teissTalk: The confidence gap - moving SMBs from reactive to proactive cyber security

Views on news

On 10 February it was Microsoft’s February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities. Looking at these numbers, one may think that zero day attacks may become the new number one threat vector in the medium term ahead of identity-based attacks. Some of the wide range of threats listed in the article are relevant not only for large businesses but also SMEs, who may not have the human resource or the processes to deal with these risks head-on. Businesses should also remember that updating Microsoft is not enough in itself – they must do the patching and the reboot too. Although patching can impact the user experience negatively, a bit of inconvenience is better than no updates at all. The fact that AI now understands context better should ensure that these updates don’t happen when the user needs to use the app. Honeypot tests show that vulnerabilities can get scanned by bad actors in seconds after they go online. 

How SME cybersecurity can get proactive

SMEs view cybersecurity as a tax, as they often don’t see the value that it brings to the organisation. Instead, they should consider how security enables the organisation. The messaging around it very mixed too, which makes it hard for SMEs to understand what good looks like. The way they handle backup – stored on microwaves or carried in underground carriages over the electric motor – means that they may find it empty when an incident happens. For them, testing backup on a monthly basis may be much more cost effective than buying cloud backups in different locations. Thanks to BYOD policy and shadow IT an AI, they often don’t have a clear understanding of their security perimeter either – particularly if they are dynamically growing. Although Zero Trust may sound expensive for them, its presumption that anything can be compromised is actually a mindset that they should also adopt. Moreover, you can’t held SMEs accountable for what they don’t have the in-house knowledge to deal with or the resources to buy. However, Cyber Essentials were designed with small and medium sized companies in mind, although many of them – about 80 per cent –  still don’t know that  it exists. AI-powered tools have the potential to address some of the gaps in SME security, with AI agents being able to identify vulnerabilities or misconfigurations. 

The panel’s advice

• Identify your key processes and protect those first.
• Work out how security can become a commercial advantage for your business.
• It’s unrealistic to expect a small company to have a team comprising a network engineer, a cyber engineer and a continuity analyst.  
• Learn more about the University of Nottingham’s CyCOS (Cyber Security Communities of Support) project where small and medium-sized enterprises can get cyber advice in an informal setting.
• Security is a company issue. Security professionals should collaborate with experts when working out how assets should be protected. 

For further reading:
www2.withsecure.com/en/expertise/campaigns/forrester-2025-the-mid-markets-cyber-security-playbook-is-broken
www2.withsecure.com/en/expertise/resources/cybersecurity-checklist