Manchester SMB Threat Brief — June 2026: the month "patch your edge kit" overtook "change your password"

What this brief is

This is our monthly read on what's actually threatening small and mid-sized businesses across Greater Manchester — written for owners and office managers, not security analysts. Most months we lead with what's crossed our own desk. This month I want to do something a bit different and lead with the national data, because the picture it paints lines up exactly with what we keep telling clients in review meetings — and the headline number has genuinely moved.

We look after 45+ businesses, 350+ users across 6 industries, and we've been doing it in Manchester for 24 years. None of what follows is theoretical. It's the same advice we give the firms we sit with every week. I've kept it plain and I've cited every figure so you can check it yourself.

The number that moved

For years the standard advice opened with passwords. Use a strong one, don't reuse it, turn on MFA. All still true. But the way attackers actually get in has shifted, and the data now says so plainly.

Verizon's 2026 Data Breach Investigations Report found that 31% of breaches now start with the exploitation of a software vulnerability — overtaking stolen credentials as the single most common entry point (CTO at NCSC). That's a real change in the threat model. The front door isn't a guessed password any more — increasingly it's an unpatched box you forgot was facing the internet.

The scale hasn't dropped, either. The government's Cyber Security Breaches Survey 2025 found 43% of UK businesses reported a breach or attack in the last 12 months, rising to 46% of small businesses and 65% of medium-sized ones (ICAEW). The "we're too small to be a target" line has never held up, and it doesn't this month.

And it costs real money. UK SMEs face an average breach cost of around £15,300 when you account for lost time, recovery and disruption (Connection Technologies). For a 20-person Greater Manchester firm, that's not a rounding error — it's a serious dent.

What's actually happening right now

Three things stand out from the last few weeks. Each one maps to a concrete action.

1. Edge devices are under active attack

This is the big one. In the week ending 14 June, NCSC reported active exploitation across Palo Alto, Check Point and Cisco products, plus Ivanti vulnerabilities, alongside a botnet (JDY) that had pulled in 1,500+ small-office and IoT devices (CTO at NCSC). Separately, a Palo Alto PAN-OS flaw (CVE-2026-0257) is under active exploitation, with US federal agencies given a remediation deadline of 19 June (AI Weekly).

Why it matters to you: a firewall or VPN appliance is the one device deliberately exposed to the internet. If it's a few firmware versions behind, you're not "slightly out of date" — you're potentially running a box with a publicly known, actively exploited hole in it.

What to do: ask whoever manages your network — us, or someone else — for written confirmation that every internet-facing firewall, VPN and remote-access endpoint is on current firmware and behind MFA. Don't accept "it's probably fine." Get the version numbers. If you'd like us to handle that as part of managed IT support, we already do it as routine.

2. Phishing has gone professional — and moved to video

Phishing is still the most prevalent attack by a distance — 38% of all businesses in the breaches survey cited it, and among firms that could identify how they were hit, 84% pointed to phishing (Security Journal UK). UK phishing fraud losses topped £1.2bn in 2025 (Security Journal UK).

What's changed is the delivery. We're now seeing the Vidar infostealer pushed through fake, AI-voiced TikTok and Reels "software unlock" tutorials that walk users through running a PowerShell command — which quietly installs the malware (The Small Business Cyber Security Guy). Phishing-as-a-service kits like SniperDz mean the people doing this no longer need any real skill.

What to do: tell your team, in plain words, that "paste this command to activate/unlock the software" is now a live way to get infected — on social platforms, not just email. If a tutorial asks someone to open PowerShell or Terminal, stop and ask us first.

3. Business Email Compromise is where the money actually goes

If phishing is the most common attack, Business Email Compromise (BEC) is the most expensive. The UK has the highest share of BEC claims of any geography at 46.4% of cyber insurance claims, with an average BEC loss of around $35,000 — rising to roughly $106,000 when it leads to a fraudulent funds transfer (Coalition, via Conversational Geek). This is the "the supplier's bank details have changed, please update them" email. No malware, no dramatic break-in — just a convincing message and a payment that goes to the wrong account.

What to do: put a hard rule in place — any change to bank or payment details gets verified by phone, on a number you already hold, before anyone touches the accounting system. It's the single cheapest control with the biggest payoff.

The wider picture

A few threads worth holding in your head:

• Attacks are getting more deliberate. SonicWall's 2026 reporting describes a shift away from "spray and pray" toward targeted exploitation of one weak spot (SME Cyber Insights). Lower volume doesn't mean lower risk — it means they're picking their moment.
• Ransomware headlines are down, but not gone. The breaches survey put ransomware at around 1% of businesses (ICAEW) — rare, but devastating when it lands, and increasingly delivered through managed providers and software supply chains.
• AI cuts both ways. It's powering more convincing attacks, but the data also shows that organisations whose staff complete proper security training report substantially reduced risk — one survey put it at 86% reporting a measurable reduction (Firebrand). The boring stuff still works.

Watch list — July

• Edge-device patching. Confirm your firewall and VPN firmware is current. Don't wait for an incident to find out it wasn't.
• AI-voiced video phishing. Brief staff that "run this command to unlock software" is now an infostealer vector on social media.
• Cyber Essentials 2026 changes. This year's revision clarifies cloud scope, addresses VDI and thin clients, and tightens password rules so they need technical enforcement, not just a written policy (Yellowcom). If you're recertifying, this affects you — our Cyber Essentials service covers the new requirements.

The honest local view

None of this needs a big budget or a panic. The firms that come through the year without a serious incident aren't the ones with the most expensive kit — they're the ones who patch promptly, turn MFA on everywhere, verify payment changes by phone, and keep their people slightly suspicious of anything that asks them to do something unusual in a hurry. That's most of the battle, and it's exactly the routine we run, quietly, for the businesses we look after across Greater Manchester.

If you're not sure where you stand on any of the three actions above, that's a perfectly good reason to get in touch.

FAQ

Are small businesses really targeted, or is this just big-company stuff?

Targeted. The Cyber Security Breaches Survey 2025 found 46% of small businesses reported a breach or attack in the last year (ICAEW). Most attacks aren't personal — they're automated, scanning for any exposed weakness regardless of company size.

My firewall's a few versions behind — is that actually urgent?

This month, yes. NCSC reported active exploitation of edge devices including Palo Alto, Check Point, Cisco and Ivanti products in mid-June (CTO at NCSC). An internet-facing device running known-vulnerable firmware is one of the highest-risk things on your network. Get it confirmed current.

We use an MSP — aren't we covered automatically?

Partly, but you should never assume. Ask your provider for written confirmation that edge devices are patched and MFA is enforced everywhere. A good provider will give you straight answers and version numbers, not reassurance.

What's the single highest-impact thing we can do this month?

Confirm every internet-facing firewall, VPN and remote-access endpoint is fully patched and behind MFA. That closes off the entry point the 2026 data now ranks number one (CTO at NCSC).

We're Cyber Essentials certified — does that cover this?

It covers a lot of the fundamentals, and the 2026 revision tightens several of them (Yellowcom). But certification is a baseline, not a force field — it works when the controls behind it are genuinely maintained, not just documented once a year.

How do you protect against the email scams that change supplier bank details?

Verify every change to payment or bank details by phone, on a number you already hold, before updating anything. BEC is the costliest attack type for UK firms (Coalition, via Conversational Geek), and this one control stops most of it.

Inology IT provides managed IT support and Cyber Essentials certification for businesses across Greater Manchester. If you'd like a straight answer on where your edge devices and email controls stand, get in touch.