SME Cybersecurity: Filing Fiasco – What the Companies House WebFiling issue means for your business
When a core public register stumbles, criminals do not waste time. The Companies House WebFiling security issue is a timely reminder that SME cybersecurity is not just about your laptops and firewalls; it is about the accounts, portals, and identity checks you rely on to trade, borrow, hire, and prove you are legitimate.
Most directors only look at Companies House when filing is due or something goes wrong. That is exactly the gap attackers exploit, especially when they can combine portal access with stolen email credentials and believable “urgent” payment requests.
What happened, and why should UK SMEs care?
Companies House published an update on a WebFiling security issue. Even without the technical detail, the practical SME takeaway is clear: your organisation’s “official identity surface” can be attacked via third-party systems, not just your own network.
For SMEs, the risks tend to cluster around:
* Account takeover: criminals use stolen passwords from previous breaches, or phished credentials, to access online services.
* Filing fraud and impersonation: changes to officer details, registered office, or filings can create confusion with banks, insurers, suppliers, and customers.
* Business email compromise: attackers compromise a mailbox, then pivot to finance processes, invoice redirection, and “director requests”.
This is part of the wider pattern. The UK Government’s Cyber Security Breaches Survey 2024 found 50% of businesses reported a cyber breach or attack in the previous 12 months, showing how routine compromise has become across UK small business cyber threats.
What does “portal security” actually mean in plain English?
A portal is any online service where your business identity and transactions live. Companies House WebFiling is one; HMRC services, Microsoft 365, your bank platform, your pension provider, and your practice management system are others.
Portal security means you can answer three questions, quickly:
* Who can log in? Named users, not shared logins or “admin@”.
* How do they prove it is them? Multi-factor authentication (MFA), not just a password.
* What happens if it goes wrong? A simple cyber incident response plan, with steps to lock accounts and notify the right parties.
In practice, weak portal security becomes expensive because the clean-up hits cashflow, reputation, and director time, not just IT.
