
A 30-person business is no longer too small to be a serious cyber target. It is often exactly the kind of company criminals like: enough money, enough data and enough operational dependence on IT to make disruption painful, but rarely enough internal security depth to respond like a large enterprise.
Verizon’s 2025 Data Breach Investigations Report captures the gap clearly. Ransomware was involved in 39% of breaches at large organisations, but 88% of breaches at small and mid-sized businesses. That is not a rounding error. It shows where the pressure has moved.
The UK Government’s Cyber Security Breaches Survey 2025/2026 also shows why smaller firms should pay attention. Just over 4 in 10 businesses, 43%, identified a cyber breach or attack in the previous 12 months, equivalent to around 612,000 UK businesses. Medium businesses reported higher exposure at 65%, while large businesses reported 69%. Phishing remained the most common breach type by far, affecting 38% of all businesses and 88% of businesses that identified a breach or attack. Ransomware was lower in the survey than in previous years, at 1% of businesses, but still equated to around 9,000 UK businesses experiencing ransomware cyber crime.
So this is the right moment to be honest about why a 30-person company is attractive, and what to do about it.
Cyber crime is now a business, not a hobby. Ransomware-as-a-service has industrialised the supply side. Social engineers do the front-end work, stolen credentials are traded, and affiliates take a cut for delivering access. That model makes smaller firms viable targets at scale.
The brutal maths from the criminal side
If you were running an extortion business, would you prefer to attack 1 large enterprise with a 24-hour SOC, tested incident response, board-level security leadership and an insurance underwriter already asking questions, or 5 smaller firms with 1 IT contact, a stretched leadership team and backups nobody has tested?
Criminals often choose the latter. The effort per target is lower. The chance of finding weak identity controls is higher. The pressure to pay can be sharper because a smaller firm may feel existential pressure within days of being offline.
That dynamic explains the wider pattern. The shift towards SMEs is visible in ransomware reporting, supply chain compromises and the growth of credential theft markets. Phishing remains the foundation because it works, which is why anti-phishing controls, the basics in anti-phishing basics, and the discipline of an actual policy as set out in how to create an anti-phishing policy all carry their weight. As an anti-phishing company in London, we keep seeing the same pattern: many successful attacks on smaller businesses begin with an email or a login page, not a clever exploit.
Why the 30-person company sits in the sweet spot
There are 5 common reasons.
First, the IT setup is often lean by necessity. There may be 1 internal person, or an outsourced provider covering everything. Small risks compound: an old admin account, a weak password policy, a forgotten server or a delayed patch.
Second, leadership is reachable. The managing director may be on LinkedIn, the finance manager’s email format is easy to guess, and the team knows each other well. Requests “from the boss” can feel ordinary. The discussion of business email compromise and the giveaways in how to spot a phishing email is relevant here.
Third, the digital footprint is real but not always controlled. A 30-person firm may run Microsoft 365 or Google Workspace, cloud software, CRM, accounting tools, payment systems and SaaS apps nobody has fully inventoried. Each is a credential target. Password best practices and device management through Microsoft Intune make a big difference. So do endpoint hardening steps, endpoint security for remote teams and modern detection covered in why EDR matters.
Fourth, downtime hurts quickly. If the accounts person cannot log in, invoicing stops. If the order system is down, fulfilment stops. That pressure is exactly what attackers exploit. Read why your business needs a business continuity plan alongside the small business guide to ransomware for the practical view.
Fifth, you may be a route to someone bigger. If you supply a larger customer, attackers may value your access as much as your ransom potential. That is the supply chain angle sitting underneath IT compliance matters.
What an attack usually looks like
A finance assistant receives an email that looks like it came from a known supplier, asking her to log in to view an updated invoice. The login page is fake. Her Microsoft 365 credentials are harvested. The attacker logs in, creates an inbox forwarding rule and waits. Within days, they understand who pays invoices, who approves payments and how the team writes to each other. When the managing director is away, they send a believable payment request from a compromised mailbox.
Or a remote worker downloads a free productivity tool. It contains an information-stealer that scrapes saved browser passwords, including access to a company system. A week later, an attacker logs in, moves quietly and deploys ransomware.
Neither story requires brilliant attackers. They require the foundations to be slightly off.
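The first story hinges on a forwarding rule quietly created in a compromised mailbox, which is also one of the cheapest things to look for after the fact. The script below is an added illustration, not part of the original article or Northern Star's tooling: it runs a simple triage over constructed records shaped like Exchange Online audit entries (operation name, user, and a list of Name/Value parameters; the exact shape of a real export is assumed here) and flags rules or mailbox settings that send mail to a domain the business does not own, especially when the rule also deletes the message or has an empty or one-character name. Domain names and addresses in the samples are invented.

```python
import json

# Constructed sample records, shaped like Exchange Online audit entries.
# Assumption: a real export carries many more fields; only these are used.
INTERNAL_DOMAINS = {"example.co.uk"}

SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2025-03-03T08:12:41", "Operation": "New-InboxRule",
     "UserId": "finance.assistant@example.co.uk", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:invoices@attacker-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-03T09:01:10", "Operation": "New-InboxRule",
     "UserId": "ops@example.co.uk", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-03-04T17:45:02", "Operation": "Set-Mailbox",
     "UserId": "admin@example.co.uk", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Identity", "Value": "md@example.co.uk"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:md.personal@gmail.example"}]},
    {"CreationTime": "2025-03-05T10:20:33", "Operation": "New-InboxRule",
     "UserId": "hr@example.co.uk", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "Forward to shared"},
                    {"Name": "ForwardTo", "Value": "shared-hr@example.co.uk"}]},
]

# Parameters that make a rule or mailbox send copies of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Empty or one-character rule names are a common sign that a rule was made to be overlooked.
SUSPICIOUS_NAMES = {"", ".", ",", "..", "-"}


def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _addresses(value):
    """Split 'smtp:a@x; b@y' style values into lowercase addresses."""
    out = []
    for token in value.replace(";", ",").split(","):
        token = token.strip().lower()
        if token.startswith("smtp:"):
            token = token[len("smtp:"):]
        if "@" in token:
            out.append(token)
    return out


def is_external(address, internal_domains):
    """True when the address's domain is not one the business owns."""
    return address.rsplit("@", 1)[-1] not in internal_domains


def assess_record(record, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a record looks suspicious; an empty list means benign."""
    if record.get("Operation") not in WATCHED_OPERATIONS:
        return []
    params = _params(record)
    reasons = []
    for name in sorted(FORWARDING_PARAMS.intersection(params)):
        for addr in _addresses(params[name]):
            if is_external(addr, internal_domains):
                reasons.append(f"{name} sends mail to external address {addr}")
    if reasons and params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule also deletes the message, hiding the forwarding from the mailbox owner")
    if reasons and record["Operation"].endswith("InboxRule") \
            and params.get("Name", "").strip() in SUSPICIOUS_NAMES:
        reasons.append(f"rule name {params.get('Name')!r} is empty or a single character")
    return reasons


def find_suspicious_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Run assess_record over every record and collect the findings for review."""
    findings = []
    for rec in records:
        reasons = assess_record(rec, internal_domains)
        if reasons:
            findings.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                             "time": rec.get("CreationTime"), "client_ip": rec.get("ClientIP"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_forwarding(SAMPLE_AUDIT_RECORDS):
        print(json.dumps(finding, indent=2))
```

Two of the four constructed records are flagged: the finance assistant's rule (external forward, delete, one-character name) and the mailbox-level forward set on the managing director's account. Forwarding to an internal shared mailbox is left alone, which is the point of keeping an explicit list of owned domains rather than alerting on every forward. A real review would add the sign-in record for the client IP and the time the rule appeared, both of which the compromised-mailbox story above turns on.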
The 7 things a 30-person firm should actually do
| Priority | What you do | Why it matters most |
|---|---|---|
| 1 | Enforce MFA on every account, especially email and admin accounts | Most attacks start with stolen credentials |
| 2 | Patch operating systems, browsers and key software promptly | Attackers exploit known vulnerabilities |
| 3 | Back up data, including Microsoft 365 or Google Workspace, and test restores | A backup that has never restored is not proof of recovery |
| 4 | Train staff on phishing and payment verification | Human checks stop targeted attacks that filters miss |
| 5 | Get Cyber Essentials, then Cyber Essentials Plus | It is the recognised UK baseline and increasingly requested by customers |
| 6 | Manage devices and identities centrally | Unmanaged devices create avoidable risk |
| 7 | Write a 1-page incident response plan and rehearse it | Calm decisions beat panic decisions |
MFA needs to cover every important account, not just the obvious ones. Patching needs to include awkward systems, not just laptops. Backup testing means restoring something, not just reading a “backup successful” message. The incident plan needs to say who calls whom, who speaks to customers and who decides whether to contact law enforcement.
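Restoring something, rather than reading a "backup successful" message, is easy to turn into a routine drill. The script below is an added example and not part of the original article or any backup product: it builds a small archive from constructed sample files, restores it into a separate directory, and compares a SHA-256 digest of every file in the restore against the live copy, so a missing or altered file is reported instead of silently passed. It then deletes one restored file to show what a partial restore looks like in the report. File names and contents are invented for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> None:
    """Write a compressed tar of the source tree, stand-in for the real backup job."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing entries that would escape it."""
    target = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if os.path.commonpath([target, dest]) != str(target):
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(target)


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare the restored tree to the digests taken from the live copy."""
    actual = sha256_tree(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    changed = sorted(p for p in set(expected) & set(actual) if expected[p] != actual[p])
    return {"ok": not (missing or extra or changed), "files_checked": len(expected),
            "missing": missing, "extra": extra, "changed": changed}


def run_restore_drill() -> tuple:
    """Back up, restore, verify; then remove one file to show a failed verification."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample data standing in for a file share.
        source = tmp / "live"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("invoice,amount\n1001,250.00\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        archive = tmp / "nightly.tar.gz"
        make_backup(source, archive)
        expected = sha256_tree(source)

        # Always restore to a fresh location, never over the live data.
        restored = tmp / "restore-test"
        restored.mkdir()
        restore_backup(archive, restored)
        clean_report = verify_restore(expected, restored)

        # Simulate an incomplete restore and check that it is reported.
        (restored / "finance" / "invoices.csv").unlink()
        broken_report = verify_restore(expected, restored)
        return clean_report, broken_report


if __name__ == "__main__":
    clean, broken = run_restore_drill()
    print("clean restore:", clean)
    print("partial restore:", broken)
```

The same shape of check applies to a Microsoft 365 or Google Workspace backup: restore a handful of mailboxes or files to a test location on a schedule, compare them to the live copies, and keep the report. A drill that nobody has run since the backup was set up tells you nothing about whether you can recover.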
The Cyber Essentials route deserves a separate note. For UK organisations with turnover under £20 million, certification covering the whole organisation includes cyber liability insurance arranged through the scheme’s delivery partner, IASME, including incident response support. The case is set out in why your business should become Cyber Essentials accredited.
The foundation, quickly
For backup, Microsoft 365 backup explains why your tenant is not self-protecting, cloud to cloud backup covers the principle, and common cloud backup mistakes is the sober read. Google Workspace teams should see Google Workspace backup. As a Microsoft 365 support services business in London, we treat backup, identity and email security as one connected job.
For leaked credentials, dark web monitoring explained covers the basics, the response is in what to do if your company credentials appear on the dark web, and dark web monitoring versus breach monitoring is worth understanding. Our dark web monitoring service for London businesses is built for that early signal.
For testing, network penetration testing explained gives the rationale, the importance of penetration testing in cybersecurity covers the value, how often you should run network penetration testing settles the cadence question, and pen testing versus vulnerability scanning explains the difference. Fixing what you find is the point, covered in common network vulnerabilities and fixes, and internal and external network penetration testing helps you scope the right test. For the network side more broadly, tips for securing your small business network covers the fundamentals.
For operating discipline, IT service management describes what good day-to-day care looks like, and the case for handing it off is set out in the benefits of outsourcing your IT to an MSP and why businesses should consider an MSP for their IT needs. A good managed IT support services company that London businesses can rely on should help you do most of this list without you thinking about it every day.
What to do when it happens
The mood when an incident lands is usually quiet panic and a strong urge to “just pay it and get back to work”. That is rarely as clean as it sounds. There is no guarantee a decryptor will work, stolen data does not become unstolen, and paying may mark you as a future target.
In the early hours, focus on 3 steps.
First, isolate affected machines from the network without destroying evidence. Second, call your IT provider, the NCSC, Action Fraud and your insurer if you have cyber cover. Third, communicate clearly with staff, customers and any regulator that needs to know. If a personal data breach is likely to create a risk to individuals’ rights and freedoms, the ICO may need to be notified without undue delay and, where feasible, within 72 hours of becoming aware.
With backups, patience and a plan, recovery is painful but possible. Without them, the conversation is much harder.
Cross-border and multi-site realities
If your 30-person business operates across more than one country, the picture gets harder. Different reporting rules, time zones and local suppliers complicate response.
We support businesses in this position through European IT services and multinational IT support services. If you are consolidating systems and want to fix supplier and identity hygiene at the same time, our platform migration services build that cleanup in. For broader scoping, our consulting team and security services cover the rest, and the full range of services shows how the pieces fit.
Frequently asked questions
Are 30-person companies really attacked more than larger ones?
They are not always more visible in government surveys, partly because smaller firms often have weaker detection. But industry breach data shows ransomware is disproportionately present in small and mid-sized business breaches, and UK data shows cyber attacks remain common across businesses of all sizes.
What is the single most valuable thing to do?
Turn on multifactor authentication for every account, especially email and administrator accounts. Most attacks start with stolen passwords, and MFA blocks many of those attempts.
Do small businesses really get ransomware demands?
Yes. The UK Government estimated around 9,000 businesses experienced ransomware cyber crime in the 2025/2026 survey period. Smaller ransom demands can still be profitable for criminals when repeated at scale.
Will cyber insurance cover us?
Sometimes, and usually with conditions. Insurers increasingly expect MFA, patching, endpoint protection, backups and staff training. Insurance is a backstop, not a substitute for the controls.
Is Cyber Essentials worth it at our size?
Generally, yes. It is the recognised UK baseline, starts at a relatively low cost, includes cyber liability insurance for qualifying UK organisations under £20 million turnover, and is increasingly requested in procurement.
What if we cannot afford a dedicated security person?
Most 30-person firms cannot, and do not need to. A capable outsourced provider with security built into the managed service is often a better fit than hiring one specialist without wider cover.
The sensible next step
If you do one thing after reading this, turn on multifactor authentication everywhere. If you do a second thing, check that your backups actually restore. If you do a third thing, write the 1-page incident plan today.
If you would like help putting this in place without losing a quarter to the project, speak to Northern Star. We will give you an honest view of where you stand, prioritise the work by what actually changes risk, and help you stop being the size of business attackers most prefer.