
Are English Small Businesses Under Threat of Cyber Attacks?

Yes. They’re a favourite target because they’re easier to shake down.

The UK Government’s Cyber Security Breaches Survey 2025 found 43% of UK businesses identified a cyber security breach or attack in the previous 12 months. 
For micro and small businesses, phishing is still the main problem: 35% of micro businesses and 42% of small businesses identified phishing attacks (both down year-on-year, but still very common). 

The NCSC’s own small business guidance is even more blunt: it says SMEs have “around a 1 in 2 chance” of experiencing a cyber security breach. 


What are the chances of a small business being in real trouble if hacked?

“Real trouble” usually means business interruption, cash loss, and a messy recovery tail

The Breaches Survey doesn’t publish a single “collapse probability” (thankfully, because that would be nonsense), but it does show what “trouble” typically looks like: time lost, recovery effort, knock-on disruption, and costs. 

A practical way to think about it:

High chance of disruption if your core systems are hit

If attackers get into your email, accounts, devices, or cloud files, the usual outcomes are:

  • loss of access to systems (email, accounting, stock/order systems)
  • fraud risk (invoice changes, payment diversion)
  • data loss or data theft
  • reputational damage if customers/suppliers are affected

Higher chance of “real trouble” if you have any of these traits
  • You can’t operate without IT (POS tills, bookings, manufacturing scheduling, online sales)
  • You have no tested backups or backups connected to the same network
  • You rely on one person for IT and they’re… busy running the business
  • You hold personal data (customers/staff) and a breach creates legal/notification duties

A grounded cost sense (UK numbers)

The NCSC’s small business guide puts the cost of a breach for a micro/small firm at around £900 (a typical figure, not a worst case). 
The Breaches Survey also reports costs for the “most disruptive breach” (with averages and “if there were costs” figures), showing how quickly even “small” incidents become expensive once you add downtime and recovery. 

So the honest answer is:

  • Chance of being attacked: material (roughly two in five businesses report something each year; more if you include “unrecognised” incidents). 
  • Chance of serious trouble if hacked: strongly driven by preparedness. If you can’t restore operations quickly (especially email and files), it escalates fast.

What small English businesses should do immediately if they’re hacked

Use an “hours not days” playbook (contain first, then clean up)

The NCSC’s Small Business Guide: Response & Recovery is designed exactly for this situation. 

Step 1: Confirm what’s happening and start a log
  • Write down what you saw, when, and on which device/account
  • Take screenshots of ransom notes/emails and keep suspicious messages
  • Don’t start deleting everything in a panic (panic is not an incident response strategy)
Step 2: Contain the incident
  • Isolate affected devices: pull them off Wi-Fi/ethernet rather than powering them off (shutting down loses evidence held in memory; only power off if your responder tells you to), but do stop the spread
  • Disable compromised accounts and force password resets
  • If email is compromised: remove auto-forwarding (both inbox rules and the account-level forwarding setting), check every mailbox rule, and revoke active sessions/tokens so a reset password actually locks the attacker out
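
The mailbox checks in Step 2 are the ones most often skipped, so here is an added example (not the page’s or the NCSC’s code) of what “check mailbox rules” means in practice: a small Python triage script that runs over an exported list of inbox rules plus the account-level forwarding setting and flags the patterns attackers leave behind (external forwarding, rules that delete or hide mail, rules keyed on invoice and payment words, rules with near-empty names). The rule fields and the three sample rules are constructed for the demo; map the fields onto whatever your mail platform exports, and treat `example.co.uk` as a stand-in for your own domain.

```python
"""Flag suspicious mailbox rules and forwarding on a possibly compromised account.

Added example, not from the page or the NCSC. It triages a constructed export
of inbox rules; the field names are an assumption, so map them to your own
platform's export (Exchange Online inbox rules, Google Workspace filters, ...).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: the business's own mail domains. Anything else counts as external.
INTERNAL_DOMAINS = {"example.co.uk"}

# Subject/sender words attackers key rules on to intercept invoice and payment traffic.
FINANCE_WORDS = ("invoice", "payment", "bank", "remittance", "bacs", "statement")

# Folders where attackers park mail so the real user never sees it.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)   # forward/redirect addresses
    move_to: str | None = None                             # destination folder name
    delete: bool = False
    mark_read: bool = False
    subject_contains: list[str] = field(default_factory=list)
    from_contains: list[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True if the address is outside the business's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def triage_rule(rule: InboxRule) -> list[str]:
    """Return human-readable findings for one rule (empty list = looks benign)."""
    findings: list[str] = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.delete:
        findings.append("deletes matching mail")
    if rule.move_to and rule.move_to.lower() in HIDDEN_FOLDERS:
        findings.append(f"hides matching mail in '{rule.move_to}'")
    if rule.mark_read and (rule.delete or rule.move_to):
        findings.append("marks as read before hiding (suppresses the unread count)")
    terms = [t for t in rule.subject_contains + rule.from_contains
             if any(w in t.lower() for w in FINANCE_WORDS)]
    if terms and (external or rule.delete or rule.move_to):
        findings.append("targets finance traffic: " + ", ".join(terms))
    if len(rule.name.strip()) <= 1:
        findings.append("near-empty rule name (common in attacker-created rules)")
    if findings and not rule.enabled:
        findings.append("currently disabled, but can be re-enabled; remove it anyway")
    return findings


def triage(rules: list[InboxRule], forwarding_address: str | None = None) -> dict[str, list[str]]:
    """Triage every rule plus the mailbox-level forwarding setting, which lives outside rules."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            report[rule.name] = findings
    if forwarding_address and is_external(forwarding_address):
        report["<account forwarding>"] = ["mailbox-level forwarding to " + forwarding_address]
    return report


def sample_rules() -> list[InboxRule]:
    """Constructed sample data for the demo; not taken from any real incident."""
    return [
        InboxRule("Newsletters", from_contains=["newsletter@"], move_to="Reading"),
        InboxRule("Invoices", subject_contains=["invoice", "payment"],
                  forward_to=["accounts.backup@mail.example"]),
        InboxRule(".", from_contains=["bank"], move_to="RSS Feeds",
                  mark_read=True, delete=True),
    ]


if __name__ == "__main__":
    report = triage(sample_rules(), forwarding_address="owner@personal.example")
    for name, findings in report.items():
        print(f"[!] {name!r}:")
        for finding in findings:
            print("    -", finding)
```

Run it as-is to see the three constructed rules triaged: the newsletter rule is left alone, the other two and the account-level forwarding are flagged. A hit on any of these findings is a reason to delete the rule rather than disable it, and to revoke active sessions at the same time, because whoever created the rule usually still holds a valid token.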
Step 3: Get help and report properly
  • If an attack is in progress, Action Fraud’s advice is to phone 0300 123 2040 immediately rather than wait on the online form. 
  • Report cybercrime/fraud via Report Fraud / Action Fraud
  • If you use an IT provider/MSP, pull them in early (but don’t assume they’re unaffected if they manage multiple clients).
Step 4: Check whether personal data is involved

If personal data may be at risk, assess whether you must notify:

  • The ICO says you must report a notifiable personal data breach without undue delay and within 72 hours of becoming aware (if it meets the reporting threshold). 
  • You may also need to inform affected individuals if there’s a high risk to them (ICO guidance covers this). 
Step 5: Recover operations safely (don’t re-infect yourself)
  • Restore from known-good backups (and scan before reconnecting)
  • Patch the exploited systems, rotate credentials (including any API keys and shared mailbox passwords), re-enrol MFA, and review who holds admin access
  • Bring services back in a controlled order: identity/email first, then finance/ops systems

The NCSC’s backup guidance puts it plainly: if you can restore quickly, you “can’t be blackmailed by ransomware” in the same way. 


Step 6: Clean-up and prevent a repeat
  • Identify the entry point (phishing, exposed remote access, unpatched system)
  • Remove persistence (new accounts, scheduled tasks, remote tools)
  • Implement baseline controls (see below) and run a quick post-incident review

The minimum defences that stop most small-business disasters

Make the “easy wins” non-negotiable

Use the NCSC’s small business guidance as your baseline:

  • Backups (separate, offline/immutable where possible, and tested) 
  • MFA on email, admin accounts, finance tools
  • Patch management (especially internet-facing systems)
  • Device security (supported OS, anti-malware, sensible admin rights)
  • Staff awareness focused on phishing (because that’s still the front door) 
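
An added example of what “tested” means for the backups bullet (not the page’s or the NCSC’s script, and the data set is constructed): a POSIX shell routine that backs a directory up to a tar archive with a SHA-256 manifest, restores it into a scratch directory and checks every file, then repeats the check against a deliberately truncated archive to show the test catching a broken backup. It assumes a Linux box with GNU tar, sha256sum and mktemp; the file names are placeholders.

```sh
#!/bin/sh
# Added example (not from the page or the NCSC): prove a backup actually restores.
# Builds a constructed sample data set, backs it up as a tarball plus a SHA-256
# manifest, restores into a scratch directory and verifies every file, then
# shows the same check rejecting a truncated archive.
# Assumes POSIX sh with GNU tar, sha256sum and mktemp (a typical Linux box).
set -eu

# Constructed stand-in for the real files (accounts, orders, ...).
make_sample_data() {
    mkdir -p "$1/accounts" "$1/orders"
    printf 'INV-1001,Acme Ltd,1200.00\n' > "$1/accounts/invoices.csv"
    printf 'ORD-77,widget,12\n'          > "$1/orders/orders.csv"
}

# Back up a directory tree: archive plus a manifest of SHA-256 hashes taken
# from the *source*, so a later restore is checked against what was backed up.
backup() {
    src=$1 out=$2
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$out.sha256"
    tar -C "$src" -cf "$out" .
}

# Restore into an empty directory and compare every file to the manifest.
# Returns 0 only if the restore is complete and byte-for-byte identical.
verify_restore() {
    archive=$1 restore_dir=$2
    case $archive in /*) ;; *) archive=$PWD/$archive ;; esac   # manifest path must survive the cd below
    mkdir -p "$restore_dir"
    tar -C "$restore_dir" -xf "$archive" || return 1
    ( cd "$restore_dir" && sha256sum --quiet -c "$archive.sha256" )
}

# Good path: back up, lose the live copy, restore, verify. Returns 0 on success.
run_demo() {
    work=$(mktemp -d)
    make_sample_data "$work/live"
    backup "$work/live" "$work/backup.tar"
    rm -rf "$work/live"                      # the incident: live data is gone
    if verify_restore "$work/backup.tar" "$work/restored"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Failure path: a truncated archive (a copy job that stopped halfway) must be
# caught by the test now, not discovered during a real incident.
# Returns 0 when the corruption is detected.
truncated_backup_is_detected() {
    work=$(mktemp -d)
    make_sample_data "$work/live"
    backup "$work/live" "$work/backup.tar"
    head -c 1024 "$work/backup.tar" > "$work/partial.tar"     # keep only the first two headers
    cp "$work/backup.tar.sha256" "$work/partial.tar.sha256"
    if verify_restore "$work/partial.tar" "$work/restored"; then rc=1; else rc=0; fi
    rm -rf "$work"
    return $rc
}

run_demo || { echo "restore test FAILED"; exit 1; }
truncated_backup_is_detected || { echo "truncated backup was NOT detected"; exit 1; }
echo "restore test passed; truncated backup correctly rejected"
```

Scheduling something like this against the real backup archive, on a machine that is not the one being backed up, is the practical meaning of “tested”: a backup you have never restored is a hope, not a control. It does not by itself make the backup offline or immutable, so keep the archive and its manifest on storage the production network cannot write to.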

If you do nothing else, protect email + backups + admin access. That’s where most small businesses either survive… or spend months untangling a mess.

We have created professional, high-quality downloadable PDFs at great prices specifically for small and medium UK businesses on our main website. They include a range of cyber-related documents and real-world scenarios your business might experience, showing what to do and how to protect your business. Find them here.

