Cyber-attacks on the mid-market have become increasingly common in recent years, affecting all industries, including healthcare, manufacturing, retail, housing, and financial services, among others.

James Arthur discusses five key lessons that mid-market businesses can learn from previous cyber-attacks to better protect themselves in the future.

Why small and mid-size businesses are vulnerable to cyber-attacks

While high-profile companies continue to be targeted specifically, the majority of victims are often small or medium-sized enterprises. What is surprising is that many of these businesses never expected to fall victim to a cyber-attack, despite the continued cyber threat.

Percentage of UK businesses identifying cyber-attacks

Date Percentage
2017 46%
2018 43%
2019 32%
2020 46%
2021 39%
2022 39%

Source: Cyber Security Breaches Survey 2022 - GOV.UK (

These attacks have ranged from cyber-enabled invoice fraud, resulting in organisations and their suppliers paying millions to cyber criminals, through to severe ransomware attacks that can take entire organisations offline.

Although the cyber threat is very real, prevention is a much better approach than a cure. There are a range of pragmatic and cost-effective steps that organisations of all sizes can take to reduce the chances of falling victim to such attacks, and to limit the impact if it happens.

Key lessons

1 Have a robust and tested 'Managed Detection and Response' in place

Unfortunately, just having an effective anti-virus in place isn’t enough anymore. Industry best practice is now to have Managed Detection and Response (MDR). This is typically a 24/7 service where cyber defence experts monitor specialist software on your systems and networks. These systems and constant monitoring help you to identify and respond to cyber-attacks that make it through your existing defences.  

There are many MDR providers in the marketplace using a range of different software solutions and staff with varying levels of experience, training, and operating hours. 

Keep in mind, you often ‘get what you pay for’ and therefore care should be taken when selecting and engaging an MDR provider. Some businesses decide to build their own solution. If you decide to go down this route, you should organise the testing of your MDR capabilities regularly to ensure it is up to date with attack tactics and meeting requirements around detection and response.

2 Develop an Incident Response plan and have the right people on call 

'Time spent in rehearsal is never wasted' is a phrase instilled in every soldier of the British Army since the beginning of their training. Preparing for high-risk and dangerous situations, where adrenaline is flowing, allows soldiers to react instinctively and perform better under pressure.

It is equally important to adopt this approach when preparing for a potential cyber-attack or data breach. When your business is being held hostage, you don’t want to improvise your response on the spot.

Organisations who have a pre-agreed Cyber Incident Response plan in place, along with the appropriate expertise and regular exercises, can significantly reduce the size and impact of cyber-attacks and help accelerate their time to respond. This not only minimises disruption to business operations but also mitigates the severity of the attack. 

3 Don’t expect your IT team to be cyber experts

Many organisations expect their IT teams, whether in-house or outsourced, to be cyber experts as well as being able to support their core systems on a day-to-day basis.

Few IT teams are able to keep pace with developments in cyber security and the rapidly evolving threat state in parallel with conducting their day jobs.

It is unrealistic to expect your IT team to be cyber security experts, in the same way you wouldn’t expect a GP to be able to perform heart surgery despite having a medical degree. To maintain up-to-date defences and recovery capabilities, it is important to either build specific expertise into your team, or partner with specialist cyber security providers.

4 Ensure that there are no open doors in your internet-connected infrastructure

Cyber criminals conduct widespread scans of the Internet on an industrial scale to identify serious vulnerabilities in software and hardware. They use easily accessible and inexpensive tactics to gain easy access to your systems.

Having an effective vulnerability scanning regime in place is crucial to prevent such attacks. Your IT team should only enable remote access protocols such as Remote Desktop Protocol (RDP) in very specific circumstances and with the right security configurations in place.

5 Prioritise phishing awareness and implement phishing defences across your business 

Phishing attacks continue to be a major cause of cyber incidents, and with the rise in technologies such as ChatGPT writing more convincing emails you can't rely on spotting spelling mistakes anymore. In such attacks, an employee is often tricked into downloading a malicious file, clicking on a phishing link, or visiting a website that hosts malware.

Ensuring that you have simple phishing defences in place, including regular training and simulated phishing campaigns conducted by your own teams or a cyber security partner, are key to reducing the chance that your organisation will fall victim to this form of attack.

Our CREST-certified Cyber Incident Response team at Grant Thornton UK LLP has helped hundreds of our clients respond to, and successfully recover from, a range of cyber-attacks and data breaches over the last four years. If you think you are under attack please contact us 24/7 on or +44 20 7865 2552.

If you’d like a conversation about your cyber defences, get in touch with our team. 

Sign up to get the latest updates by email

Sign up to get the latest role, industry or technical updates by email