Yes. They’re a favourite target because they’re easier to shake down.

The UK Government’s Cyber Security Breaches Survey 2025 found 43% of UK businesses identified a cyber security breach or attack in the previous 12 months. For micro and small businesses, phishing is still the main problem: 35% of micro businesses and 42% of small businesses identified phishing attacks (both down year-on-year, but still very common). The NCSC’s own small business guidance is even more blunt: it says SMEs have “around a 1 in 2 chance” of experiencing a cyber security breach.

What are the chances of a small business being in real trouble if hacked?

“Real trouble” usually means business interruption, cash loss, and a messy recovery tail

The Breaches Survey doesn’t publish a single “collapse probability” (thankfully, because that would be nonsense), but it does show what “trouble” typically looks like: time lost, recovery effort, knock-on disruption, and costs.

A practical way to think about it:

High chance of disruption if your core systems are hit

If attackers get into your email, accounts, devices, or cloud files, the usual outcomes are:

- loss of access to systems (email, accounting, stock/order systems)
- fraud risk (invoice changes, payment diversion)
- data loss or data theft
- reputational damage if customers/suppliers are affected

Higher chance of “real trouble” if you have any of these traits

- You can’t operate without IT (POS tills, bookings, manufacturing scheduling, online sales)
- You have no tested backups or backups connected to the same network
- You rely on one person for IT and they’re… busy running the business
- You hold personal data (customers/staff) and a breach creates legal/notification duties

A grounded cost sense (UK numbers)

The NCSC’s small business guide notes that for micro/small firms a
breach can mean costs around £900 (typical costs, not worst-case). The Breaches Survey also reports costs for the “most disruptive breach” (with averages and “if there were costs” figures), showing how quickly even “small” incidents become expensive once you add downtime and recovery.

So the honest answer is:

- Chance of being attacked: material (roughly two in five businesses report something each year; more if you include “unrecognised” incidents).
- Chance of serious trouble if hacked: strongly driven by preparedness. If you can’t restore operations quickly (especially email and files), it escalates fast.

What small English businesses should do immediately if they’re hacked

Use an “hours not days” playbook (contain first, then clean up)

The NCSC’s Small Business Guide: Response & Recovery is designed exactly for this situation.

Step 1: Confirm what’s happening and start a log

- Write down what you saw, when, and on which device/account
- Take screenshots of ransom notes/emails and keep suspicious messages
- Don’t start deleting everything in a panic (panic is not an incident response strategy)

Step 2: Contain the incident

- Isolate affected devices (disconnect from Wi-Fi/ethernet, don’t power off unless instructed, but do stop spread)
- Disable compromised accounts and force password resets
- If email is compromised: stop auto-forwarding rules, check mailbox rules, revoke suspicious sessions/tokens

Step 3: Get help and report properly

- If it’s a live attack on a business, the UK reporting service advises calling 0300 123 2040 immediately.
- Report cybercrime/fraud via Report Fraud / Action Fraud.
- If you use an IT provider/MSP, pull them in early (but don’t assume they’re unaffected if they manage multiple clients).

Step 4: Check whether personal data is involved

If personal data may be at risk, assess whether you must notify:

- The ICO says you must report a notifiable personal data breach without undue delay and within 72 hours of becoming aware (if it meets the reporting threshold).
- You may also need to inform affected individuals if there’s a high risk to them (ICO guidance covers this).

Step 5: Recover operations safely (don’t re-infect yourself)

- Restore from known-good backups (and scan before reconnecting)
- Patch exploited systems, rotate credentials, re-issue MFA, and review admin access
- Bring services back in a controlled order: identity/email first, then finance/ops systems

The NCSC’s backup guidance puts it plainly: if you can restore quickly, you “can’t be blackmailed by ransomware” in the same way.

Step 6: Clean-up and prevent a repeat

- Identify the entry point (phishing, exposed remote access, unpatched system)
- Remove persistence (new accounts, scheduled tasks, remote tools)
- Implement baseline controls (see below) and run a quick post-incident review

The minimum defences that stop most small-business disasters

Make the “easy wins” non-negotiable

Use the NCSC’s small business guidance as your baseline:

- Backups (separate, offline/immutable where possible, and tested)
- MFA on email, admin accounts, finance tools
- Patch management (especially internet-facing systems)
- Device security (supported OS, anti-malware, sensible admin rights)
- Staff awareness focused on phishing (because that’s still the front door)

If you do nothing else, protect email + backups + admin access. That’s where most small businesses either survive… or spend months untangling a mess.
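
The mailbox-rule check from Step 2, as an added example (not part of the original article): a short Python triage of exported mailbox rules that flags forwarding outside the business and rules that hide finance-related mail. The field names, domains, keyword lists and sample rules are assumptions constructed for illustration; map them to whatever your mail platform actually exports.

```python
OWN_DOMAINS = {"example.co.uk"}  # assumption: the business's own mail domain(s)
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance"}
HIDING_FOLDERS = {"rss feeds", "archive", "junk email", "deleted items"}

def external(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS]

def review_rule(rule):
    """Return the reasons this rule needs a human look (empty list = nothing flagged)."""
    reasons = []
    out = external(rule.get("forward_to", []) + rule.get("redirect_to", []))
    if out:
        reasons.append("sends mail outside the business: " + ", ".join(out))
    hides = (rule.get("delete_message") or rule.get("mark_as_read")
             or (rule.get("move_to_folder") or "").lower() in HIDING_FOLDERS)
    words = {w.lower() for w in rule.get("subject_contains", [])}
    if hides and (words & FINANCE_WORDS):
        reasons.append("hides finance-related mail from the mailbox owner")
    if reasons and not rule.get("enabled", True):
        reasons.append("currently disabled, but keep as evidence")
    return reasons

def triage(rules):
    """Map 'mailbox / rule name' -> reasons, for flagged rules only."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged[f"{rule['mailbox']} / {rule['name']}"] = reasons
    return flagged

# Constructed sample export (not real data); field names are assumptions.
SAMPLE_RULES = [
    {"mailbox": "accounts@example.co.uk", "name": "Newsletters", "enabled": True,
     "move_to_folder": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "accounts@example.co.uk", "name": ".", "enabled": True,
     "forward_to": ["collector@mail.example.net"]},
    {"mailbox": "owner@example.co.uk", "name": "tidy", "enabled": True,
     "move_to_folder": "RSS Feeds", "mark_as_read": True,
     "subject_contains": ["Invoice", "payment"]},
    {"mailbox": "owner@example.co.uk", "name": "Copy to bookkeeper", "enabled": True,
     "forward_to": ["bookkeeper@example.co.uk"]},
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_RULES).items():
        print(key, *reasons, sep="\n   - ")
```

Record flagged rules in the Step 1 incident log before disabling them, so the evidence survives the clean-up.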