In the United Kingdom, a burgeoning initiative aimed at assisting small and medium-sized enterprises (SMEs) in combating cybersecurity challenges is on the verge of expansion, setting its sights on a more substantial future. The Cybersecurity Communities of Support (CyCOS) project, launched by researchers from the University of Nottingham, Queen Mary University of London, and the University of Kent, represents a unique, research-driven pilot. The initiative explores a novel, peer-led approach to providing cybersecurity support specifically tailored for small and micro businesses.
Originating in late 2023, CyCOS began as an investigation into the existing gaps in cybersecurity guidance for SMEs. This foundational inquiry quickly evolved into a practical pilot, which successfully created two distinct professional communities. One community is dedicated to micro businesses, while the other focuses on small and medium enterprises. This carefully structured framework allows for intimate, manageable groups that can foster trust and promote open exchange of experiences and practical advice.
Professor Steven Furnell, a leading academic in cybersecurity at the University of Nottingham, highlighted the thoughtfully designed community structure in an interview with Infosecurity. “We’ve got two or three experts and eight or nine organizations within each community, which keeps groups large enough to be useful but small enough to be personal,” Furnell explained. This intimate setting enables members to gain timely, relevant help from volunteer cybersecurity practitioners.
CyCOS employs a hybrid model of synchronous and asynchronous support that aligns with the schedules of busy SME operators. Some key features of the program include:
- Regular thematic webinars and occasional in-person meetings to facilitate direct learning and networking.
- Plenary sessions designed to unite communities for broader discussions and exchanges of ideas.
- Live "Ask Me Anything" sessions where participants can engage directly with volunteer experts.
- A dedicated online platform that hosts community threads, polls, session recordings, and spontaneous Q&A opportunities, allowing discussions to persist between organized meetings.
- Recorded sessions and resource sharing ensures that members who may be unable to attend live events can still benefit from the insights shared.
As the academic phase of the project approaches its conclusion, CyCOS is poised to transition into a new phase aimed at expansion, according to Furnell. The project will soon unveil plans to grow from two to seven communities, a significant leap forward that signifies ongoing commitment to enhancing cybersecurity resilience among SMEs.
This planned expansion comes as the project prepares for a handover to the Chartered Institute of Information Security (CIISec), a prominent professional body for cybersecurity practitioners that has partnered with CyCOS since its inception. Furnell remarked, "CyCOS as a concept of cybersecurity communities of support will still exist but will be promoted within CIISec. As for us academics, we’ll still be around too, just not running the projects like we used to."
Amanda Finch, the CEO of CIISec, expressed pride in her organization’s role in the evolution of CyCOS, emphasizing the essential duty security professionals have to bolster the cyber resilience of smaller organizations. She stated, “The current communities of support are already doing excellent work in this area, so I’m very glad that more are being established.”
While specific details regarding the five new communities remain sparse at this stage, Furnell noted that they would be established by SMEs that are confident in their ability to attract other businesses to join the initiative. These SMEs will act as facilitators, serving as beacons for their respective communities.
The potential for these new communities to focus on geographical areas, specific sectors, or even supply chains adds a layer of customization to the initiative, allowing for a more tailored approach to cybersecurity challenges faced by different businesses. To aid in this process, leading SMEs have been provided with a "Community Toolkit" designed to support member recruitment, community establishment, and the operationalizing of these newly formed groups.
Despite an increasing awareness of cybersecurity risks, SMEs continue to face significant challenges in effectively addressing these threats. Furnell pointed out that while SME leaders recognize the importance of cybersecurity, they often feel overwhelmed by the lack of accessible resources and expert guidance available to them.
In the context of this evolving cybersecurity landscape, the awareness of governmental initiatives, such as the Cyber Essentials program, remains alarmingly low among smaller businesses. The latest UK Cyber Security Breaches survey highlights a stark disparity in awareness: while 64% of large businesses and 56% of medium businesses are familiar with the program, only 25% of small businesses and a mere 14% of micro businesses are aware.
Helen Barge, a principal at Howden and a volunteer within the Federation of Small Businesses (FSB), emphasized that budget constraints should not be viewed as the sole barrier to improved cybersecurity. “Some of the controls that you can put in place, like multifactor authentication (MFA), actually don’t cost any money,” Barge noted. Moreover, she highlighted the plethora of excellent guidance available from the UK government, such as the National Cyber Security Centre’s Cyber Action Toolkit.
Choosing the right IT and cybersecurity providers also plays a crucial role in fostering a culture of cyber resilience among SMEs. Barge expressed concern over some providers who exploit SMEs’ vulnerabilities for profit, calling attention to unacceptable billing practices for standard cybersecurity services.
Nevertheless, she also emphasized that not all SMEs struggle with cybersecurity, citing many that excel in their cyber hygiene. The collaborative efforts within CyCOS and the FSB are fostering a community of businesses committed to improving their cybersecurity posture.
To further discuss the evolution of cybersecurity support for SMEs, Furnell, Finch, and Barge will participate in a panel session titled “Communities of Support: Scaling Practical Cyber Help for SMEs,” scheduled for the keynote stage at Infosecurity Europe 2026. This session aims to explore scalable strategies and collaborative initiatives that can bolster cybersecurity resilience among SMEs across the UK and beyond.