In the UK, small and medium-sized enterprises (SMEs) They employ a staggering number of employees, and their vulnerability to cyber attacks is particularly evident, often feeling isolated. At a chapter of the Infosecurity Europe 2025 conference held in London this week, Steven Furnell, a professor of cybersecurity at the University of Nottingham, will convey the results of a research project called CyCOS - Network Support Community - that is jointly organized by the University of Nottingham, Queen Mary University and Kent University, and has received support from multiple parties including the Home Office, the National Cyber Security Centre, IASME, ISC2, CIISec and three regional cyberrecovery centers.
According to data from the Federation of Small Businesses, CyCOS researchers note that there are 5.5 million SMEs in the UK, accounting for 99.9% of the total UK businesses and employ 60% of the workforce. According to the 2024 Cybersecurity Vulnerability Survey, 56% of businesses outsource their security management.
The CyCOS project began in September 2023 and is scheduled to be completed in February 2026. Its stated goal is to improve the network resilience of SMEs through the "Cybersecurity Support Community".
The project was initially conducted by a survey of 374 UK SMEs, and the survey results showed that 23% of enterprises had difficulties in finding cybersecurity advice and support, 26% found these suggestions difficult to understand, and 20% found it difficult to put them into practice.
A CyCOS respondent said, "It is very difficult to find peers with similar scales and similar mindsets to communicate."
The researchers also interviewed more than 30 providers providing cybersecurity consulting services and collected some of the original feedback. "For SMEs, their participation often begins after security incidents. Frankly speaking, they are not very positive because they are also facing other business pressures." Another said, "The basic level of network hygiene we see in practice is very, very worrying." Another pointed out, "I hope to build some kind of bridge that SMEs can find us, and we can find them... The concept of working closer with others can do better."
Entermination
At the chapter of the Infosecurity Europe 2025 conference, Furnell pointed out that although SMEs can theoretically obtain a lot of information, navigation itself has formed a barrier to entry. This will not only significantly affect SMEs, but also may have a chain impact on large organizations that rely on SMEs as part of important supply chains.
In an interview with Computer Weekly before the meeting, Furnell mentioned that SMEs “sometimes feel that they are very isolated in this regard, and they have no peers to communicate with, or at least the additional funding required for communication.”
He said, “They recognize that cybersecurity should be part of the agenda and are always paying attention to this issue, but they face many challenges in dealing with it due to limitations such as time, expertise and funding.”
The research project will end in February 2026. Furnell and co-authors Neeshe Khan, Maria Bada, Matthew Rand and Jason Nurse are publishing paper entitled “Investigating Experience in Providing Cybersecurity Support for SMEs” in Computers and Security.
The paper summarizes: "The cybersecurity content for SMEs is extremely rich. The research finds that suppliers play an auxiliary role in the understanding, education and implementation of cybersecurity defense measures by SMEs. Despite great efforts, SMEs' cyber health levels are still low, and they are unlikely to actively seek help. In addition, the lack of knowledge and understanding, abilities, attitudes and resources of SMEs also restricts their response, while suppliers face many internal and external challenges when providing support. The data reveals that by building a community with security as the core, it is expected to achieve many improvements."
Furnell said CyCOS The actual goal of the project is to help build support communities based on factors such as geographic location, industry sector or key supply chain status.
He said, "We are trying to bring SMEs together with suppliers through the philosophy of supporting the community to form a real peer community, especially within SMEs."
"So if a business wants to directly listen to peers who have been attacked, they can consult with SMEs in their region, industry or in the same supply chain."
Furnell will be held at the Infosecurity Europe meeting on Wednesday, June 4, with Stephen Bell, head of cybercrime prevention and victim support at the Ministry of the Home Office, Sapna Chadha, CEO of the Cyber Recovery Centre, London and Amanda Finch, CEO of the Chartered Institute of Information Security.
![[Bilingual] The 20th meeting of the peacekeeping expert group of the ASEAN Defense Ministers' Enlarged Meeting will be held in Nanjing](https://p3-sign.toutiaoimg.com/tos-cn-i-axegupay5k/c5b2d838635a40fda2b3f55c697ce789~tplv-tt-origin-web:gif.jpeg?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1750072107&x-signature=Wnk%2FLnwKb2lvfcYthHk3QV5ETf4%3D)