Cyber crime is accelerating at an alarming rate, costing the global economy an estimated £7.9 trillion in 2024. High-profile breaches at large companies like Marks & Spencer make headlines, but the reality is that smaller businesses are just as vulnerable. In Greater Manchester - whether you're in manufacturing, retail, entertainment, engineering, construction, transport, finance or legal services - no organisation is "too small" to be a target. In fact, half of UK businesses suffered a cyber attack in the past year (including 58% of small businesses), with the average breach costing around £8,000 for a small business to recover.
How can local SMEs protect themselves? One way is to learn from the world's biggest cyber heists. These events may have hit big corporations, but the lessons they teach apply to everyone. Below we outline five major cyber incidents and the key takeaways to help Greater Manchester businesses strengthen their cyber defences.
Keeping your software, websites, and devices up-to-date is absolutely critical. Many attacks succeed by targeting known vulnerabilities in unpatched systems. Had TalkTalk applied the available updates in time, the attack would not have been possible. The same goes for small businesses: whether it's your office computers, servers, or even the plugins on your website, apply security patches promptly. Don't give attackers an easy way in through flaws that vendors have already fixed. Regular updates and a robust patch management plan can prevent breaches that might otherwise cost you heavily in fines, downtime, and reputation.
Greater Manchester SMEs are no exception - scammers constantly phish employees in local businesses. For example, a Manchester-based construction SME (around 50 staff) nearly lost £22,000 when an accounts clerk received an email that appeared to be from their MD requesting an urgent payment. The message looked convincing (the tone and signature matched the real boss), so the payment was made - only for the team to discover they had been scammed when the real MD walked in moments later. The company had no internal verification process for payments, making the fraud easy. (They have since implemented a two-step payment sign-off and staff phishing training.)
Educate your team and instil a security-aware culture. Regularly train employees to recognise phishing emails, suspicious links, and social engineering tricks. Emphasise "pause and verify": if an unusual request comes in (like transferring money or sending sensitive files), staff should double-check by calling the supposed sender on a known number or following internal procedures. Simple policies - for example, requiring a second person to approve large payments - can stop fraud in its tracks. Your people are effectively a "human firewall" for your business. Strengthening that human firewall through awareness and cyber hygiene (using strong passwords, not clicking unknown links, and so on) is often the best defence against cyber heists that technology might miss.
The attackers got in through a single compromised password to an old VPN account - and critically, the VPN had no multi-factor authentication (MFA) enabled. In other words, the hackers only needed a stolen username and password to access Colonial's network; no secondary verification was required. This glaring gap in security "was a sign of poor cyber security hygiene", experts later noted, and enabling MFA could likely have thwarted the attack.
Don't rely on passwords alone. For all your important systems - email, remote desktop/VPN, cloud apps, banking - enable MFA (e.g. one-time codes, mobile app prompts) so that a password isn't enough to break in. Also enforce strong, unique passwords (consider a password manager to help staff manage these). Many breaches, big and small, trace back to weak passwords. By using MFA and good password practices, even if credentials are stolen or guessed, attackers will hit a dead end. This is a low-cost step that dramatically improves security for any size of business. In short: lock the front door to your accounts with more than just a key - add a deadbolt (MFA) too!
Even here in the UK, similar tactics have been used on a smaller scale. In one case, an employee at a UK energy firm received a call that sounded exactly like their CEO, requesting an urgent £200,000 transfer - it turned out to be AI voice-cloning fraudsters on the phone. These kinds of attacks, using deepfake audio or video, are on the rise as the technology becomes more accessible and realistic.
Always verify unusual or high-stakes requests through a secondary channel. If you get an unexpected instruction supposedly from your boss or a client (whether by email, phone, or video), don't solely trust the medium. Call them back on a known number, or confirm in person if possible. Implement strict policies for fund transfers, such as requiring written confirmation and a callback for anything over a certain amount. It's also wise to raise awareness among your staff that deepfakes exist - seeing is not always believing anymore. By fostering a healthy scepticism and verification culture, you can prevent high-tech impersonators from making off with your money or data. When in doubt, check it out via another method.
Plan for worst-case scenarios. Some attacks won't politely ask for a ransom - they'll just knock out your IT and erase data. Every business, no matter the size, should have a disaster recovery and backup strategy. Regularly back up your critical data offline or to secure off-site storage (so a malware infection can't reach it) and test those backups. Develop an incident response plan: if your computers got wiped or locked up tomorrow, how would you restore operations? Who would you call? Having answers to these questions can make the difference between a bad day and the end of your business. Also, recognise that cyber warfare isn't just "someone else's problem". If a supplier or a larger partner you integrate with is hit, it could impact you as well. By learning from events like NotPetya, we see the importance of building resilience: robust data backups, network segmentation, up-to-date security software, and contingency plans to keep the business running if digital systems go down. Hope for the best, but prepare for the worst.
The cyber threat landscape is constantly evolving, but the fundamental lessons from these high-profile heists remain consistent: keep your systems updated, educate and verify your people, secure your access points, and prepare for the unexpected. Cyber attacks continue to rise against UK SMEs, yet many breaches are preventable with basic precautions.
The good news is you don't need a Fortune 500 budget to drastically improve your security. By applying the lessons above, Greater Manchester businesses can make themselves a much harder target. Start with the basics - patch your software, turn on MFA, train your staff, back up your data - and you'll already be ahead of most. Cyber criminals often go after the lowest-hanging fruit; a bit of proactivity ensures that fruit isn't yours.
At Apex, we believe in making cyber security accessible, understandable, and achievable for every business. If you're not sure where to start, or if you're worried your current setup might have gaps, we're here to help.
Let's make cyber security one less thing to worry about.