5 Cyber Security Lessons SMEs Can Learn From Big Cyber Heists
August 4, 2025 | Cyber Security | News by Apex Computing
Cyber crime is accelerating at an alarming rate, costing the global economy an estimated £7.9 trillion in 2024. High-profile breaches at large companies like Marks & Spencer make headlines, but the reality is that smaller businesses are just as vulnerable. In Greater Manchester - whether you're in manufacturing, retail, entertainment, engineering, construction, transport, finance or legal services - no organisation is "too small" to be a target. In fact, half of UK businesses suffered a cyber attack in the past year (including 58% of small businesses), with the average breach costing a small business around £8,000 to recover from.
How can local SMEs protect themselves? One way is to learn from the world's biggest cyber heists. These events may have hit big corporations, but the lessons they teach apply to everyone. Below we outline five major cyber incidents and the key takeaways to help Greater Manchester businesses strengthen their cyber defences.
1. Patch and Update Your Systems (Lessons from TalkTalk's Data Breach)
One of the UK's largest telecom breaches - the TalkTalk hack of 2015 - happened because the company failed to patch a known security flaw. Attackers used an SQL injection attack against outdated web pages and database software (for which a fix had been available for years) to steal the personal data of nearly 157,000 customers, including the bank account details of more than 15,000 of them. The Information Commissioner's Office fined TalkTalk £400,000 for not having "the most basic cyber security measures" in place - at the time a record fine under data protection law.
Lesson for SMEs:
Keeping your software, websites and devices up to date is absolutely critical. Many attacks succeed by targeting known vulnerabilities in unpatched systems. Had TalkTalk applied the available update in time, that route in would have been closed. The same goes for small businesses: whether it's your office computers, servers, firewalls or the plugins on your website, apply security patches promptly, and prioritise anything exposed to the internet and any flaw the vendor or the NCSC says is being actively exploited. Don't give attackers an easy way in through flaws that vendors have already fixed. A robust patch management plan - an inventory of what you run, a schedule for updates and a check that they actually installed - can prevent breaches that might otherwise cost you heavily in fines, downtime and reputation.
2. Strengthen Your Human Firewall (Lessons from WannaCry and Phishing Scams)
Technology alone isn't enough - people are often the weakest link. The infamous WannaCry ransomware outbreak of 2017 showed what happens when basic hygiene slips. WannaCry infected over 200,000 computers across 150 countries - including dozens of NHS hospitals in England that had to turn away patients and cancel surgeries. Why was this so devastating? WannaCry needed no clicks at all: it spread by itself between Windows machines through a flaw in the SMB file-sharing service (the EternalBlue exploit) that Microsoft had patched two months earlier, so any organisation still running old or unpatched Windows was exposed. Most ransomware, though, still arrives the way attackers find easiest - through people. In the UK, phishing was reported by 84% of businesses that identified an attack or breach in the past year, making it by far the most common type.
Greater Manchester SMEs are no exception - scammers constantly phish employees in local businesses. For example, a Manchester-based construction SME (around 50 staff) nearly lost £22,000 when an accounts clerk received an email that appeared to be from their MD requesting an urgent payment. The message looked convincing (the tone and signature matched the real boss), so the payment was made - only for the team to discover they had been scammed when the real MD walked in moments later. The company had no internal verification process for payments, making the fraud easy. (They have since implemented a two-step payment sign-off and staff phishing training).
Lesson for SMEs:
Educate your team and instil a security-aware culture. Regularly train employees to recognise phishing emails, suspicious links and social engineering tricks. Emphasise pause and verify: if an unusual request comes in (like transferring money or sending sensitive files), staff should double-check by calling the supposed sender on a number they already hold, or by following internal procedures. Simple policies - for example, requiring a second person to approve large payments or any change to a supplier's bank details - can stop fraud in its tracks. Your people are effectively a "human firewall" for your business. Strengthening that human firewall through awareness and cyber hygiene (strong, unique passwords, not clicking unknown links, reporting anything suspicious without fear of blame) is often the best defence against cyber heists that technology might miss.
3. Protect Your Accounts with Strong Authentication (Lessons From The Colonial Pipeline Hack)
Sometimes, one weak password is all a hacker needs. In 2021, the largest fuel pipeline operator in the US, Colonial Pipeline, was crippled by a ransomware attack that caused fuel shortages. How did the attackers get in?
Through a single compromised password for a legacy VPN account that was no longer in use but had never been disabled - and critically, the VPN had no multi-factor authentication (MFA) enabled. In other words, the hackers only needed a username and password (later found in a batch of leaked credentials) to access Colonial's network; no secondary verification was required. This gap "was a sign of poor cyber security hygiene", experts later noted, and enabling MFA would very likely have thwarted the attack.
Lesson for SMEs:
Don't rely on passwords alone. For all your important systems - email, remote desktop/VPN, cloud apps, banking - enable MFA (e.g. one-time codes, mobile app prompts or, better still, hardware security keys) so that a password isn't enough to break in. Prefer an authenticator app or security key over SMS codes, which can be intercepted, and remember that attackers now phish one-time codes too: staff should never read a code out over the phone or type it into a site they didn't navigate to themselves. Also enforce strong, unique passwords (a password manager helps staff manage these), and disable accounts and remote-access routes that are no longer used - Colonial's way in was a forgotten one. Many breaches, big and small, trace back to weak or reused passwords. With MFA and good password practices, even if credentials are stolen or guessed, attackers hit a dead end. This is a low-cost step that dramatically improves security for any size of business. In short: lock the front door to your accounts with more than just a key - add a deadbolt (MFA) too!
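To make the "deadbolt" concrete, here is an added example (not code from the original article or from Apex Computing) showing how the one-time codes in an authenticator app are actually derived and checked, following the HOTP (RFC 4226) and TOTP (RFC 6238) standards, and why a phished password on its own no longer opens the account. The user record and the login flow around the codes are hypothetical, constructed for illustration.

```python
# Added example (not from the original article): RFC 4226 HOTP / RFC 6238 TOTP
# plus a hypothetical login check that requires password AND a fresh code.
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (default 30-second steps)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


# --- Hypothetical SME login flow built on the codes above (assumption) -------

def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a slow, salted hash (PBKDF2-HMAC-SHA256, 200k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes, mfa_enabled: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "mfa_enabled": mfa_enabled}


def login(user: dict, password: str, code: Optional[str], now: int) -> Tuple[bool, str]:
    """Password AND a valid TOTP code are both required when MFA is on.
    Returns (allowed, reason) so callers can see why a login failed."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    if not user["mfa_enabled"]:
        return True, "password only (MFA off: the Colonial Pipeline gap)"
    if code is None or not verify_totp(user["totp_secret"], code, now):
        return False, "password correct but MFA code missing or wrong"
    return True, "password + MFA ok"


if __name__ == "__main__":
    # Constructed scenario: a clerk's account; the attacker has phished the password.
    secret = os.urandom(20)                      # the secret the authenticator app enrolled
    clerk = make_user("Summer2025!", secret)
    now = 1_754_265_600                          # an arbitrary Unix time
    print(login(clerk, "Summer2025!", totp(secret, now), now))  # legitimate user, app in hand
    print(login(clerk, "Summer2025!", None, now))               # stolen password only
    print(login(clerk, "Summer2025!", "123456", now))           # stolen password, guessed code
```

The `window` parameter is the usual trade-off: a one-step tolerance copes with phone clocks a few seconds out, while a wider window gives an attacker who captured a code more time to replay it. Note that a code an employee reads out to a "help desk" caller is valid inside that window too, which is why the text above warns against sharing codes at all.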
4. Verify Identities - Don't Get Duped by Deepfakes and Impersonators
Cyber criminals are now leveraging AI to impersonate voices and even faces - so don't take things at face value (literally). One of the wildest recent heists was a $25 million deepfake scam in early 2024: criminals staged an AI-generated video call in which they impersonated a company's CFO and other staff, tricking a finance employee in Hong Kong into transferring funds to the attackers' accounts. The deepfakes were so convincing that the employee believed he was on a legitimate call with his real colleagues - but in fact he was the only human on the line; everyone else was an AI-generated impostor. By the time the fraud was uncovered, the money was gone.
Even here in the UK, similar tactics have been used on a smaller scale. In a 2019 case, an executive at a UK energy firm received a call that sounded exactly like the chief executive of its German parent company, requesting an urgent transfer of about £200,000 (€220,000) - it turned out to be fraudsters using AI voice cloning. These kinds of attacks, using deepfake audio or video, are on the rise as the technology becomes more accessible and realistic.
Lesson for SMEs:
Always verify unusual or high-stakes requests through a secondary channel. If you get an unexpected instruction supposedly from your boss or a client (whether by email, phone or video), don't trust the medium on its own. Call them back on a number you already hold - never one supplied in the request itself - or confirm in person if possible. Implement strict policies for fund transfers, such as requiring written confirmation and a callback for anything over a certain amount, and make it clear that no one, however senior, can waive that step under time pressure; urgency and secrecy are the fraudster's main tools. It's also wise to raise awareness among your staff that deepfakes exist - seeing is not always believing anymore. By fostering a healthy scepticism and verification culture, you can prevent high-tech impersonators from making off with your money or data. When in doubt, check it out via another method.
5. Prepare For The Worst - Some Attacks Just Aim to Destroy (Lessons from NotPetya)
Not every cyber attack is about quick cash - some are about causing maximum damage. The NotPetya malware attack is a sobering example. First unleashed in June 2017, NotPetya initially looked like ransomware similar to WannaCry, but it was actually a data-destroying wiper. It arrived through a poisoned software update for M.E.Doc, an accounting package used by most companies doing business in Ukraine, then spread across networks using the same EternalBlue flaw as WannaCry together with stolen administrator credentials. It crippled companies, governments, ports and infrastructure around the world; the total damage was estimated at around $10 billion. Even though it started as a state-sponsored attack targeting Ukrainian systems, it didn't stop there - major international businesses (shipping giant Maersk, consumer goods company Reckitt Benckiser, law firm DLA Piper and many others) were collateral damage, their networks wiped in minutes. There was no decryption key or ransom that could restore the data; the goal was pure destruction.
Lesson for SMEs:
Plan for worst-case scenarios. Some attacks won't politely ask for a ransom - they'll just knock out your IT and erase data. Every business, no matter the size, should have a disaster recovery and backup strategy. Regularly back up your critical data offline or to secure off-site storage that a compromised machine cannot write to (so a malware infection can't reach it), keep more than one copy, and actually test restoring from them - a backup you have never restored is only a hope. Maersk rebuilt its entire global network from a single domain controller that had survived only because a power cut in its Ghana office had kept it offline during the attack. Develop an incident response plan: if your computers got wiped or locked up tomorrow, how would you restore operations? Who would you call? Having answers to these questions can make the difference between a bad day and the end of your business. Also, recognise that cyber warfare isn't just "someone else's problem". NotPetya reached its victims through a trusted supplier's software update; if a supplier or a larger partner you integrate with is hit, it could impact you as well. By learning from events like NotPetya, we see the importance of building resilience: robust data backups, network segmentation so one infected machine can't reach everything, up-to-date and patched systems, and contingency plans to keep the business running if digital systems go down. Hope for the best, but prepare for the worst.
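As an added example (not code from the original article or from Apex Computing), here is a small backup-and-restore drill in the spirit of "back up your data and test those backups". It records a SHA-256 hash of every file, copies the data to a backup location, simulates a NotPetya-style wiper on the live copy, and then proves the backup restores cleanly by checking every restored file against the recorded hashes. The directories and sample files are constructed for the demonstration; the "offline" backup is simulated by a directory the wiper never touches.

```python
# Added example (not from the original article): a backup drill with a
# hash manifest, a simulated wiper, and a verified restore.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(live: Path, backup: Path) -> dict:
    """Copy the tree and store a manifest beside it. In production the backup
    target must be somewhere malware on the live network cannot write to
    (offline media, immutable cloud storage); here it is simply a separate
    directory that the simulated wiper below never touches (assumption)."""
    manifest = build_manifest(live)
    shutil.copytree(live, backup / "data")
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def check_against_manifest(root: Path, manifest: dict) -> list:
    """Return relative paths that are missing or whose content no longer matches."""
    bad = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def simulate_wiper(root: Path) -> None:
    """Overwrite every file with zeros: no ransom note, no decryption key."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(b"\0" * p.stat().st_size)


def restore(backup: Path, target: Path) -> dict:
    """Restore from the backup copy and return the manifest stored with it."""
    shutil.copytree(backup / "data", target)
    return json.loads((backup / "manifest.json").read_text())


def run_drill() -> dict:
    """Full drill; returns counts that a test (or a quarterly DR review) can check."""
    root = Path(tempfile.mkdtemp(prefix="backup-drill-"))
    live, backup, recovered = root / "live", root / "backup", root / "recovered"
    try:
        # Constructed sample data standing in for a small firm's files.
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2025-08-01,1200\n")
        (live / "contracts.txt").write_text("Client A: signed 2025-07-30\n")

        manifest = back_up(live, backup)
        simulate_wiper(live)                               # the "bad day"
        damaged = check_against_manifest(live, manifest)   # every file now fails its hash
        stored = restore(backup, recovered)
        still_bad = check_against_manifest(recovered, stored)
        return {"files": len(manifest), "damaged_after_wiper": len(damaged),
                "mismatches_after_restore": len(still_bad)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_drill())   # {'files': 2, 'damaged_after_wiper': 2, 'mismatches_after_restore': 0}
```

The manifest is the part most small-business backup routines are missing: without recorded hashes you can see that a restore produced files, but not that they are the files you had. Run the same check the morning after each backup and keep the manifest with the backup, not on the live system, so a wiper cannot destroy the evidence along with the data.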
Conclusion: Stay Vigilant and Take Action
The cyber threat landscape is constantly evolving, but the fundamental lessons from these high-profile heists remain consistent: keep your systems updated, educate and verify your people, secure your access points, and prepare for the unexpected. Cyber attacks continue to rise against UK SMEs, yet many breaches are preventable with basic precautions.
The good news is you don't need a Fortune 500 budget to drastically improve your security. By applying the lessons above, Greater Manchester businesses can make themselves a much harder target. Start with the basics - patch your software, turn on MFA, train your staff, back up your data - and you'll already be ahead of most. Cyber criminals often go after the lowest-hanging fruit; a bit of proactivity ensures that fruit isn't yours.
At Apex, we believe in making cyber security accessible, understandable, and achievable for every business. If you're not sure where to start, or if you're worried your current setup might have gaps, we're here to help.
Let's make cyber security one less thing to worry about.