Cyber Attacks: Prepare & Protect Your Business

Cyber Attacks: Prepare & Protect Your Business

Cyber attacks remain one of the most significant risks facing any business today, and the threat continues to grow year on year. More organisations than ever are investing in cyber security to protect themselves, and for good reason.

Cyber attacks can come from outside or inside an organisation. It’s not only cyber criminals who present a risk, employees can also compromise security, either accidentally or intentionally. Whatever the source, businesses need a specific plan for when something goes wrong, not just an assumption that it won’t happen to them.

Cyber security threats are continuously on the rise

The numbers, drawn from the most current research available, make the scale of the problem clear.

Phishing remains the dominant threat. The Anti-Phishing Working Group recorded roughly 3.8 million phishing attacks across 2025, the highest sustained volume on record. Verizon’s 2025 Data Breach Investigations Report attributes 16% of confirmed breaches directly to phishing as the initial access vector, with the human element — phishing, social engineering, and stolen credentials combined — involved in 60% of all breaches.

Ransomware has become an SMB-specific problem. Verizon’s 2025 DBIR found ransomware involved in 88% of breaches at small and medium-sized businesses, compared with 39% at large enterprises — attackers specifically favour smaller businesses because they typically have weaker defences and slower recovery capability.

Users click faster than security teams can respond. The median time for a user to click a phishing link is just 21 seconds after receiving it, while it takes an average of 28 minutes for that same email to be reported. No human-driven process can outpace a 21-second decision window, which is exactly why technical controls matter as much as training.

AI has changed the economics of phishing. Generative AI has cut the time needed to write a convincing phishing email from roughly 16 hours of manual effort down to minutes, removing many of the spelling and grammar errors that used to make phishing easier to spot. IBM’s 2025 Cost of a Data Breach Report puts the average cost of a phishing-initiated breach at $4.88 million, taking an average of 254 days to detect and contain.

Training works, but only with the right approach. Untrained employees fail simulated phishing tests at a baseline rate of around 33%, according to KnowBe4’s 2025 benchmarking data. With consistent, ongoing training, that figure can fall to under 4% within 12 months for smaller organisations. One-off annual training sessions have far less impact — frequency matters more than format.

Types of cybersecurity threats

Malware and ransomware

Malware and ransomware remain among the most damaging categories of attack. A successful ransomware infection can completely disrupt how a business operates, alongside the reputational damage and financial loss that follows. We deploy and manage both antivirus and advanced threat detection (EDR) as standard — antivirus catches known threats, EDR catches the unknown ones that haven’t been seen before. See our Antivirus & Security page.

Phishing attacks

Phishing remains the most widely used method attackers use to trick people into clicking a malicious link or handing over sensitive information. Spear phishing, where a specific person or group is targeted using their name or role to appear more legitimate, has grown significantly more common, and AI-generated phishing emails are now harder to distinguish from genuine messages than ever before. We filter phishing attempts before they reach the inbox and block malicious links at the network level even if one gets through. See our Email Defence Services and DNS Security pages.

Vishing and smishing

Voice phishing and SMS phishing have grown substantially — vishing attacks on professionals rose by 28% in 2024, and smishing volumes rose by around 35% in a single quarter of 2025. Increasingly, these attacks use AI voice cloning to impersonate a real, trusted person. See our mobile phishing page for more detail.

Other cybersecurity threats

Cybersecurity threats are wide-ranging, but commonly include attacks on third-party vendors and partners, zero-day attacks (exploiting vulnerabilities before a fix exists), DDoS (distributed denial-of-service) attacks, social engineering, and credential theft via unmanaged or personal devices connecting to business systems.

What makes a business an easy target

Businesses of every size are potential targets, but some are easier targets than others. Small and medium-sized businesses are now disproportionately targeted precisely because ransomware groups know they’re less likely to have layered defences or a tested recovery plan in place.

The common factors that make a business an easier target: employees who haven’t been trained to recognise a phishing attempt, weak or reused passwords without multi-factor authentication enforced, unpatched software, no central antivirus or threat detection, and no proper backup or disaster recovery plan to fall back on if something goes wrong.

How to prevent cyber attacks

Employee education. Educate your team on what different attacks look like and how to respond. Frequent, focused training significantly outperforms a single annual session. We deliver this as a dedicated service, including phishing simulations. See our Cybersecurity Awareness Training page.

Firewalls and managed antivirus. A firewall protects your network perimeter; antivirus and advanced threat detection protect every device. Both need to be kept current and properly managed, not installed once and left alone. See our Security page.

Access control, strong passwords, and MFA. Every account should have its own login, strong unique passwords, and multi-factor authentication enforced with no exceptions. This remains the single most effective control against account compromise. See our MFA vs 2FA page for our full position on this.

Encryption. Encrypting data converts it into a form unreadable without the correct key, protecting it even if a device is lost or intercepted in transit. See our Encryption as a Service page.

Backup and disaster recovery. No prevention strategy is complete without a tested plan for what happens if something still gets through. See our Backup and Disaster Recovery page.

One monthly fee. One number to call. The day-to-day risk of cyber attacks becomes our job, not yours.

Book your free site survey   or call +44 (0) 207 403 4031

FAQ

Common questions

How common are cyber attacks against small businesses?

Very common, and increasingly targeted specifically at smaller businesses. Verizon’s 2025 Data Breach Investigations Report found ransomware involved in 88% of breaches at small and medium-sized businesses, compared with 39% at large enterprises — attackers favour smaller businesses because they typically have fewer defences in place.

How quickly do people click on phishing links?

The median time for a user to click a phishing link is around 21 seconds after receiving it. This is far faster than any human-driven detection process can respond, which is why technical controls like email filtering and DNS-level blocking matter as much as staff training.

Has AI made phishing more dangerous?

Yes, significantly. AI tools have cut the time needed to write a convincing phishing email from around 16 hours of manual effort to minutes, and have removed many of the spelling and grammar mistakes that used to make phishing easier to spot. The defence against this isn’t a new category of tool — it’s making sure the existing fundamentals (MFA, email filtering, DNS filtering, training) are properly in place.

Does staff training actually reduce phishing risk?

Yes, but the approach matters. Untrained employees fail simulated phishing tests at a baseline rate of around 33%. With consistent, ongoing training rather than a single annual session, that figure can fall below 4% within 12 months for smaller organisations.

What’s the single most effective thing a business can do to prevent cyber attacks?

There isn’t one single control that’s sufficient alone — effective protection comes from layering several controls together: multi-factor authentication, managed antivirus and threat detection, email and DNS filtering, regular patching, and staff training. If forced to pick the highest-impact single control, multi-factor authentication is generally considered the most effective per pound spent, since it’s included in most existing licences and blocks the vast majority of account takeover attempts.

Is Network Fish’s cyber security service relevant for a very small business?

Yes. Smaller businesses are now disproportionately targeted by attackers precisely because they’re statistically less likely to have proper defences in place. The full security stack — antivirus, EDR, MFA, DNS filtering, email defence, patching, and backup — is included for every Network Fish managed support client regardless of business size.