Common Cybersecurity Gaps in UK SME Infrastructure — What the Data Shows
The UK Cyber Security Breaches Survey 2025 and recent enforcement data paint a clear picture: 43% of UK businesses experienced a breach or attack in the past year. For medium-sized businesses, 70% were hit. For large organisations, 74%.
But the vulnerabilities behind those breaches aren’t sophisticated zero-day exploits. They’re consistent, preventable gaps: missing multi-factor authentication, unpatched software, weak access controls, and lack of incident response procedures.
Organisations that address these ten common gaps see a marked reduction in breach risk.
What This Research Covers
UK Cyber Security Breaches Survey 2025:
- 3,500+ UK businesses surveyed
- Official government-backed survey (Department for Business and Trade, DCMS, NCSC collaboration)
- Represents UK business population by size and sector
Cross-reference data:
- ICO enforcement fines (2025)
- Industry vulnerability reports
- Cyber insurance data
The Ten Most Common Vulnerabilities
1. No Formal Cybersecurity Policy
What we see: Most SMEs under 50 employees have no written cybersecurity policy. Security practices exist informally (“we know not to click suspicious links”) but nothing is documented, assigned, or enforced.
CSBS 2025 finding: 59% of small businesses have formal cybersecurity policies (up from 51% in 2024). This means 41% have none.
What this means: When something goes wrong, there’s no documented process for response or recovery. No one is assigned responsibility for patches, backups, or access control. Security is everyone’s job, which means it’s no one’s job.
How to fix it: Write a one-page cybersecurity policy. Include: acceptable use (what employees can/can’t do), password requirements (minimum 12 characters, unique accounts, no sharing), MFA requirements (which systems require it), patch schedule (monthly, or automatic updates), incident response (who to contact, escalation path, ICO notification timeline), access control (who can have admin access, review frequency).
2. Multi-Factor Authentication Not Enabled on Critical Systems
What we see: Email accounts and cloud services (Microsoft 365, Google Workspace, admin panels) are accessed using password only. No multi-factor authentication.
CSBS 2025 finding: Only 40% of businesses have MFA enabled on critical systems. 60% are password-only.
What this means: If an employee’s password is weak or compromised, an attacker gains full access to email, business data, and customer information. Email compromise is the #1 attack vector in 2025 because password-only authentication is insufficient.
The CSBS 2025 also found: “84% of organisations experienced an identity-related breach in 2023, with missing MFA often the enabling factor.”
How to fix it: Enable MFA on email accounts and all critical systems (cloud services, CMS admin panels, hosting control panels, financial systems). For most cloud services, MFA takes an afternoon to deploy. For on-premise systems, ask your IT provider whether MFA can be enabled. If not, upgrade or replace the system.
3. Unpatched Software and CMS Platforms
What we see: WordPress, Joomla, and other CMS platforms are running 6–12 months out of date. Known vulnerabilities remain open.
What this means: Automated attackers scan the internet for websites running vulnerable versions. A site running WordPress 6.3 from several months ago has discoverable exploits. No active targeting needed — the vulnerability is advertised in the CMS version number.
How to fix it: Monthly patching. Set a reminder for the first Tuesday of the month, review available updates, test critical patches on a non-production environment if necessary, then deploy. Enable automatic updates where possible (most cloud hosting makes this simple). Most CMS platforms support automatic updates for non-major releases.
4. Weak or No Access Controls
What we see: Access control issues include: shared passwords for business accounts, admin access given to users who don’t need it, former employees retaining access, no documented access review process.
CSBS 2025 finding: Only a minority of small businesses have documented access control policies or regular access reviews.
What this means: Current and former employees have excessive access. A junior staff member can access the entire company financial system or all customer data. If someone leaves or their credentials are compromised, you don’t know what they had access to, or whether all of it has been revoked.
How to fix it: Everyone gets a unique username and password (stored in a password manager, not shared). Admin access is restricted to users who actually need it (typically one or two people). Accounts are disabled immediately when someone leaves. Access is reviewed annually — “does this person still need access to this system?”
5. No Backup Testing
What we see: Backups are in place (often through hosting providers), but organisations have never tested whether they can actually restore.
What this means: When you need your backup, you discover it’s corrupted, incomplete, or impossible to restore. The backup that doesn’t work when you need it is as useful as no backup.
How to fix it: Quarterly backup restoration test. Restore a backup to a test environment, verify the data is complete and usable, document the test results. Make this a routine process, not an emergency.
6. Email Authentication Not Configured (SPF, DKIM, DMARC)
What we see: SPF, DKIM, and DMARC records are not configured. This means email from your domain can be spoofed — attackers can send emails appearing to come from your company without actually using your email server.
What this means: Attackers impersonate your company in phishing emails to your customers, suppliers, and partners. Your reputation and their trust are exploited. Your domain becomes an attack vector.
Data: Only 7.7% of the top 1.8M email domains have the strictest DMARC policy configured. Most have none or weak policies.
How to fix it: Configure DNS records (SPF, DKIM, DMARC) to authenticate email from your domain. This is usually a 30-minute job done through your DNS provider or email provider. Most email providers (Google Workspace, Microsoft 365) have wizards to set this up.
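As an added illustration (not part of the original article), the check below grades a domain’s SPF and DMARC records for exactly the weaknesses described above: a missing record, a permissive or soft-fail SPF “all” term, and a DMARC policy weaker than p=reject. The record strings are constructed samples for a fictional example.com; on a live domain you would first fetch the TXT records from DNS.

```python
"""Grade a domain's SPF and DMARC TXT records for the weaknesses described above.
The records passed in are constructed samples; a live check would first fetch the
TXT records of example.com and _dmarc.example.com. DKIM is not graded here
because checking it needs the selector name the sender uses."""
from typing import Dict, List, Optional

def spf_all_qualifier(txt: str) -> Optional[str]:
    """Qualifier on the SPF 'all' term ('-', '~', '?' or '+'); None if absent."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Return the DMARC tags (p, sp, rua, ...) or an empty dict if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def grade_email_auth(spf_txt: str, dmarc_txt: str) -> List[str]:
    """Return the findings for one domain; an empty list means both records are strict."""
    findings = []
    qualifier = spf_all_qualifier(spf_txt)
    if not spf_txt.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record, so any host can send as this domain")
    elif qualifier in (None, "+", "?"):
        findings.append("SPF: 'all' qualifier missing or permissive; use -all")
    elif qualifier == "~":
        findings.append("SPF: ~all only flags spoofed mail; use -all once sending sources are listed")
    dmarc = parse_dmarc(dmarc_txt)
    if not dmarc:
        findings.append("DMARC: no v=DMARC1 record, so receivers will not enforce alignment")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC: policy is p={policy}; the strictest policy is p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so spoofing attempts are never reported")
    return findings

# Constructed records for a fictional example.com: a weak pair and a strict pair.
WEAK = grade_email_auth("v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none")
STRICT = grade_email_auth("v=spf1 include:_spf.google.com -all",
                          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```

The weak pair produces three findings (soft-fail SPF, p=none, no reporting address); the strict pair produces none.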
7. Website Exposes Sensitive Directories or Admin Panels
What we see: Scanning finds: publicly accessible admin login pages (WordPress /wp-admin, Joomla /administrator), backup files (.bak, .backup, .sql), configuration files with credentials or database details, directory listings exposing file structures.
What this means: Attackers find these easily with automated tools. Once they find the admin panel, they can attempt password attacks. Configuration files may contain credentials. Directory listings expose your application structure.
How to fix it: Block admin panels from public access (restrict to known IP addresses, use basic HTTP authentication, move admin URLs to non-standard paths). Remove backup files from public directories. Disable directory listings (set Options -Indexes in Apache, or equivalent in your server). Remove sensitive files from web-accessible directories.
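The Apache fragment below is an added example, not configuration from the original article: it applies the fixes just listed for a WordPress site on Apache 2.4. The document root, the htpasswd file path and the office IP range (an RFC 5737 documentation range) are placeholders.

```apache
# Added example: hardened Apache 2.4 vhost fragment for a WordPress site.
# Paths and the IP range are placeholders; adjust them for your own server.

<Directory "/var/www/html">
    # Weak default being replaced: "Options +Indexes" lists folder contents
    # whenever no index file exists. Turn listings off.
    Options -Indexes
</Directory>

# Admin login: allow only the office range (placeholder) AND require HTTP
# basic authentication in front of the WordPress login form.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/.htpasswd-admin"
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>

<Directory "/var/www/html/wp-admin">
    Require ip 203.0.113.0/24
    # Front-end features call admin-ajax.php, so that one file stays public.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# Never serve backup dumps, editor leftovers or configuration files from the
# web root, even if someone forgets to delete them.
<FilesMatch "(\.(bak|backup|sql|old|orig|swp)|^wp-config\.php|^\.env)$">
    Require all denied
</FilesMatch>
```

Removing the files from the web root is still the primary fix; the FilesMatch block is a safety net for the next forgotten backup.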
8. SSL/TLS Certificate Issues
What we see: Issues include: expired SSL certificate (website shows “not secure” warning), self-signed certificate, certificate with mismatched domain, weak cipher configuration.
What this means: Users see security warnings when visiting your site (damages trust). Data in transit can be intercepted. Your site appears untrustworthy to browsers and users.
How to fix it: Install a valid SSL certificate (free through Let’s Encrypt if using supported hosting). Check certificate expiration date and set renewal reminders (most providers automate this now). Verify certificate matches your domain name. Configure strong ciphers (most hosting providers do this automatically).
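As an added example (not code from the original article), the check below takes a certificate in the dictionary layout Python’s ssl.getpeercert() returns and flags the three problems listed above: expired or about to expire, self-signed, and a name that does not cover the site’s hostname. Both certificates and the clock value are constructed samples.

```python
"""Check a server certificate, in the dict form Python's ssl.getpeercert() returns,
for the issues listed above: expired or about to expire, self-signed, and a name
that does not cover the site's hostname. The two certificates below are
constructed samples, not real certificates."""
import ssl
from typing import Dict, List

def _dns_names(cert: Dict) -> List[str]:
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def _name_matches(pattern: str, host: str) -> bool:
    """Hostname matching as browsers do it: '*' covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def check_certificate(cert: Dict, hostname: str, now: float, warn_days: int = 30) -> List[str]:
    """Return findings for the certificate as seen at time 'now' (seconds since epoch)."""
    findings = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("expired: visitors will see a 'not secure' warning")
    elif not_after - now < warn_days * 86400:
        findings.append(f"expires within {warn_days} days: confirm renewal is scheduled")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed: not trusted by browsers")
    if not any(_name_matches(name, hostname) for name in _dns_names(cert)):
        findings.append(f"name mismatch: certificate does not cover {hostname}")
    return findings

# Constructed sample certificates in getpeercert() layout, and a fixed clock.
SUBJECT = ((("commonName", "www.example.com"),),)
GOOD_CERT = {
    "subject": SUBJECT,
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Mar 01 00:00:00 2026 GMT",
}
BAD_CERT = {  # self-signed, expired, and issued for a different name
    "subject": SUBJECT,
    "issuer": SUBJECT,
    "subjectAltName": (("DNS", "*.internal.example.com"),),
    "notAfter": "Dec 01 00:00:00 2025 GMT",
}
NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2026 GMT")
```

On a live site, pass the dict returned by a verified ssl socket’s getpeercert() and time.time() as the clock; the good sample yields no findings and the bad one yields all three.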
9. Weak Access Control on Cloud Services (Microsoft 365, Google Workspace)
What we see: Microsoft 365 and Google Workspace configured at factory defaults. No password complexity requirements, no MFA, overprivileged user accounts, shared credentials between staff.
What this means: User accounts are easily compromised. Once compromised, attackers have access to email, calendar, documents, and shared resources.
How to fix it: Configure security settings: enforce strong passwords (minimum 12 characters, complexity requirements), require MFA on all accounts, remove unnecessary admin permissions, review user accounts and remove inactive ones, configure data retention and deletion policies, enable audit logging.
10. No Incident Response Plan
What we see: No documented process for what to do if a breach occurs. When something happens, the response is ad-hoc and ineffective. ICO notification deadline (72 hours) is often missed.
CSBS 2025 finding: 36% of all businesses have formal incident response procedures. 32% have business continuity plans. For small businesses, these figures are lower.
What this means: Breaches take longer to contain, damage spreads, recovery takes longer, regulatory notification is delayed or missed, enforcement exposure increases.
How to fix it: Document a one-page incident response plan. Include: contact list (IT support, management, ICO), initial response steps (contain the incident, don’t investigate yourself unless trained, preserve evidence), notification timeline (ICO within 72 hours if personal data is affected), recovery process (restore from clean backup, verify systems are clean). Review and update annually.
Sector-Specific Patterns
Professional services (law, accounting, consulting):
- Weak client data controls. Client documents stored in shared folders with excessive access, little encryption, no formal data retention policy.
- Data access is too permissive and not monitored.
- High regulatory risk because client data often includes sensitive personal information.
E-commerce and retail:
- Payment system security gaps. Websites accepting credit card payments without proper PCI DSS controls (encryption, secure transmission, minimal storage).
- Admin access to payment systems too broad.
- Phishing attack susceptibility high because staff handle customer payment data.
SaaS and digital services:
- API security gaps. APIs exposing internal data through incorrect authentication or over-permissive access, insufficient rate limiting (allowing mass data download), no logging of API access.
- Credentials hardcoded in client-side code.
- High impact if compromised because APIs often access customer data at scale.
Healthcare and regulated sectors:
- Staff training gaps. Healthcare businesses have stricter requirements but often lack documented training on HIPAA/GDPR/sector-specific obligations.
- Compliance exists in principle but not in practice.
- Enforcement risk highest in this sector because regulatory bodies actively monitor.
What Organisations See After Addressing These Gaps
Research from cyber insurance providers and NCSC guidance shows:
- Breach risk: Organisations addressing the top 10 vulnerabilities see measurable reductions in breach probability and impact
- Insurance premiums: Cyber insurance premiums stabilise or reduce once basic controls are in place (MFA, incident response, policy documentation)
- Customer confidence: Formal security practices increase customer trust and support sales in security-sensitive sectors
- Compliance certification: Cyber Essentials and ISO 27001 become achievable once these gaps are closed
The investment is modest: most fixes are process and configuration changes, not expensive technology. The payoff is substantial.
Recent Enforcement Data
ICO fines (2025):
- £19.6M in total fines from 7 cases
- Average fine: £2.8M (up significantly from £150K average in prior years)
- Two-thirds of fines were for security/breach failures
- Capita fined £14M for cybersecurity failures that exposed 6.6 million people
Trend: Fines are increasing, enforcement is accelerating, and security gaps are now treated as serious regulatory failures.
Methodology
UK Cyber Security Breaches Survey 2025:
- 3,500+ UK businesses, representative sample by size and sector
- Quantitative survey + qualitative interviews
- Official government collaboration (DBT, DCMS, NCSC, FSA)
- Conducted by Ipsos MORI
- Findings validated against industry benchmarks
Limitations: Self-reported survey responses (reliability depends on respondent knowledge), no independent verification of security posture, focuses on reported breaches and stated practices rather than measured vulnerability.
Next Steps
If you want to understand where your business stands against these common vulnerabilities, Bartram Cyber conducts an external scan plus questionnaire assessment. The deliverable is a risk report identifying which of these vulnerabilities apply to your infrastructure and a prioritised remediation roadmap.
If you want to fix them systematically, our step-by-step guide to cybersecurity readiness walks through implementation in priority order, and our checklist tracks progress against these common gaps.
The good news: none of these vulnerabilities are sophisticated to fix. Most are process and configuration changes. The gap between vulnerable and resilient SMEs isn’t budget or technical complexity — it’s attention and documentation. The businesses that move ahead are those that write down what they need to do and then do it methodically.