Professor Steven Furnell FBCS and colleagues announce the CyCOS Project — a community support initiative designed to enhance cyber resilience among small and medium-sized enterprises.

There are almost 5.5 million small to medium-sized enterprises (SMEs) in the UK, collectively accounting for 99.8% of the business population and 60% of employment. A startling statistic from the 2025 Cyber Security Breaches Survey is that half of small businesses have experienced a cybersecurity breach or attack in the past year.

The survey also suggests that many SMEs do not focus on key areas of security and are potentially unaware of available resources, and that cybersecurity can often be an area in which SMEs feel isolated and out of their depth.

Why do SMEs struggle with cybersecurity?

Consider the following quotes from SMEs that we interviewed about their cybersecurity support needs:

  • ‘It's very difficult to find peers that have a similar mindset to our own, of a similar size, that we can have a conversation with’
  • ‘What we don't know of … is a network of people that you can share best practices with … there's nobody around’
  • ‘One of the things I've struggled to find is a community … I've looked in various places and I think because my role isn't necessarily deeply technical … it has been difficult to do’
  • ‘Having somebody…that understood our environment that could help us really quickly if we had an issue… it would almost be “an extension of me” type of thing. That would help us immensely’

Cybersecurity is not an easy proposition for SMEs and can be a lonely place if they don’t have connections within that field. Many are challenged by a lack of funding, a lack of expertise and a lack of time, and in many cases, these practical constraints mean that cybersecurity is low on their list of priorities. While some, particularly medium-sized businesses, outsource it to external providers (sometimes along with their wider IT), others do their best to fend for themselves or, in some cases, simply ignore the issue and hope they remain secure.

One key problem that SMEs have reported is a lack of consistent guidance around what they should be doing. While numerous resources exist, an early investigation through our project revealed that they can vary significantly in terms of coverage, consistency and completeness. Moreover, most will highlight what needs to be done, but they don’t get the SMEs any closer to actually being able to do it. Awareness, in this case, is the starting point of the process, not the outcome.

The benefits of community collaboration

In response to the challenge, and in particular the points raised in the earlier quotes, we are piloting a new approach through the Cyber Security Communities of Support (CyCOS) project. Our key aim is to bring SMEs together with cyber experts through a free, community-based approach, thereby enabling advice, guidance and support to be offered within a community of SME peers. Such communities may be based upon one or more of the following characteristics:

  • Location: the default assumption when initially planning our approach was that SMEs could be grouped based upon their physical location, with the advantage that it would enable community members to get together in face-to-face contexts
  • Sector: various respondents during our earlier research suggested that SMEs may wish to come together based on a common area of business on the basis that this would give them more of a shared sense of what their specific cybersecurity needs might be. At the same time, others have suggested that they may prefer not to be grouped alongside organisations that may potentially be competitors
  • SME size: the label ‘SME’ encompasses organisations of anything from 1 to 249 people, and so it’s important to recognise that the experiences and constraints of a sole trader or micro business are likely to be quite different from those at the high end of the medium-size group
  • SME maturity: more established SMEs may be at a different stage of the journey to start-ups, and it must be recognised that the nature of the community discussion may change as the journey continues
  • Supply chain: here, it is envisaged that the community members' commonality would come from being supply chain partners of a larger organisation, which in turn could be the primary source of initial cyber expertise. This links to the notion of the 'Cyber Charter' proposed in 2024’s McPartland Review

Online interactions within the communities will be supported and enabled by a ‘support broker’ environment, enabling community members to ask questions, seek recommendations and guidance or initiate more general discussions. The platform will be based on the discussion platform Discourse, with each community having its own space, and members will be able to address the whole community or channel their contributions in a more targeted manner (such as only involving cyber experts, rather than sharing with the entire group).

Maintaining the community of SMEs

It is intended that SMEs will be able to benefit from the communities by:

  • Accessing community knowledge of cybersecurity
  • Receiving impartial advice and guidance from contributing security professionals
  • Discovering relevant resources recommended by community members
  • Joining (or initiating) community activities tailored to their needs and interests
  • Learning from other SMEs’ cybersecurity experiences and sharing their own experiences to help others

Of course, all of this is good in theory, but a significant challenge is to ensure that communities can be formed and maintained effectively. Indeed, part of the research element of the project relates to this experience (specifically, what does it take to recruit and sustain engagement?). The pilot communities are intended to run from autumn 2025 through to early 2026, with at least three communities operational (and ideally involving a mix of models).

If you are interested in joining a community of support and participating in one of our pilots, we’d love to hear from you. Our contact details, as well as more information about the project in general, can be found at www.cycos.org

About the authors

Steven Furnell, Neeshe Khan and Ram Herkainadu, School of Computer Science, University of Nottingham; Maria Bada and Matthew Rand, School of Biological and Behavioural Sciences, Queen Mary University of London; Jason R.C. Nurse, School of Computing, University of Kent.

The CyCOS project

The CyCOS project is a two-and-a-half-year initiative funded by the Engineering and Physical Sciences Research Council (EPSRC), and linked to the Research Institute for Socio-technical Cyber Security (RISCS). It is a collaborative project led by the University of Nottingham, in partnership with Queen Mary University of London and the University of Kent, and supported by additional organisations including the Chartered Institute of Information Security, the Federation of Small Business, the Home Office, IASME, ISC2 and three regional Cyber Resilience Centres.