Why your employees are still your biggest IT risk in 2026 (And what to do about it)
Most business owners assume their biggest IT risk is a sophisticated hacker targeting their systems from the outside. The reality is far less dramatic and far more preventable.
According to the UK Government's Cyber Security Breaches Survey published in 2026, 43% of UK businesses experienced a cyber breach or attack in the past twelve months. The most common attack vector wasn't a zero-day exploit or a nation-state actor. It was an email. Specifically, a phishing email, one that looked legitimate enough to trick someone into clicking a link or handing over their login credentials.
The single most common way into a UK business in 2026 is a message your employee didn't think twice about opening.
The numbers that should concern every London SMB
Employees at small businesses with under 50 staff receive more targeted malicious emails than any other size category, one in every 323 emails is malicious. The median time between receiving a phishing email and clicking the link is under 60 seconds. And 20% of people who click also go on to enter their credentials.
In other words, by the time anyone realises something is wrong, it's often already too late.
What makes this particularly frustrating is that the solution isn't complicated or expensive. It just isn't being done. Only 9% of small businesses run quarterly security awareness training. Yet employees who receive consistent, simulation-based training are seven times less likely to fall for a phishing attack.
Seven times. For a few pounds per employee per month.
Shadow AI is making this worse
There's a newer dimension to this problem that barely existed two years ago. Around a quarter of UK organisations using, adopting, or considering AI have no security practices in place to manage the associated risks.
That means employees are using AI tools, pasting client data into ChatGPT, uploading contracts to summarisation tools, asking AI assistants questions they'd never send to an external email address, without any governance or awareness of where that data is going. It's not malicious. It's just habit. But the consequences can be significant, particularly for businesses handling client information under GDPR.
What good actually looks like
The businesses that handle this well aren't necessarily spending more. They're doing a few specific things consistently:
Regular phishing simulations. Not a one-off training video that gets clicked through in ten minutes. Actual simulated phishing campaigns sent to staff throughout the year, with targeted follow-up for anyone who falls for them. The goal isn't to embarrass anyone, it's to build the instinct to pause before clicking.
Multi-factor authentication enforced everywhere. MFA doesn't stop phishing, but it does stop an attacker from being able to use stolen credentials to log in. Even if an employee hands over their password, MFA means the attacker still can't get in without the second factor. It's one of the single highest-impact controls available and it costs almost nothing to implement.
A clear AI usage policy. Not a 40-page document nobody reads. A simple, practical set of guidelines that tells staff which tools are approved, what data should never be pasted into an external tool, and what to do if they're unsure. Most employees want to do the right thing, they just haven't been told what that looks like.
Email filtering and DMARC. Sixty-eight percent of UK SMBs don't have DMARC configured, which means attackers can send emails that appear to come from your own domain. Proper email security stops a significant proportion of phishing emails before they ever reach your team's inbox.
The uncomfortable truth
Board-level responsibility for cyber security in UK businesses has risen to 31% — which means 69% of businesses still have nobody at a senior level meaningfully involved in cyber security decisions. For a small business where the "board" is the owner-director, that gap is even larger.
This isn't about blame. It's about the fact that cyber risk is now an operational and financial risk, not just an IT problem. A single successful phishing attack can result in a data breach, regulatory consequences under GDPR, reputational damage with clients, and in the worst cases, ransomware that takes your business offline entirely.
The businesses that avoid these outcomes aren't the ones with the biggest IT budgets. They're the ones that treat their people as part of the security solution, not just a potential weak point.
At Blackgate Tech, we help London SMBs put the right controls in place — from phishing simulations and security awareness training to MFA enforcement and email security. If you'd like to understand where your business currently stands, we offer a free IT security review with no obligation.
