UK Businesses Under Siege: 78% of Manufacturers Hit by Cyber Attacks — What Every Small Business Owner Needs to Know

If you run a small business in the United Kingdom, the latest cyber security research should give you serious pause. A new report from security firm ESET, covered this week by The Register, confirms what our own threat intelligence data from IPInsights has been showing for months: UK businesses are under sustained, relentless cyber attack — and most are not adequately prepared.

The headline figure is stark. Seventy-eight per cent of UK manufacturers surveyed admitted to suffering at least one cyber incident in the past twelve months. More than half reported direct revenue losses. And in over half of the most severe incidents, the financial damage exceeded £250,000. These are not abstract numbers affecting only large corporations with deep pockets. The ripple effects reach every supplier, subcontractor, and small business in the chain.

The Threat Is Not Hypothetical — It Is Happening Now

The ESET survey polled 500 senior decision-makers across IT, OT, operations, risk, and security in UK manufacturing organisations. The findings paint a picture of an industry — and by extension, an economy — that is absorbing cyber attacks as a routine cost of doing business. Ninety-five per cent of respondents said attacks had a direct operational impact. Forty-four per cent reported supply chain disruption. Thirty-nine per cent missed customer or supplier commitments as a direct result.

For small businesses, these statistics carry a different kind of weight. When a major manufacturer like Jaguar Land Rover is forced to halt production — as happened last year, with the wider economic impact estimated at around £1.9 billion — the damage cascades downward. Smaller suppliers lose orders. Payment terms stretch. Contracts are cancelled. If your business sits anywhere in a manufacturing supply chain, the cyber resilience of your partners is now directly relevant to your own survival.

What Our IPInsights Data Tells Us

At UK Cyber Defence, our IPInsights threat intelligence service monitors attack traffic across UK networks in real time. What we see corroborates the ESET findings — and adds a dimension that should concern every business owner: the attacks do not stop when you lock up for the night.

Our analysis shows that peak attack traffic against UK businesses consistently falls on Thursdays at 23:00 UTC. This is not a coincidence. Threat actors — many operating from different time zones — deliberately target periods when they know IT teams are at their thinnest, security operations centres are winding down, and automated defences are least likely to be supplemented by human oversight.

Perhaps most critically, our data reveals that only 28 per cent of attack traffic falls within standard UK business hours (09:00–17:30 Monday to Friday). That means nearly three-quarters of all attacks are landing when most small businesses have no one watching. If your cyber security strategy assumes that threats arrive during office hours, you are exposed for the vast majority of the time.

"If your business closes at half five and your security closes with it, you are leaving the door open for 72% of the attacks we track. Threat actors are not working nine-to-five — and your defences cannot either."

Why Small Businesses Are Particularly Vulnerable

The UK Government's own Cyber Security Breaches Survey 2025 found that 43 per cent of all UK businesses reported a breach or attack in the previous twelve months — equivalent to approximately 612,000 organisations. For medium-sized businesses the figure was 67 per cent, and for large businesses 74 per cent. But these figures likely undercount the true picture for smaller firms, many of whom lack the monitoring tools to even detect an intrusion.

The reality is that small businesses face a uniquely dangerous combination of factors:

• Limited IT resources: Most small businesses do not have a dedicated security team, or even a full-time IT person. Security is often an afterthought bolted onto existing infrastructure.
• Supply chain exposure: If you work with larger manufacturers or enterprises, attackers may target you as a stepping stone into their systems. Your business becomes an entry point.
• The assumption of insignificance: Many small business owners believe they are too small to be targeted. Automated attack tools do not discriminate by company size. They scan for vulnerabilities indiscriminately, and a poorly configured firewall on a five-person business is just as exploitable as one on a five-thousand-person enterprise.
• Financial fragility: The average cost of a disruptive cyber breach for a UK business is £1,600, rising to £3,550 when only incidents with a financial cost are counted. For a small business operating on tight margins, that can be catastrophic.
• Recovery time: The ESET data shows that most organisations experiencing a shutdown suffered between one and seven days of downtime. For a small business, a week offline can mean lost customers who never come back.

The AI Factor: Attacks Are Getting Smarter

The ESET survey found that 46 per cent of respondents now cite AI-enabled attacks as their top concern — ahead of phishing at 42 per cent and ransomware at 40 per cent. This is a significant shift. Artificial intelligence is allowing threat actors to craft more convincing phishing emails, automate reconnaissance of target networks, and adapt their tactics in real time.

For small businesses, AI-powered attacks are particularly dangerous because they undermine one of the few defences that smaller organisations tend to rely on: human judgement. When a phishing email is flawless — no spelling mistakes, perfect formatting, referencing real invoices or real colleagues — the old advice to "look for the obvious signs" is no longer sufficient.

The Boardroom Blind Spot

One of the most troubling findings from the ESET research is that only 22 per cent of manufacturing firms assign cyber security accountability at board or executive level. In 55 per cent of cases, it sits entirely within IT. And a fifth of organisations still favour reactive approaches — waiting for something to go wrong before acting.

The UK Government's own data echoes this. Board-level responsibility for cyber security across all UK businesses has fallen from 38 per cent in 2021 to just 27 per cent in 2025. At a time when threats are accelerating, governance is actually going backwards.

For small business owners, you are the board. The question is whether cyber security features in your business planning at all, or whether it only gets attention after an incident.

What You Should Do — Starting Today

You do not need an enterprise budget to meaningfully improve your cyber resilience. Here are practical, proportionate steps that every small business owner should consider:

• Accept that you are a target. The data is unambiguous. If you are connected to the internet, you are being probed. Act accordingly.
• Enable multi-factor authentication everywhere. Only 40 per cent of UK businesses currently use MFA. It is one of the most effective defences available and costs nothing to implement on most platforms.
• Ensure 24/7 monitoring — even if outsourced. Our IPInsights data shows 72 per cent of attacks fall outside business hours. If you cannot monitor around the clock, engage a managed security service that can.
• Back up your data and test your restores. Ransomware is only devastating if you have no clean copy of your data. Ensure backups are stored offline or in an immutable format, and test them regularly.
• Train your staff — and train them again. Phishing remains the top attack vector, responsible for 85 per cent of successful breaches. Regular, practical awareness training is essential.
• Get Cyber Essentials certified. The UK Government-backed scheme is affordable and provides a baseline of security controls. Only 12 per cent of UK businesses are currently aware of it — be in the informed minority.
• Review your supply chain. Ask your key suppliers and partners about their cyber security posture. If they cannot answer, that is a risk factor for your business.

The Clock Is Ticking — Literally

Our threat intelligence data tells a very specific story. Thursday night at 23:00, attack traffic against UK businesses peaks. By the time most business owners arrive at their desks on Friday morning, the damage may already be done — data exfiltrated, ransomware deployed, systems compromised.

The ESET research, the Government's Breaches Survey, and our own IPInsights analysis all point to the same conclusion: UK businesses are under sustained cyber attack, the frequency and sophistication of these attacks is increasing, and the majority of businesses — particularly smaller ones — are not adequately prepared.

This is not a technology problem. It is a business risk problem. And like all business risks, it requires active, informed management — not hope that you will be overlooked.