Why SMEs are dangerously unprepared for global cyber threats

Jack Marley founded cyber security firm P3M Works in Cheltenham in 2021 after leaving his senior contractor role at the Ministry of Defence, where he worked on fascinating but complex global cyber resilience projects.

His move into entrepreneurship was driven by a realisation that most small and medium enterprises (SMEs) were dangerously unprepared for the cyber threats he'd seen.

Jack says:

"I didn't set out to build a consultancy. What I set out to do was solve a problem.

"I wanted to take the discipline, structure and clarity of national-level programmes and make them accessible to organisations that don't have limitless budgets or armies of staff.

“Working inside government and defence has taught me what resilience really looks like."

What it means to be cyber resilient

His company now operates from Hub8 in Cheltenham's Minster Exchange, serving both government clients and private sector businesses.

Rather than focusing purely on prevention – what he describes as building "castle walls", Jack emphasises that cyber resilience isn't just about prevention.

"Cyber resilience isn't just about preventing attacks, but making sure businesses can operate, recover and thrive under cyber threats.

"We help organisations build cyber resilient cultures where employees become cyber-confident and know how to respond in a crisis.

"We deliver outcomes that address technical, human cyber risk and improve how organisations think about their cyber resilience.

"We bring the same rigour, discipline and precision that we use across national security to every project, guaranteeing that your security strategy is as resilient and dynamic as the threats it faces."

The threats small businesses face

The threat landscape Jack describes is stark.

He warns that AI has effectively "replaced that entire bottom layer" of jobs, potentially pushing young people towards cyber crime simply because "to do cyber, all you need is a laptop".

This genuine concern has prompted him to work with local universities and schools around Cheltenham to provide legitimate pathways into cyber security careers.

For small businesses, Jack believes the biggest threat is not understanding their exposure to risk.

He points to recent supply chain attacks like the one on Jaguar Land Rover (JLR), which he estimates contributed significantly to the economy's growth when production resumed.

"Without the JLR effect, you'd still have a plateauing economy," he says, pointing out how cyber incidents can ripple through entire regional economies.

Jack adds:

"I'd really boil this down to firms being reactive when it comes to cyber resilience.

"Our Resilience as a Service objective is to get our customers to a planned state of cyber resilience, which reduces staff burnout and awareness fatigue and also increases confidence when reacting to a cyber incident."

Jack's assessment of the plethora of current threats is enlightening. He says attackers now often bypass traditional hacking by using social engineering to target IT helpdesk staff, particularly those outsourced to overseas operations.

"You're not hacking in as a traditional hacker in a hoodie. You're just logging in."

He says:

"Every small and medium business either wants to sell or grow, and I'd argue that you can't grow or sell without the security fundamentals in place.

"In a digital-first retail world, cyber resilience is no longer about protection only. It's now a case of survival."

Jack's top five cyber resilience tips for small businesses

1. Don't "fire blind". Develop a cyber resilience strategy that identifies aims around business growth and prioritises activity.

2. Define cyber clearly. If you use a managed service provider (MSP) for your IT, make sure you and they see "cyber" in the same way and that they're involved in your incident response and recovery plans.

3. Test everything. Test your systems for vulnerabilities and use tabletop exercises to test how you'd respond to cyber events.

4. Know your assets. Make sure you have an up-to-date asset register, as you can't protect what you can't see.

5. Deploy the basics. Put multi-factor authentication (MFA) in place and always use strong passwords.

Interested in reading more about Jack's work? Visit the P3M Works website.