
Cyber security professionals working across UK SMEs are under mounting pressure on multiple fronts. Clearly, the threat landscape continues to be extremely challenging, but at the same time they must balance their efforts to protect networks and data with the day-to-day realities of managing limited resources, securing board-level support, and keeping pace with new technologies.
But how do these issues manifest themselves across the SME ecosystem? Recently published research from Six Degrees gathered data from 350 IT security professionals working in organisations employing between 250 and 1,000 people.
Among the issues that caused the biggest cyber security frustration for SMEs last year, the cost of implementing cyber security services came out on top at 43%. Close behind, however, are the time it takes to implement services (35%), insufficient communication around best practice (35%) and, for a third of respondents, an inability to fully utilise existing cyber security protection solutions. In this context, it’s clear that organisational frustrations can exacerbate each other, adding to the challenges IT teams face.
Despite these challenges, 88% of SMEs believe their security posture has improved over the past 12 months, with 34% reporting significant progress. Increased tool adoption has been a major factor, while 73% say that cloud migration has enhanced their ability to protect against attacks. But internal IT infrastructure remains a weak link, with 42% naming it their biggest challenge during incidents, especially when combined with skills shortages and out-of-hours attacks.
This is an interesting juxtaposition and raises a question over whether this shared sense of optimism is misplaced. While AI-generated attacks dominate the list of concerns for the rest of this year, the nature of these threats is still rooted in familiar territory. AI is not yet unleashing entirely new forms of attack, but it is dramatically enhancing the speed, scale, and precision of existing tactics, from spear-phishing to impersonation scams.
Also, while investing in cyber security tools may offer reassurance, it doesn’t guarantee resilience. Many SMEs assume that purchasing a solution means the problem is solved, yet without the in-house skills to deploy, manage, and test those tools effectively, their value is often left unrealised, as demonstrated by the third of respondents frustrated by their inability to fully utilise existing solutions. Instead, true protection demands more than a budget – it requires a combination of ongoing monitoring, regular testing, and a readiness to adapt as attackers evolve their methods.
On the horizon
Given this situation, what can SMEs expect from the security landscape going forwards? For over a third (35%), AI-generated cyber-attacks top the list of concerns for 2025. At the same time, however, most believe AI will be a net positive for security teams, particularly when integrated into SIEM and SOC tooling. There’s also growing momentum behind managed services: 66% of SMEs expect to become more reliant on them in the next 12 months, and more than 80% see this as a positive development. While threat intelligence is the most widely used cyber security service today, only a third of SMEs currently consume it as a managed solution.
Looking more closely at the security landscape SMEs expect to face, not all threats are treated equally, but that doesn’t mean they pose less risk. Impersonation token attacks, for example, represent one of the most dangerous and underappreciated threats facing SMEs today. These attacks can bypass multi-factor authentication by hijacking access tokens, effectively handing over control to bad actors. They are especially prevalent in Microsoft 365 environments, yet fall near the bottom of the priority list for most respondents (a top concern for just 10%). That gap between perception and reality should be a cause for concern.
It’s a similar story with deepfakes and zero-day vulnerabilities, both identified as lower-level worries despite their potential to cause serious disruption. Whether through convincingly falsified video content or the exploitation of previously unknown weaknesses, these threats should be given greater attention. As attackers get smarter and better resourced, SMEs must ensure their defences are built on real-world threat awareness, not outdated assumptions.
Bring all these factors together, and they offer SMEs a balanced perspective on the nature of the risks they face. Yes, they should be concerned about AI-generated cyber-attacks, but that concern must also be proportionate. For now, AI is an enabler for existing threats rather than a facilitator of new kinds of attacks. So, it’s essential to keep focused on familiar cybercriminal tactics and maintain a vigilant approach.
The bottom line is that the welcome levels of confidence in improved cyber security posture must be matched by a dispassionate assessment of operational readiness. Organisations that can draw on all the expertise and experience at their disposal, both internal and external, will be well placed to strike the right balance and deliver on their security objectives.
















