures everything.
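The bucket-policy case above, as an added example (this is not code from the article, from Bartram Cyber, or from AWS): a Python check that reads a bucket policy document offline, the JSON you would get back from `aws s3api get-bucket-policy`, and reports the statements that hand anonymous read access to the whole internet. The two policies in the block are constructed samples with made-up bucket and account names.

```python
"""Flag S3 bucket policy statements that grant anonymous read access.

Added example for this article, not code from Bartram Cyber or AWS.  It reads
a bucket policy document offline (the JSON that `aws s3api get-bucket-policy`
returns), so it needs no AWS account; the policies at the bottom are
constructed samples with made-up bucket and account names.
"""
import json

# Actions that let the caller read object contents or enumerate the bucket.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_read(actions):
    """True if any action covers a read action, including wildcards such as s3:Get* or *."""
    for action in actions:
        action = action.lower()
        if action.endswith("*") and any(r.startswith(action[:-1]) for r in READ_ACTIONS):
            return True
        if action in READ_ACTIONS:
            return True
    return False


def public_read_statements(policy_json):
    """Return {"public": [...], "needs_review": [...]} of statement Sids (or indexes).

    "public": Allow + anonymous principal + read action + no Condition, i.e. the
    classic public-read misconfiguration.  "needs_review": the same but with a
    Condition (aws:SourceVpce, aws:SourceIp, ...), which may narrow "*" to
    something safe; that needs a human rather than a guess.  NotPrincipal and
    NotAction are not handled here.
    """
    policy = json.loads(policy_json)
    public, needs_review = [], []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(_as_list(stmt.get("Action"))):
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        (needs_review if stmt.get("Condition") else public).append(label)
    return {"public": public, "needs_review": needs_review}


# Constructed sample policies (bucket and account names are made up).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"],
    }],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, "->", public_read_statements(doc))
```

The bucket policy is only one of the ways a bucket ends up public; legacy ACLs and the account- and bucket-level Block Public Access settings matter too. Treat this as a review of the policy document itself, and use `aws s3api get-bucket-policy-status` (or the "Public" marker in the console) for AWS's own verdict on the bucket.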
What to Do Instead
- Assess beyond antivirus. Evaluate against the five Cyber Essentials controls: firewalls and internet gateways, secure configuration, user access control, malware protection, security update management. Antivirus is one piece, not the whole game.
- Treat cybersecurity as a business obligation. Allocate budget, assign responsibility, document policies, review regularly. Don't treat it as an IT afterthought.
- Implement multi-factor authentication. On email, cloud services, admin panels, remote access. MFA stops the most common attack: account compromise via weak or stolen passwords.
- Secure email. Publish SPF, DKIM and DMARC records so that spoofed mail from your domain is rejected rather than delivered, and train staff to recognise phishing. 93% of attacks start with email.
- Patch and update. Monthly patching schedule, with critical and high-risk updates applied within 14 days of release (the Cyber Essentials requirement). Unpatched software is the most commonly exploited vulnerability vector.
- Control access. Document who has access to what. Remove admin access from people who don't need it, and give administrators a separate, non-admin account for day-to-day work. Disable former employee accounts immediately.
- Test your backups. Regular backups are standard, but can you actually restore from them? Test a restore quarterly, and keep at least one copy offline or otherwise out of reach of the credentials ransomware would steal.
- Document an incident response plan. One page: who's responsible, how to respond, how to notify the ICO (within 72 hours of becoming aware of a personal data breach that is likely to put individuals at risk), how to recover.
That’s the baseline. Not perfect, but documented and testable.
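The email step in the list above, as an added example that is not part of the original article or Bartram Cyber's own tooling: a Python review of SPF, DKIM and DMARC records for the gaps that let your domain be spoofed. It works on the text of the DNS TXT records, which you would fetch beforehand with something like `dig +short TXT example.com`, `dig +short TXT _dmarc.example.com` and `dig +short TXT <selector>._domainkey.example.com`, so it runs offline; the domain, selector and key in the samples are constructed, not real DNS data.

```python
"""Review SPF, DKIM and DMARC TXT records for the gaps that let a domain be spoofed.

Added example for this article, not code from Bartram Cyber.  It works on the
text of the DNS records, fetched beforehand with e.g. `dig +short TXT example.com`,
`dig +short TXT _dmarc.example.com` and `dig +short TXT <selector>._domainkey.example.com`,
so it runs offline.  The records at the bottom are constructed samples.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def check_spf(records):
    """Take every TXT record at the domain apex; return a list of findings."""
    findings = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host can send as this domain"]
    if len(spf) > 1:  # RFC 7208 4.5: multiple records are a permerror, so SPF stops working
        findings.append(f"{len(spf)} SPF records published; receivers treat this as a permerror")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get neutral, not fail")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # bare 'all' is +all
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("'?all' is neutral, which receivers treat much like no SPF")
        elif qualifier == "~":
            findings.append("'~all' is softfail; acceptable only with an enforcing DMARC policy")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms; more than 10 is a permerror")
    return findings


def parse_tags(record):
    """Split the 'k=v; k=v' syntax shared by DMARC and DKIM into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Check the _dmarc TXT record; pass None if the lookup returned nothing."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures are never acted on and you get no reports"]
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    return findings


def check_dkim(record):
    """Check a selector record exists and still carries a key; verifying signatures needs live mail."""
    if record is None:
        return ["no DKIM record at this selector: mail signed with it fails verification"]
    if not parse_tags(record).get("p"):
        return ["empty p= tag: the key is revoked, so signatures with this selector fail"]
    return []


# Constructed samples for an imaginary domain.  WEAK is a common SME state:
# SPF is soft and duplicated, DMARC is monitor-only, DKIM was never set up.
WEAK = {"spf": ["v=spf1 include:_spf.google.com ~all", "v=spf1 ip4:203.0.113.10 -all"],
        "dmarc": "v=DMARC1; p=none", "dkim": None}
GOOD = {"spf": ["v=spf1 include:_spf.google.com -all"],
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"}  # key truncated

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("good", GOOD)):
        print(label, "spf:", check_spf(recs["spf"]))
        print(label, "dmarc:", check_dmarc(recs["dmarc"]))
        print(label, "dkim:", check_dkim(recs["dkim"]))
```

The usual path from the WEAK state to the GOOD one is: collapse to a single SPF record, publish DMARC with p=none plus an rua= address, read the aggregate reports for a few weeks to find legitimate senders you forgot (the invoicing platform, the newsletter tool), then move to p=quarantine and finally p=reject. DNS alone cannot tell you whether DKIM signing actually works; send a message to a mailbox you control and read its Authentication-Results header.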
The Bigger Picture
These five myths are expensive because they lead to inaction. “We’re too small” means no security assessment. “Antivirus is enough” means no patch management. “We don’t have anything worth stealing” means no access controls or backups. “It’s IT’s problem” means no board oversight. “Cloud means we’re secure” means misconfigured services running unsecured for months.
The average cost of a cyber breach to a UK SME is £8,460 — but that’s just the direct cost. Add lost revenue (downtime), customer churn (breach affects trust), and potential ICO enforcement, and the real cost is often 5–10x higher.
Only 3% of UK businesses hold Cyber Essentials certification, despite 43% experiencing a breach in the last year. The certification isn’t hard or expensive — it costs £300–£600 and certifies you against five relatively straightforward controls. The gap between what’s required and what’s implemented is mostly mindset.
Next Steps
If you want a clear picture of where your business stands, Bartram Cyber combines external scanning (what’s publicly exposed) with a questionnaire assessment (what controls you have in place). The deliverable is a risk report and a prioritised action plan mapping your findings against Cyber Essentials controls.
If you’re ready to implement: our guide to where to start walks through the first seven steps (assess, implement MFA, secure email, patch, control access, test backups, write incident plan), and our guide to preparing for Cyber Essentials takes you from baseline to certification.
And remember: the fact that 81% of cyberattacked businesses are SMEs doesn’t mean you’re doomed. It means SMEs that took cybersecurity seriously fared better than those that didn’t. The gap isn’t size — it’s action.