Malwarebytes CEO Marcin Kleczynski discusses the dangers of failing to prioritise cybersecurity, particularly for SMEs.
2025 has been a bumpy ride so far. In the US, the actions of the new administration raise questions around cybersecurity policy, government support, and the talent pipeline. Across the Atlantic, UK businesses face similar jitters. Trade tensions, economic headwinds and policy shifts are reshaping how companies everywhere think about risk – and how much they’re willing to invest in protection.
That backdrop matters because while global uncertainty builds, cyberthreats aren’t slowing down. In fact, a threefold increase in major UK cyber incidents was reported last year alone, with consumers losing an estimated £11.4bn.
AI, ransomware and state-sponsored attacks continue to evolve, yet budgets are tightening and confidence is fading.
The tension between rising threats and tighter budgets is causing businesses to pause their protection efforts and scrutinise their spending. Smaller businesses in particular are now asking a dangerous question: Is cybersecurity a priority or a luxury?
Cutting corners comes at a cost
SMEs make up more than 99pc of all UK firms – and many are now facing impossible trade-offs, with cybersecurity sliding down the priority list. Some are second-guessing earlier investments, others are choosing not to add extra layers of protection, such as upgraded antivirus, backup tools or email filters. When cashflow is tight, anything that isn’t seen as immediately essential is put on pause.
But cybercriminals don’t pause – they exploit every gap left open.
The instinct to delay or downgrade protection might save money today, but for smaller businesses, it can open the door to losses they can’t recover from – downtime hits harder and recovery takes longer.
Without the right defences in place, even a modest breach can become a business-ending event.
Over the years, I’ve seen small businesses bounce back – and others fold – based on a single ransomware incident.
Attacks are still evolving
The biggest threats come through the inbox or browser. Phishing, credential harvesting and social engineering continue to work because they’re human problems, not technical ones.
Now, attackers are also turning to malvertising – injecting malicious code into seemingly legitimate ads on trusted websites. One careless click is all it takes to trigger malware downloads or redirect users to fake login pages.
AI is raising the stakes, too. Attackers are using it to craft convincing emails that mimic tone, language and timing. They’re impersonating suppliers, colleagues, even customers. The old signs – typos, odd formatting, generic greetings – aren’t reliable anymore.
And when people are overworked, distracted or under pressure, mistakes happen.
Even organisations with well-trained teams are slipping up. That’s why phishing simulations and ongoing education still matter. Not once a year or once a quarter, but consistently and in context.
Realistic testing helps keep people sharp and reminds them that vigilance is everyone’s job.
Separating substance from snake oil
Every product in the cybersecurity market now claims to be ‘AI-powered’. Scratch the surface, and many of these tools are just marketing makeovers. There’s often little explanation of how AI is being applied, where the data comes from or, most importantly, what real benefit it brings.
In times like these, businesses need clarity, not confusion. If the AI features of a product can’t be explained in plain English, it’s probably not doing much beyond automation.
Good AI tools should simplify decision-making, reduce alert fatigue and support scale. If they’re adding noise or hiding logic, they’re part of the problem.
Security leaders need to separate innovation from illusion. AI absolutely has a role to play, but only when it’s used responsibly and transparently. Blind faith in technology without understanding how it works is just another vulnerability.
Delay is the real danger
Many businesses are in wait-and-see mode. They’re watching the economy and tracking policy. They’re hoping things stabilise before committing to long-term security investments. But in cybersecurity, delay creates exposure.
Threat actors are waiting to exploit. They know smaller firms are cutting back and they know protection gaps are opening. The opportunity window for them is wide open and they’re moving quickly.
Don’t become the next headline
Don’t let delay become your downfall. Stop treating cybersecurity like a luxury and start treating it like the business-critical lifeline it is.
Here’s what you can do right now:
Re-evaluate your risk exposure
Identify your most vulnerable points – email, endpoints, backup systems – and make them your top priority.
Invest in solutions tailored to you
Focus on solutions and partners who understand your needs and can help streamline and simplify security for your company, without cutting quality.
Educate and empower your people
Launch regular, realistic phishing tests and ongoing security awareness training to make vigilance a core part of your culture. Welcome questions and discussions about scams, phishing attempts and security.
Demand transparency from your vendors
If you use AI tools, insist on clarity, not marketing jargon. Make sure every solution adds real protection, not just buzzwords.
Create an incident response plan
Create a plan for what happens if someone gains access to your data or systems. There are many resources to help you get started, such as the National Cyber Security Centre Small Business Guide.
Insecurity loves indecision. The longer you wait, the more opportunity you give your attackers.
Marcin Kleczynski is CEO and co-founder of Malwarebytes, a cybersecurity company specialising in simple, intuitive cyber protection for consumers and businesses.