
From Bakeries to Banks: Why Every Business with Digital Assets Needs Cybersecurity

No business is too small for cyberattacks. Learn why every company with digital assets, from bakeries to banks, needs to take cybersecurity seriously.


    Introduction

    When you think about cybersecurity threats, what comes to mind? Probably major banks, government agencies, or tech giants making headlines after data breaches. But here’s something that might surprise you: that independent bakery down the street with the sleek loyalty app? They’re just as much a target.

    The digital revolution hasn’t just transformed how corporations operate; it’s fundamentally changed every business, regardless of size or sector. And with that transformation comes risk.

    You’re More Digital Than You Think

    Take a moment to consider the digital tools your business uses. A customer relationship management (CRM) system? That’s a digital asset. Cloud-based accounting software? Digital asset. An app for booking appointments or tracking orders? Digital asset. Payment processing systems, email marketing platforms, inventory management tools? You guessed it, they’re all digital assets.

    The point is this: if your business relies on technology to function, you’re operating in the digital space. And that means you’re vulnerable to the same threats facing organisations a hundred times your size.

    A local coffee shop using Square for payments and Mailchimp for newsletters might seem worlds apart from a multinational financial institution. But from a hacker’s perspective, both are opportunities. Both store valuable data. Both could provide entry points into broader networks.

    The False Security of Outsourcing

    Here’s where many business owners get tripped up. You’ve moved your operations to the cloud, outsourced your IT support, or adopted software-as-a-service platforms. Surely the security is someone else’s problem now, right?

    Wrong.

    When businesses outsource services, whether that’s cloud storage, help desk support, or case management systems, they often believe they’re also offloading the associated security risks. But that’s not how it works: you can delegate the operation of a system, but not the accountability for the data in it.

    If your third-party vendor gets compromised and your customer data gets leaked, it’s your business that suffers. Your reputation takes the hit. Your clients lose trust in you, not in the vendor they’ve never heard of. And potentially, your business faces legal consequences.

    Recent events have made this painfully clear. Look at the Jaguar Land Rover situation, where a compromise at their IT services provider TCS has created chaos throughout their supply chain. Smaller suppliers are now laying off staff, and there are calls for government intervention to prevent business failures. JLR themselves conducted extensive security testing, but they couldn’t test what they didn’t control: their third-party providers.

    The companies in JLR’s supply chain didn’t do anything wrong. They simply trusted that JLR, a major corporation, had their house in order. But when the weak link was a supplier to JLR, everyone downstream paid the price.

    Nobody’s Too Small to Attack

    There’s a comforting myth that small businesses fly under hackers’ radar. Why would cybercriminals waste time on your ten-person operation when they could target corporations with millions in assets?

    This thinking misunderstands how modern cyberattacks work.

    Yes, high-profile ransomware groups make headlines by hitting major organisations. They want the publicity, the clout, the bigger payouts. But these visible attacks represent a fraction of what’s actually happening.

    For every attention-seeking group causing public disruption, there are countless professional attackers working quietly. They’re not interested in fame; they want access. And they’ll maintain that access for as long as possible without being detected, harvesting data, monitoring communications, or using your systems as a stepping stone to bigger targets.

    Small businesses are often easier targets because they typically have weaker security infrastructure. Your systems might lack the monitoring and defences that large corporations invest in. That bakery loyalty app storing customer names, contact details, order history and payment information? Even where the card numbers themselves are tokenised by the payment processor, what remains is enough for fraud and convincing phishing, and it’s a goldmine for someone who knows what they’re doing.

    The Third-Party Problem

    When discussing penetration testing with clients, one of the most common challenges is scope limitation. You want to test your website thoroughly, but the moment you hit a third-party integration (a payment processor, a chatbot service, an embedded booking system) you have to stop.

    Why? Because legally, you can’t test systems you don’t own or control, even if they’re integrated into your platform. Under the Computer Misuse Act, accessing a system without authorisation is an offence, so testing requires explicit permission from whoever owns that system. Your payment gateway provider isn’t yours to test, even though it’s handling your customers’ transactions right there on your site. The same applies to anything you’ve outsourced: a CNAME pointing at a vendor’s service, or a server a hosting company runs for you, still belongs to someone else.

    This creates blind spots. Critical business functions that you depend on daily become untestable areas in your security posture. You’re trusting that the third party has done their due diligence, but you have no way to verify that.

    The major cloud providers, Amazon Web Services, Google Cloud Platform and Microsoft Azure, have addressed this well. They publish clear guidelines on what customers can test and permit common types of security assessment against the customer’s own resources without asking first. This allows businesses to verify that their cloud configurations are secure. The permission covers your tenant, not the provider’s shared infrastructure, so scope still stops at the boundary of what you control.

    But many other vendors haven’t caught up. Some actively resist when customers request security information or permission to conduct testing. And that resistance should concern you.
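    The scope problem above is easiest to handle before testing starts: check every target against what the client actually owns and has signed off, and drop anything that turns out to be a third party in disguise. The script below is an added example, not code from the original post or from any tool the post mentions. The authorised IP range, the domain, and the DNS records it consults are all constructed so that it runs offline; a real version would resolve names with a resolver and read the scope from the signed authorisation letter.

```python
"""Pre-engagement scope check (added example, not from the original post).

Confirms each target sits inside the scope the client owns and has
authorised. Hostnames that CNAME to a vendor (payment gateway, chat widget)
or resolve outside the client's address ranges are excluded, because the
client's permission does not extend to those systems.

Every range, domain and DNS record here is constructed for illustration.
"""
import ipaddress

# Constructed authorisation: what the client owns and has signed off on.
# 203.0.113.0/24 is the TEST-NET-3 documentation range.
AUTHORISED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
AUTHORISED_DOMAINS = ["example-bakery.co.uk"]

# Constructed DNS view, embedded so the script runs offline.
DNS = {
    "www.example-bakery.co.uk":  {"a": "203.0.113.10"},
    "shop.example-bakery.co.uk": {"a": "203.0.113.11"},
    # Third parties behind the client's own hostnames:
    "pay.example-bakery.co.uk":  {"cname": "checkout.gateway-vendor.example",
                                  "a": "198.51.100.7"},
    "chat.example-bakery.co.uk": {"cname": "widget.chat-vendor.example",
                                  "a": "198.51.100.9"},
    # Lookalike that contains the client's domain but is not under it:
    "example-bakery.co.uk.attacker.example": {"a": "203.0.113.12"},
}


def in_authorised_domain(host: str) -> bool:
    """True only for the domain itself or a label-boundary subdomain of it.

    A plain substring test would accept 'example-bakery.co.uk.attacker.example';
    the suffix test with the leading dot does not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AUTHORISED_DOMAINS)


def in_authorised_cidr(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORISED_CIDRS)


def classify(target: str) -> tuple:
    """Return (verdict, reason); verdict is 'in-scope' or 'out-of-scope'."""
    target = target.lower().rstrip(".")

    # Bare IP address: authorised only if it sits in a signed-off range.
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass
    else:
        if in_authorised_cidr(target):
            return ("in-scope", "IP in authorised range")
        return ("out-of-scope", "IP outside authorised ranges")

    if not in_authorised_domain(target):
        return ("out-of-scope", "hostname not under an authorised domain")
    record = DNS.get(target)
    if record is None:
        return ("out-of-scope", "does not resolve; nothing to test")
    cname = record.get("cname")
    if cname and not in_authorised_domain(cname):
        return ("out-of-scope", f"CNAME to third party {cname}; needs their permission")
    if not in_authorised_cidr(record["a"]):
        return ("out-of-scope",
                f"resolves to {record['a']}, outside authorised ranges (hosted elsewhere)")
    return ("in-scope", "authorised domain resolving to an authorised address")


def split_scope(targets) -> dict:
    """Partition a target list into {'in-scope': [...], 'out-of-scope': [...]}."""
    result = {"in-scope": [], "out-of-scope": []}
    for t in targets:
        verdict, reason = classify(t)
        result[verdict].append((t, reason))
    return result


if __name__ == "__main__":
    proposed = list(DNS) + ["203.0.113.50", "198.51.100.7"]
    for verdict, entries in split_scope(proposed).items():
        print(verdict)
        for target, reason in entries:
            print(f"  {target}: {reason}")
```

    The hostnames `pay.` and `chat.` are the interesting cases: they look like the client’s, but the CNAME hands them to a vendor, so they come out of scope unless that vendor gives permission separately.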

    Asking the Right Questions

    Before adopting any new digital tool or platform, you need to ask hard questions:

    Has this software been independently security tested? Don’t accept marketing claims about “bank-level security” or “enterprise-grade protection.” Ask for evidence. Request penetration test reports, or at least a recent summary from the tester, and ask what was done about the findings; a report full of unfixed issues is evidence of the opposite.

    What data will this system hold, and how is it protected? Understand exactly what information you’re entrusting to this vendor and what safeguards are in place.

    What happens if there’s a breach? Does the vendor have cyber insurance? What’s their incident response process? How quickly will they notify you?

    Can we conduct our own security testing? If a vendor refuses to allow security assessments or becomes evasive about their security practices, consider that a red flag.

    Who has access to our data? Understand not just the company’s security measures, but who within that organisation can access your information.

    These questions might feel uncomfortable to ask. You might worry about seeming difficult or paranoid. But these are reasonable, necessary questions for any business serious about protecting their assets and their customers.

    Your Responsibility, Not Theirs

    A company we worked with last year discovered potential security issues with their case management software. This software was the backbone of their practice: it contained sensitive client information, case files, and confidential communications.

    The vendor was, to put it mildly, unhelpful. Getting clear answers about their security practices was nearly impossible. Our client suspected the vendor was deliberately obstructive because transparency might reveal significant vulnerabilities.

    So they made a decision: they offered to pay for independent security testing themselves. It shouldn’t be their responsibility; the vendor should be ensuring their product is secure. But our client recognised that their clients’ data is ultimately their responsibility. If something goes wrong, it’s their name that gets dragged through the mud, not the software vendor’s.

    This is the uncomfortable reality of digital business operations. You can’t simply trust that others are doing their jobs properly. The stakes are too high.

    Patching: The Perennial Problem

    You’ll often see statistics claiming that some percentage of cyberattacks exploit unpatched software vulnerabilities. Take the exact figures with caution: nobody truly knows what share of attacks falls into any given category, because we don’t know about every attack. Many successful breaches go undetected for months or years.

    But the underlying point is valid: outdated software is a constant security risk.

    Keeping systems updated sounds simple in theory. In practice, it’s challenging. You need to balance security patches against system stability, coordinate updates across different platforms, and ensure patches don’t break critical functionality.

    The key is prioritising. Focus on your core business assets first, the systems that, if compromised, would seriously damage your operations. Then ensure your end-user devices are properly maintained, because they face the highest risk. People open suspicious emails. They click on attachments they shouldn’t. They visit compromised websites. Every laptop, tablet, and phone used by your staff is a potential entry point.

    Also, regularly audit your software. Do you actually need all the tools you’re paying for? Every application, every plugin, every integration is another potential vulnerability. If you’re not using it, remove it. Reducing your attack surface is one of the simplest security improvements you can make.
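    The two rules in the paragraphs above, patch core assets and end-user devices first and remove what nobody uses, are simple enough to automate once you have an inventory. The planner below is an added example and not code from the original post; the inventory, the “latest version” baseline and the 90-day unused threshold are all constructed assumptions. In practice the inventory would come from an endpoint-management tool and the baseline from each vendor’s release feed.

```python
"""Patch-and-prune planner (added example, not from the original post).

Turns a software inventory into an ordered action list: core business
systems first, then end-user devices, then everything else; internet-exposed
items ahead of internal ones within each group; and software unused for
longer than UNUSED_AFTER_DAYS is removed rather than patched.

Versions are compared numerically, so "1.10.0" counts as newer than "1.9.2".
The inventory and baseline versions below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Item:
    asset: str
    role: str            # "core" | "endpoint" | "other"
    software: str
    installed: str
    latest: str          # constructed baseline of the current release
    exposed: bool        # reachable from the internet
    days_since_use: int


ROLE_RANK = {"core": 0, "endpoint": 1, "other": 2}
UNUSED_AFTER_DAYS = 90   # assumption; tune to your own retention policy


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2). Only leading digits of each part count,
    so '2-beta1' reads as 2; a part with no digits reads as 0."""
    parts = []
    for p in v.split("."):
        num = ""
        for ch in p:
            if ch.isdigit():
                num += ch
            else:
                break
        parts.append(int(num) if num else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """Numeric comparison with zero-padding, so '3.1' equals '3.1.0'."""
    a, b = parse_version(installed), parse_version(latest)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def plan(inventory) -> list:
    """Return [(action, asset, software), ...] in the order to work through."""
    work = []
    for it in inventory:
        if it.days_since_use > UNUSED_AFTER_DAYS:
            action = "remove"        # attack surface you are not using
        elif is_outdated(it.installed, it.latest):
            action = "patch"
        else:
            continue                 # current and in use: nothing to do
        # Sort key: business role, then exposure, then asset name for stability.
        key = (ROLE_RANK.get(it.role, 99), 0 if it.exposed else 1, it.asset)
        work.append((key, action, it.asset, it.software))
    work.sort(key=lambda w: w[0])
    return [(action, asset, software) for _, action, asset, software in work]


# Constructed inventory for a small shop; names and versions are made up.
INVENTORY = [
    Item("pos-till-1", "core", "pos-client", "4.2.0", "4.3.1", False, 0),
    Item("web-shop", "core", "shop-platform", "2.9.4", "2.10.0", True, 0),
    Item("laptop-ann", "endpoint", "pdf-reader", "11.0.1", "11.0.3", False, 2),
    Item("laptop-ann", "endpoint", "old-ftp-client", "1.0", "1.0", False, 400),
    Item("laptop-bob", "endpoint", "browser", "120.0", "120.0", False, 1),
    Item("kiosk", "other", "signage-player", "3.1", "3.1.2", False, 5),
]

if __name__ == "__main__":
    for action, asset, software in plan(INVENTORY):
        print(f"{action:6s} {asset:12s} {software}")
```

    The internet-facing shop platform comes out first even though the till is equally “core”, the up-to-date browser generates no work at all, and the FTP client nobody has touched in over a year is flagged for removal rather than for yet another update.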


    Testing Is Just the Beginning

    Many compliance frameworks require annual penetration testing. Companies diligently commission these tests, receive detailed reports identifying vulnerabilities, and then… do nothing.

    They’ve ticked the compliance box. They’ve got their certificate. Job done.

    Except hackers don’t care whether you’ve been tested. They care whether you’ve fixed the problems. If you’re conducting annual tests but not implementing the recommended security improvements, you’re wasting your money.

    And here’s another thing: attackers don’t limit themselves to whatever you tested last year. If you only tested your external perimeter but not your internal applications, or you tested your infrastructure but not the third-party integrations you do have permission to test, those untested areas remain vulnerable.

    Strategic penetration testing means thinking about your business holistically. Where are your crown jewels? What would cause catastrophic damage if compromised? Start there, then expand your testing scope over time.

    For some businesses, starting from the outside and working inward makes sense, testing external threats first, then moving to internal systems. For others, particularly those offering a specific product or service, starting with that core offering is the logical approach.

    There’s no universal right answer. It depends on your specific business, your concerns, and your resources.

    Building Resilience

    Cybersecurity isn’t about achieving perfect, impenetrable defences. That’s impossible. It’s about resilience: the ability to defend against threats, respond effectively when incidents occur, and recover quickly.

    For most small and medium-sized businesses, this doesn’t require massive investment. It requires thoughtful planning and consistent effort:

    Understand what you’re protecting and prioritise accordingly.

    Vet your vendors thoroughly before entrusting them with your data or business functions.

    Keep your systems updated, focusing first on your most critical assets and highest-risk devices.

    Train your staff to recognise common threats like phishing emails.

    Have an incident response plan. Know what you’ll do if something goes wrong.

    Test your security regularly, and actually implement the fixes you’re advised to make.

    Reduce complexity wherever possible, as fewer systems mean fewer vulnerabilities.


    The Uncomfortable Truth

    Whether you’re operating a neighbourhood bakery or a boutique consultancy, if you’re using digital tools, you’re exposed to cyber threats. The sophistication of your security doesn’t need to match that of a bank, but you do need to take the risks seriously.

    You cannot assume that because you’ve outsourced a service, the associated security risks have been outsourced too. You cannot assume that being small makes you safe from attackers. And you cannot assume that compliance means security.

    Your digital assets, however modest they might seem, are your responsibility to protect. Because when something goes wrong, it’s your business and your customers who bear the consequences.

    The good news? You don’t need to solve this alone. Independent security professionals can help you understand your risks, prioritise your efforts, and build defences proportionate to your needs and budget.

    But the first step is recognising that this matters for your business, not just for the corporations making headlines. From bakeries to banks, every business operating in the digital space needs to take cybersecurity seriously.

    Because in 2025, there’s no such thing as a business that’s too small to be a target.
