A groundbreaking pilot program in the UK aimed at enhancing cybersecurity for small and medium-sized enterprises (SMEs) is gearing up for a notable expansion. The Cybersecurity Communities of Support (CyCOS), which was initiated in late 2023 with the collaboration of researchers from respected institutions such as the University of Nottingham, Queen Mary University of London, and the University of Kent, is poised to expand from two communities to seven. This transition marks a shift from oversight by academic researchers to management under the Chartered Institute of Information Security (CIISec), showcasing a significant development in supporting SME cybersecurity needs.
The core objective of CyCOS is to bridge a notable gap in the cybersecurity preparedness of SMEs. Despite an increasing awareness of cyber threats—fuelled in part by various supply chain incidents—many smaller businesses continue to grapple with the implementation of effective protective measures. According to a survey conducted by the UK Cyber Security Breaches, the statistics reveal a disconcerting reality: only 14% of micro businesses and 25% of small enterprises are aware of Cyber Essentials, a government-endorsed certification program aimed at fortifying cybersecurity. In contrast, awareness rises significantly among medium (56%) and large businesses (64%). Professor Steven Furnell, an academic from the University of Nottingham, emphasized that while leaders of SMEs recognize the inherent cybersecurity risks they face, there remains a substantial lack of guidance on how to effectively tackle these challenges.
CyCOS operates through deliberately small groups, typically consisting of two to three volunteer cybersecurity experts paired with eight to nine businesses. This model fosters a supportive environment where participants can share knowledge and resources. The communities facilitate interaction through regular thematic webinars, occasional in-person gatherings, live question-and-answer sessions, and an online platform that hosts discussion threads, polls, and recorded sessions. This flexibility accommodates the busy schedules of small business owners, making it easier for them to engage and benefit from the available resources. The forthcoming five new communities will be organized based on geographical regions, industrial sectors, or specific supply chains, with SMEs volunteering to act as facilitators using a standardized Community Toolkit.
While it is commonly understood that budget constraints can pose challenges to improving cybersecurity, experts involved in CyCOS underline that financial limitations are not the primary obstacle. Helen Barge, a principal at Howden and a volunteer with the Federation of Small Businesses, pointed out that basic cybersecurity measures, like multifactor authentication, are cost-free and essential for safeguarding information. She criticized certain IT service providers for levying additional charges for fundamental security practices, such as timely software patching, which is a prerequisite for obtaining Cyber Essentials certification. Although the UK government has made strides in providing accessible resources, including the National Cyber Security Centre’s Cyber Action Toolkit, many SMEs struggle to navigate these offerings effectively.
As CyCOS transitions management to CIISec, the academic founders will take a step back from direct operational roles, although they will continue to offer guidance and support. Amanda Finch, the CEO of CIISec, stated that cybersecurity professionals are ethically bound to assist smaller organizations in enhancing their cyber resilience. The upcoming expansion aims to replicate the successful peer-support model in additional communities, empowering participating SMEs to take on leadership roles within the network. To share insights from its development, the program’s leadership will present at Infosecurity Europe 2026, scheduled for June, where they will discuss findings and experiences gained from over two years of pilot operations.
In consolidating its efforts and expanding its reach, the Cybersecurity Communities of Support program stands as a pivotal initiative in addressing the critical need for improved cybersecurity among the UK’s SMEs. By fostering a collaborative environment that emphasizes shared learning and support, CyCOS aims to build a more secure landscape for small and medium enterprises, ultimately contributing to a more resilient economy overall. The program’s evolution under CIISec’s leadership marks a significant step toward achieving this ambitious goal, reinforcing the need for ongoing partnerships and resources to address the ever-evolving cyber threat landscape.