DDoS Attacks Against UK SMEs: Securus CEO Brett Rowe explains why “Too Small to Target” Is a Myth

Gibraltar:  Friday, 17 April 2026 – 09:00 CET

By Brett Rowe – CEO Securus Technology Group 
SMECyberInsights.co.uk – First for SME Cybersecurity

For years, many UK SMEs have reassured themselves with a simple phrase: “We’re too small to be a target.” It feels comforting, and on the surface, it is even plausible. Why would attackers waste their time on a regional law firm, a specialist manufacturer, a hospitality group, or a college when there are global brands to aim at?

The reality, especially in the DDoS (Distributed Denial of Service) world, is very different.

When attackers launch DDoS campaigns, they are not looking up your Companies House filings before pressing the button. They are using large botnets, automated tools and opportunistic targeting. If your services are online and important to your customers – booking engines, payment portals, VPNs, remote desktop, web apps – then you are part of the blast radius.

As a result, “too small to target” has quietly become one of the most dangerous myths in SME cyber security.

This is exactly the problem Securus Technology Group built its DDoS protection service, Securus Shield, to address.

What a DDoS Attack Actually Is – in Plain English

A DDoS attack is a way of knocking a service offline by overwhelming it with traffic. Instead of trying to “hack in”, the attacker simply makes it impossible for legitimate users to get through.

There are two broad types that matter to SMEs:

* Volumetric attacks: these are like opening a fire hydrant into a garden hose. The attacker floods your internet connection or upstream network with so much traffic that nothing else can get through. Legitimate requests queue up, time out, or never arrive.

* Application‑layer attacks: here, the attacker sends what looks like normal web traffic – for example, lots of HTTP requests to your website or booking engine – but in such a way that the server becomes overwhelmed. It is more “surgical” than a raw bandwidth flood, but the outcome is similar: real users see slow pages, errors or a complete outage.

Both approaches typically use a botnet: thousands of compromised machines and IoT devices scattered across the internet, all sending traffic at once on command.

From the attacker’s perspective, your size is irrelevant. What matters is that:

* you have something online; and
* taking it down causes pain, visibility, or leverage.

Why UK SMEs Are Now Squarely in the Blast Radius

Historically, DDoS was often associated with large gaming platforms, global banks or political targets. Those are still hit, but three trends have dragged SMEs into the same storm.

First, there is far more automation. Attackers do not manually hand‑pick every victim. They scan for exposed services, weak protections and known targets (like specific web platforms, VPNs or remote access systems). If your business runs the same technology stack as a larger one, you can be swept up in the same campaign.

Second, DDoS is cheap. “DDoS‑for‑hire” services mean that anyone with a modest budget – a disgruntled ex‑employee, a competitor with poor ethics, a student with a grudge – can rent a botnet for an hour or a weekend. SMEs are attractive because they often lack sophisticated defences, so a small outlay can cause significant disruption.

Third, geopolitics has become a backdrop. As we have seen in conflicts involving Russia, Iran and others, politically motivated groups are happy to hit a mixture of primary targets and collateral ones. They go after shared infrastructure, specific industries and widely used hosting providers. SMEs can be impacted because they are in the wrong place at the wrong time on the internet.

If your customer portal, booking site, VPN gateway or web application lives in that shared ecosystem, you are exposed – whether or not an attacker can spell your company name.

Real‑World SME Scenarios: Where DDoS Actually Hurts

It can be tempting to think of DDoS as an abstract “IT problem”. For most SMEs, it is a very tangible business problem. A few familiar scenarios:

* Hospitality and leisure
A hotel or venue relies on an online booking engine and gift voucher site. A flood of traffic makes both unreachable on a Friday afternoon. Guests cannot book; vouchers cannot be redeemed. The team scrambles to handle calls manually. Weekend revenue drops, and the brand looks unreliable.

* Professional services
A law firm or accountancy practice offers a client portal for document sharing and case updates. A DDoS against the hosting provider makes access intermittent. Clients trying to upload time‑critical documents encounter errors and delays. From their perspective, the firm looks disorganised and insecure, even if no data has been compromised.

* Education
A college has remote access and learning platforms for students and staff. In exam season, a DDoS attack aimed at “making a point” takes the main access point down. Teaching is disrupted, and the organisation suddenly finds itself talking to regulators and anxious parents.

* Manufacturing and distribution
A specialist manufacturer runs a web portal for orders and a VPN for remote access to key systems. A DDoS incident ties up its internet connection. Orders cannot be placed; remote sites cannot connect; or, in a more subtle case, performance becomes so poor that operations slow to a crawl.

In all of these cases, the damage is disproportionately large compared to the effort an attacker expends.

The Economics: Downtime vs Protection

Boards and finance teams quite reasonably ask, “What is the business case?”

A sensible way to think about DDoS protection is through three lenses:

* Direct revenue impact
How much revenue flows through online channels per hour or per day? You do not need to be an e‑commerce giant for the numbers to be uncomfortable. A hospitality group losing a weekend of online bookings, a manufacturer unable to accept orders, or a professional services firm with a key client tender portal offline can see significant losses quickly.

* Contractual and reputational damage
Many organisations now work under SLAs with uptime expectations. Repeated outages – even if caused by third‑party attacks – can erode trust and raise awkward questions. Clients often do not distinguish between “our systems broke” and “our provider was attacked”; they just see that you were unavailable.

* Recovery cost and internal disruption
DDoS incidents consume internal time: IT staff firefighting, leadership answering calls, service teams handling complaints. In some cases, emergency workarounds and infrastructure changes are rushed through under pressure, introducing new risks.

Against that, the cost of a properly designed, managed DDoS protection service – especially one integrated with your connectivity and firewall – is usually modest. It becomes part of the cost of doing business online reliably, rather than a luxury.

Why On‑Premise Firewalls Alone Are Not Enough

A common misunderstanding is that “we have a firewall, so we are covered.”

Firewalls are essential, but they were not designed to absorb huge amounts of unwanted traffic. In fact, they can become part of the problem during a DDoS attack:

• The internet connection saturates before the firewall can decide what to allow or block.
• The firewall itself becomes overwhelmed trying to inspect and handle the flood.
• Legitimate traffic to other services using the same connection is squeezed out.

Effective DDoS mitigation generally needs to happen upstream, before the bad traffic reaches your line. That means diverting traffic through specialised “scrubbing” infrastructure on a high‑capacity network that can:

• detect attack patterns;
• filter or rate‑limit malicious flows; and
• pass only clean traffic back to your actual connection.

This is the model Securus Communications has built into Securus Shield.
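To make the "detect attack patterns" step concrete, here is an added illustration (not code from Securus or Securus Shield) of why a per-source rate limit alone misses a botnet-driven application-layer flood, while an aggregate check against a baseline catches it. The request records, addresses, baseline and thresholds are all constructed assumptions.

```python
from collections import Counter

def build_sample():
    """Constructed request records (second, source, path); not real traffic."""
    records = []
    # Seconds 0-4: normal load, 5 clients making 2 requests per second each.
    for sec in range(5):
        for c in range(5):
            records += [(sec, f"198.51.100.{c + 1}", "/booking")] * 2
    # Second 2: one noisy client sends 30 requests on its own.
    records += [(2, "192.0.2.9", "/booking")] * 30
    # Seconds 5-9: 400 distinct sources send just 1 request per second each,
    # so every individual source looks like an ordinary visitor.
    for sec in range(5, 10):
        for b in range(400):
            records.append((sec, f"203.0.{b // 200}.{b % 200 + 1}", "/booking"))
    return records

def per_source_offenders(records, limit):
    """Sources exceeding `limit` requests in any one-second window."""
    counts = Counter((sec, src) for sec, src, _ in records)
    return sorted({src for (_, src), n in counts.items() if n > limit})

def aggregate_alerts(records, baseline_rps, factor):
    """Seconds where total requests to a path exceed factor x baseline.

    Returns (second, path, request_count, distinct_sources) tuples.
    """
    totals = Counter((sec, path) for sec, _, path in records)
    alerts = []
    for (sec, path), n in sorted(totals.items()):
        if n > baseline_rps * factor:
            sources = len({s for t, s, p in records if t == sec and p == path})
            alerts.append((sec, path, n, sources))
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    # The per-source limit only sees the single noisy client.
    print("per-source offenders:", per_source_offenders(sample, limit=20))
    # The aggregate check sees the distributed flood in seconds 5-9.
    for alert in aggregate_alerts(sample, baseline_rps=10, factor=5):
        print("aggregate alert:", alert)
```

The high distinct-source count next to a low per-source rate is the signature that tells an operator per-IP blocking will not help and filtering has to happen on aggregate behaviour upstream.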

Securus Shield: DDoS Protection Designed for Organisations That Cannot Afford to Go Offline

Securus Shield is Securus Communications’ managed DDoS protection service, built on top of the company’s own high‑capacity UK core network.

Instead of bolting a third‑party service onto an already fragile setup, Securus starts from the network and works upward:

• Traffic to your protected services is routed through the Securus core network.
• During normal operation, this happens quietly in the background, adding minimal overhead.
• When a DDoS attack begins, Securus Shield’s detection mechanisms identify the abnormal patterns.
• Malicious traffic is diverted to scrubbing infrastructure within the Securus network, where it is filtered and cleaned.
• Legitimate traffic is forwarded on to your systems; malicious flows are dropped or rate‑limited upstream.

From the client perspective, the critical difference is who absorbs the pain. Instead of your single broadband line or leased circuit trying to swallow the entire attack, Securus’ backbone does the heavy lifting.

Equally important is the human element. Securus’ UK‑based team monitor, tune and explain what is happening in plain English. That echoes Securus’ wider approach: service‑led, not product‑pushed; clear, human communication rather than jargon.

Making DDoS Protection Part of a Wider Resilience Story

DDoS is only one facet of resilience, but it is one that interacts strongly with connectivity, firewalls, monitoring and recovery plans.

For Securus clients, Securus Shield does not sit alone. It is integrated with:

• Securus Connect services – resilient leased lines, business broadband and SD‑WAN/SASE designs to avoid single points of failure.
• Managed Firewall – so firewall policies and configurations reflect the reality of how DDoS mitigation is handled.
• Managed Detection & Response (MDR) – so DDoS‑related events, anomalies and side‑effects are visible to the same team watching for other threats.
• Disaster Recovery and Private Cloud – so that if an upstream provider or platform is impacted, there are thought‑through options for maintaining service.

For UK SMEs and mid‑market organisations, that integrated approach is often the difference between “we bought a DDoS product” and “we can stay online during an incident”.

The myth of being “too small to target” is fading. The practical question now is: if your website, portal or remote access is the front door to your business, who is making sure it stays open when the wider internet becomes hostile?

For Securus, the answer is clear: organisations that cannot afford to go offline need DDoS protection embedded into the network itself – not bolted on as an afterthought.

SECURUS Communications Ltd

Securus is a managed communications operator, providing next-generation network infrastructure and value-added services to managed hosting providers and the ‘cloud generation’ of enterprises. Securus’ priority is to offer communication services that represent excellent value for money and are backed by exceptional levels of support.
