5 cybersecurity red flags you’re probably ignoring in your business

Dec 2, 2025

Categories: Blog | Cybersecurity | Essential

You lock your office doors at night, right? Yet there’s a good chance you’re leaving your business’s digital doors wide open – and not even realising it.

Here’s the uncomfortable truth: 43% of UK businesses experienced some form of cybersecurity breach or attack in the last 12 months. If you’re running a company with 10 to 250+ staff, you’re exactly the kind of target cybercriminals love. Not because you’re doing anything particularly wrong, but because you’re doing what most businesses do – overlooking the warning signs.

Let’s talk about the five red flags that could be putting your business at risk right now. No jargon, no lecture, just straight talk about what matters.

Red flag 1: Your team still thinks “Password123” will do

We know, we know. You’ve heard this one before. But stick with us, because the numbers are genuinely alarming.

A recent UK survey found that 80% of people admit to reusing passwords in some form [1]. Even more concerning, 12.45% of respondents use a single password across all their online accounts. When you extrapolate that nationally, it suggests over six million people in the UK could be relying on just one password for everything.

Why this matters to you:

Your finance director uses the same password for your accounting software as they do for their gym membership. The gym gets breached (it happens), and suddenly someone has access to your company’s bank details. This isn’t theoretical – reports of social media and email account hacking in the UK increased to 35,434 in 2024, up from 22,500 the previous year [2].

What you can do:

  • Implement a password manager across your organisation (they’re not as complicated as they sound)
  • Set a minimum password length of 12 characters
  • Encourage staff to use passphrases – something like “CoffeeTuesdayBlue42!” is both memorable and secure

The reality is that password fatigue is real. Your staff aren’t being deliberately careless – they’re just overwhelmed. Understanding that is the first step to fixing it.
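To make the three recommendations above concrete, here is an added example (not code from the original post or from ERGOS) showing the two checks a password manager or onboarding tool typically runs: a policy check enforcing the 12-character minimum and rejecting well-known weak passwords, and a reuse report that spots the same password behind several accounts. The deny-list entries and the sample vault are constructed for the example; a real deployment would check against a breached-password corpus instead of a hand-written set.

```python
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 12  # the minimum length recommended above

# Constructed deny-list standing in for a breached-password corpus (hypothetical entries).
WEAK_PASSWORDS = {"password", "password123", "qwerty123", "letmein", "welcome1", "admin"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")


def check_password(candidate: str) -> list[str]:
    """Return the policy rules a candidate password fails; an empty list means it passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Also compare after stripping trailing digits and symbols, so "Password123!"
    # is still caught by the "password" entry on the deny-list.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in WEAK_PASSWORDS or stripped in WEAK_PASSWORDS:
        failures.append("appears on the weak-password list")
    if sum(bool(re.search(p, candidate)) for p in CHARACTER_CLASSES) < 3:
        failures.append("uses fewer than three character classes")
    return failures


def fingerprint(password: str) -> str:
    """Hash a password so reuse can be compared without keeping plaintext around.

    Plain SHA-256 is fine for an in-memory comparison like this; storing credentials
    for login would use a slow, salted hash instead."""
    return hashlib.sha256(password.encode()).hexdigest()


def find_reuse(vault: dict[str, str]) -> list[list[str]]:
    """Given {account: fingerprint}, return the groups of accounts sharing one password.

    This is the check behind a password manager's 'reused passwords' report."""
    by_hash = defaultdict(list)
    for account, fp in vault.items():
        by_hash[fp].append(account)
    return [sorted(accounts) for accounts in by_hash.values() if len(accounts) > 1]


# Constructed vault: three accounts, two of which share the same password.
SAMPLE_VAULT = {
    "accounting-software": fingerprint("Password123"),
    "gym-membership": fingerprint("Password123"),
    "cloud-storage": fingerprint("CoffeeTuesdayBlue42!"),
}

if __name__ == "__main__":
    for pw in ("Password123", "CoffeeTuesdayBlue42!"):
        print(pw, "->", check_password(pw) or "OK")
    print("reused across:", find_reuse(SAMPLE_VAULT))
```

Run as a script it reports that “Password123” fails two rules while the passphrase from the list passes, and that the accounting and gym accounts share a password, which is exactly the finance-director scenario described above.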

Red flag 2: You think multi-factor authentication is “too much hassle”

Here’s a statistic that should make you sit up: only 40% of UK businesses use any form of two-factor authentication (2FA). Among larger businesses, that figure jumps to 92%, but if you’re a smaller outfit, chances are you’re leaving yourself vulnerable.

Yet more than 99.9% of the accounts that end up being compromised do not have MFA enabled [3]. Let that sink in. If you’re not using multi-factor authentication, you’re in the group that’s getting hit.

Why this matters to you:

MFA is that extra step where you receive a code on your phone after entering your password. Yes, it adds a few seconds to logging in. But those few seconds could save you from a breach that costs UK businesses an average of £1,600, or £3,550 when you exclude the lucky ones who reported zero costs.

What you can do:

  • Start with your most critical systems—email, banking, and cloud storage
  • Use authenticator apps rather than SMS codes (they’re more secure)
  • Make it mandatory for anyone who can access customer data or financial information

MFA adoption in UK businesses [4]

  All UK businesses               40%
  Large businesses (250+ staff)   92%
  Medium businesses (50-249)      74%
  Small businesses (10-49)        47%

The good news? Once your team gets used to it, MFA becomes second nature. Think of it like wearing a seatbelt – initially feels awkward, then you don’t even notice it.

Red flag 3: Your staff haven’t had security training since they joined

Pop quiz: When was the last time you talked to your team about cybersecurity? If you’re drawing a blank, you’re not alone – but you are at risk.

Only 19% of UK businesses have provided staff training or awareness sessions on cybersecurity in the last 12 months [5]. Yet phishing attacks, those fraudulent emails designed to trick your staff, were experienced by 85% of businesses that suffered any kind of breach or attack.

Your staff aren’t incompetent. But without regular training, they simply don’t know what modern threats look like.

Why this matters to you:

Phishing emails no longer look like poorly written requests from Nigerian princes. They’re sophisticated, personalised, and designed to look exactly like emails from your bank, your suppliers, or even your CEO. In fact, 65% of UK businesses that experienced a breach said phishing was their most disruptive type of attack [6].

What you can do:

  • Run quarterly security awareness sessions (30 minutes, not all day)
  • Share real-world examples of recent scams targeting your industry
  • Create a simple reporting system for suspicious emails – no blame, just “flag it”
  • Consider running simulated phishing tests to keep awareness high

Training frequency vs breach prevalence

                                        Medium businesses   Large businesses   Overall businesses
  Provided training in last 12 months   54%                 76%                19%
  Experienced breach/attack             67%                 74%                43%

Source: UK Government Cyber Security Breaches Survey 2025 [6]

The goal isn’t to turn your team into cybersecurity experts. It’s to help them spot the obvious red flags and know what to do when something feels off. Interestingly, larger businesses that invest more in training still experience high breach rates – but they’re better at identifying and containing them quickly.
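The “obvious red flags” a trained employee learns to spot can also be checked automatically before a message reaches them. Here is an added example (not code from the original post or from ERGOS) that triages a raw email against four of the tells described above: an executive’s name on an external address, a Reply-To that goes somewhere other than the sender, a lookalike of the company domain, and pressure language. The organisation domain, the executive names and the three sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation details (hypothetical): the domain staff mail comes from and the
# people an attacker would most likely impersonate.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "finance director"}
URGENCY = re.compile(r"\b(urgent|immediately|today|wire|gift cards?|overdue|suspended)\b", re.I)
# Substitutions commonly used to fake a domain; applied only to normalise for comparison.
LOOKALIKE_SUBS = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(domain: str) -> str:
    for fake, real in LOOKALIKE_SUBS:
        domain = domain.replace(fake, real)
    return domain


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message deserves a second look; an empty list means none fired."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    reasons = []

    # 1. A known executive's name shown as sender, but the address is not ours.
    if display_name.strip().lower() in EXECUTIVES and sender_domain != OUR_DOMAIN:
        reasons.append(f"'{display_name}' shown as sender but address is external: {sender}")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To goes to {domain_of(reply_to)}, not {sender_domain}")

    # 3. Sender domain becomes ours once common character swaps are undone.
    if sender_domain != OUR_DOMAIN and normalise(sender_domain) == OUR_DOMAIN:
        reasons.append(f"sender domain {sender_domain} is a lookalike of {OUR_DOMAIN}")

    # 4. Urgency and payment language in subject or body.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    return reasons


# Constructed sample messages.
PHISH = "\n".join([
    "From: Jane Doe <jane.doe@examp1e.com>",
    "Reply-To: payments@invoice-portal.test",
    "Subject: Urgent: wire transfer needed today",
    "",
    "Please send payment immediately, I am in a meeting.",
])
BENIGN = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "Subject: Minutes from Tuesday",
    "",
    "Attached are the notes from the meeting.",
])
SUPPLIER = "\n".join([
    "From: Sam Supplier <sam@supplier.test>",
    "Subject: Your invoice for November",
    "",
    "Please find the invoice attached.",
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN), ("supplier", SUPPLIER)):
        print(label, "->", triage(raw) or "nothing flagged")
```

The point of the supplier message is that “external” alone is not a flag: an ordinary invoice from an outside domain passes, while the CEO-impersonation message trips all four rules. Heuristics like these are a safety net for the reporting habit the list recommends, not a replacement for it.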

Red flag 4: You’re dismissing those annoying software updates

Be honest, how many update notifications are you dismissing right now?

We get it. Software updates are annoying. They always seem to pop up when you’re in the middle of something important. But here’s why this matters: only 32% of UK businesses have a policy to apply software security updates within 14 days [7].

Those updates aren’t just about new features. They’re patching security holes that hackers are actively exploiting. Ransomware attacks in the UK have doubled – from less than 0.5% of businesses in 2024 to 1% in 2025 [8]. That translates to approximately 19,000 UK organisations affected.

Why this matters to you:

When software companies release updates, they’re often responding to newly discovered vulnerabilities. The longer you wait to update, the longer your business sits exposed. It’s like leaving a window unlocked after being told burglars are in the area.

What you can do:

  • Enable automatic updates for all systems where possible
  • Schedule monthly “patch days” for critical business software
  • Create a prioritised list: operating systems and security software first, everything else after
  • Don’t forget your website and any plugins you’re using

The National Cyber Security Centre managed 20 significant ransomware incidents in 2024, with 13 classified as nationally significant – a threefold increase from the previous year.
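The 14-day policy mentioned above and the prioritised list from the steps are easy to turn into a standing check. Here is an added example (not code from the original post or from ERGOS) that walks a software inventory, flags every asset whose available update is older than the policy window, and orders the findings so operating systems and security software come first. The inventory, asset names, categories and dates are all constructed; a real version would read them from your patch-management or asset tool.

```python
from datetime import date

POLICY_DAYS = 14  # the update window the survey asks about

# Priority tiers following the list above: OS and security software first, then the rest.
PRIORITY = {"os": 1, "security": 1, "business": 2, "website": 3}

# Constructed inventory: (asset, category, installed_version, latest_version, date the update was released).
INVENTORY = [
    ("file-server-01", "os", "10.2", "10.3", date(2025, 11, 3)),
    ("endpoint-av", "security", "7.1", "7.1", date(2025, 11, 20)),
    ("accounts-app", "business", "2024.1", "2024.2", date(2025, 11, 25)),
    ("company-website", "website", "6.4", "6.5", date(2025, 10, 1)),
]


def overdue_patches(inventory, today: date, policy_days: int = POLICY_DAYS) -> list[dict]:
    """Return assets whose pending update has been available longer than the policy window,
    most critical tier first and, within a tier, longest exposure first."""
    findings = []
    for asset, category, installed, latest, released in inventory:
        if installed == latest:
            continue  # already current, nothing to do
        days_exposed = (today - released).days
        if days_exposed > policy_days:
            findings.append({
                "asset": asset,
                "category": category,
                "pending": f"{installed} -> {latest}",
                "days_exposed": days_exposed,
                "priority": PRIORITY.get(category, 3),
            })
    return sorted(findings, key=lambda f: (f["priority"], -f["days_exposed"]))


if __name__ == "__main__":
    for finding in overdue_patches(INVENTORY, date(2025, 12, 2)):
        print(f"P{finding['priority']} {finding['asset']}: {finding['pending']} "
              f"available for {finding['days_exposed']} days")
```

Run against the sample data on 2 December 2025 it lists the file server first (29 days exposed) and the website after it (62 days), while the accounts application is still inside the window and the endpoint protection is current. That ordering is the “patch day” agenda.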

Red flag 5: You’re confident “it won’t happen to us”

This is perhaps the most dangerous red flag of all. The belief that your business is too small, too boring, or too insignificant to be a target.

Let’s address this head-on: 67% of medium-sized UK businesses and 74% of large businesses experienced a breach or attack in the last 12 months. Even among micro businesses, 41% were hit [6]. You’re not too small.

Cybercriminals aren’t specifically targeting you because of what you do. They’re using automated tools that scan thousands of businesses looking for easy wins. Weak passwords, no MFA, unpatched software – these are what they’re after.

Why this matters to you:

The average cost of a cybersecurity breach for UK businesses is £1,600, but this rises to £3,550 when you exclude those who reported zero costs. For charities, the average is even higher at £3,240 (£8,690 excluding zero-cost responses).

More worrying still: UK businesses experienced approximately 8.58 million cybercrimes in the last 12 months. The average business suffering from cybercrime experienced 30 such crimes in the year.

What you can do:

  • Conduct a simple security audit (we can help with this)
  • Back up your critical data regularly, and test those backups
  • Create an incident response plan (even a basic one)
  • Consider cyber insurance – currently only 45% of UK businesses have any form of cyber insurance [9]

Impact of breaches on UK businesses

  Businesses experiencing breaches annually   43% (612,000 businesses)
  Medium businesses hit                       67%
  Large businesses hit                        74%
  Average cost of breach                      £1,600 (£3,550 excluding £0 responses)
  Phishing attacks (of those breached)        85%
  Businesses with cyber insurance             45%

Source: UK Government Cyber Security Breaches Survey 2025 [6]

Ransomware is a particular concern. While only 1% of UK businesses experienced ransomware in 2025, that’s double the rate from 2024. And when ransomware hits, it hits hard: organisations often face demands for a financial ransom and significant operational disruption.

Where to go from here

Look, we’re not going to pretend that cybersecurity is simple. It’s not. The threat landscape changes constantly, and keeping up with it whilst running a business is genuinely challenging.

But here’s what we know from working with businesses just like yours: you don’t need to fix everything overnight. You just need to start.

Pick one thing from this list. Maybe it’s implementing MFA on your email accounts. Maybe it’s finally running that security training session you’ve been putting off. Maybe it’s just having a conversation with your team about password managers.

Small steps add up. And every improvement you make moves your business out of the “easy target” category and into the “too much effort” pile for cybercriminals.

The good news? UK businesses are getting better at cybersecurity. Small businesses in particular have shown impressive improvements [6]:

  • 48% now conduct cyber risk assessments (up from 41% in 2024)
  • 62% have cyber insurance (up from 49% in 2024)
  • 59% have formal cyber security policies (up from 51% in 2024)
  • 53% have business continuity plans covering cyber security (up from 44% in 2024)

These improvements matter. They show that when businesses take action, they can meaningfully reduce their risk.

Your IT doesn’t have to be a source of stress or confusion. That’s exactly what we’re here for.

At ERGOS, we understand that you’ve got a business to run. You don’t have time to become a cybersecurity expert, and frankly, you shouldn’t have to. Our job is to take the complexity out of IT and give you straightforward solutions that actually work for your business.

We’ve helped hundreds of businesses – from 10-person startups to 100+ employee companies – strengthen their security without it becoming a massive headache. We’re not here to blind you with science or make you feel inadequate. We’re here to help.

If any of these red flags rang true for you, let’s have a chat. No pressure, no sales pitch, just a friendly conversation about where you are now and how we can help you sleep better at night.

We recognise that smaller businesses face the same threats as larger companies, often with fewer resources. To help bridge that gap, we’re excited to introduce a FREE Security Posture Review for our small and medium-sized customers. Because in 2025, good cybersecurity isn’t about having the most expensive tools or the biggest IT team. It’s about making smart, practical choices that protect what you’ve built.

And that’s something we can definitely help with.

Get in touch with ERGOS

Ready to address these red flags? Visit us at www.ergos.uk/contact to get in touch with our team. We’re here to help you navigate IT complexity in a friendly, approachable way.

Sources

All UK statistics are from official UK Government sources and recent UK studies:

Let ERGOS take the stress out of IT for you

Contact us now to get six months of IT Support for free