
SMEs shouldn’t bank on being immune to cybercrime

UK Government data reveals that in the last 12 months, 31% of businesses and 26% of charities estimated they were attacked by cybercriminals at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack. The threats are very real, and every business, no matter its size, will be touched by cybercrime in some way, whether through phishing emails, malware, ransomware or other methods. It’s a matter of when, not if.

The Cyber Resilience Centre for Wales’ (WCRC) Director Paul Peters chats with Matthew Didcott, information security officer at Monmouthshire Building Society, about its cyber security posture, the benefits of risk awareness training and the urgency for small businesses to implement simple cyber measures as part of their business security agenda.

PP: How seriously does Monmouthshire Building Society take its own cyber security?

MD: Monmouthshire Building Society (MBS) takes cyber security very seriously. The society continuously strives to enhance its security posture by keeping well informed of the latest threats, taking advice from our various expert partners and responding accordingly with investment in our cyber defence capabilities.

MBS has made significant investment in cyber security, which includes a dedicated security operations centre (SOC) that provides a wide range of essential security services to the society, from advice about the current threat landscape to helping keep us safe from cyber threats.

Security awareness is also an important factor to help protect the society, and staff are kept up to date with the latest threats through regular newsletters and campaigns. The society understands that defending ourselves against cyber threats and protecting our member data is an ongoing challenge and as such continually reviews its current and future state.

PP: Why is it important for SMEs to make their own cyber security a priority?

MD: In a time of increased remote work and growing cyber threats, SMEs are facing major cyber security challenges. Low security budgets, a lack of cyber skills and an increase in cyber-attacks can seriously impact SMEs’ competitiveness and compromise the supply chains they are connected to.

Leading by example in everyday life is also important and is often overlooked when engaging with staff to strike a work-life balance to help understand and become more aware of the growing cyber threats out there.

PP: While MBS has robust cyber security in place, all staff members of a business must be aware of the risks, as cybercriminals are adept at slipping through gaps.

MD: A user recently requested that IT release a blocked email from a trusted source and was not challenged as to why it was blocked in the first instance.

This led to IT releasing the email, which contained a harmful attachment, leading to the user entering their login credentials, not realising the trusted source had their business email compromised (BEC). However, our second layer of email security intervened and was picked up by our SOC as a ‘Risky User’ with multiple login attempts from outside the UK. Both the user and service desk analyst were provided with basic security awareness training.

PP: What basic steps should an SME be putting in place?

MD: An effective security management process comprises six steps: policy, awareness, access, monitoring, compliance, and strategy. These will all be underpinned by three major requirements, i.e. confidentiality, integrity, and availability, which support one another. For example, confidentiality is needed to protect passwords. So having a strong password and ensuring that it can’t easily be guessed supports this requirement.

PP: Why does MBS believe it is important to support the WCRC and what benefits does working with the WCRC bring to your organisation?

MD: It is important to support each other and take a collaborative approach to realise and share mutual benefits in the cyber world. It can be beneficial when in the right network with the right contacts to share ideas of best practice. The WCRC has been set up to support businesses and third sector organisations across Wales to improve their resilience to cybercrime, which is why the MBS is one of the centre’s founding Partners.

The WCRC offers bespoke security awareness training which is delivered in short bite-size modules using real-life examples to help understand risks, how they occur and how to spot signs of potential cybercriminal activity. Please get in touch to see how we can help you.

If you’re not already part of the WCRC membership community, join for FREE today! We provide national guidance, resources, regular cyber updates and member-only content to support small businesses, charities and other third sector organisations to become more aware and better protected against online risks.

