Infosecurity Europe: CyCOS Project Expands to Support UK SMEs

In the UK, a small initiative aimed at helping small and medium enterprises (SMEs) tackle cybersecurity problems is scaling up as it prepares for a bigger future.

The Cybersecurity Communities of Support (CyCOS) is a UK research-driven pilot launched by academics from the University of Nottingham, Queen Mary University of London and the University of Kent to test a new, peer-led model of cyber support for small and micro businesses.

The project began in late 2023 as an investigation into gaps in SME cyber guidance and grew into a practical pilot that established two professional communities – one focused on micro businesses and the other on small and medium enterprises.

Each community is intentionally small and manageable and is supported by volunteer cyber practitioners so members can build trust, share experiences and get timely, practical help.

Speaking to Infosecurity, Steven Furnell, professor of cybersecurity at the University of Nottingham, noted: “We've got two or three experts and eight or nine organizations within each community, which keeps groups large enough to be useful but small enough to be personal.”

CyCOS operates with a mix of synchronous and asynchronous support designed to fit SME schedules:

Regular thematic webinars and occasional in-person meetings
Plenary sessions that bring communities together for broader briefings and cross-community discussion
Live ‘Ask Me Anything’ sessions where volunteer cyber experts field members’ questions in real time
A support-broker online platform hosting community threads, polls, session recordings and ad-hoc Q&A so members can keep the conversation going between events
Recordings and shared resources so members who can’t attend live still benefit

After over two years of academics running the project, CyCOS is now about to enter a new phase, with a planned expansion and a winding down of the academics’ leadership, Furnell told Infosecurity.

CyCOS Expands to Seven Communities Ahead of CIISec Handover

The announced expansion will add five new communities, bringing the pilot cohort from two to seven.

The move comes as the academic funding phase nears its end and the project prepares for a handover to the Chartered Institute of Information Security (CIISec), a professional body for cybersecurity practitioners, which is already a CyCOS partner.

“CyCOS as a concept of cybersecurity communities of support will still exist but will be promoted within CIISec. As for us academics, we’ll still be around too, just not running the projects like we used to,” Furnell said.

Speaking to Infosecurity, Amanda Finch, CEO at CIISec, said the organization is “proud to be involved” in the development of CyCOS.

“As security professionals, we all have a duty of care to help smaller organizations improve their cyber resilience. The current communities of support are already doing excellent work in this area, so very glad that more are being established,” she added.

Furnell was unable to give more information about the five new communities at this early stage. However, he explained that they were all founded by SMEs that “feel they can attract a suitable number of other SMEs to join a community” and volunteered to act as facilitators, as “beacons within those communities.”

The new CyCOS communities can be built around a geographical location, a sector or even a supply chain.

Leading SMEs have been provided with a “Community Toolkit” that they can follow to recruit members, establish a community and operationalize it. This document also ensures groups can replicate the model as responsibility transitions to CIISec.

SMEs Know the Risks, But Lack Direction on How to Respond

Cyber threats to SMEs have evolved and grown as citizens and threat actors alike have realized they are “a crucial part of everyone’s life and activities,” Furnell said.

“Particularly, we have seen major cyber incidents that have had impact on the supply chain, and thus involved SMEs,” he added.

In this challenging environment, he said awareness of cybersecurity guidance and government programs is still limited within UK-based SME leaders – and the smaller the company, the less aware they are.

This trend is particularly prominent with Cyber Essentials, the UK government-endorsed scheme to certify the level of cyber hygiene of UK-based organizations.

According to the latest edition of the UK Cyber Security Breaches survey, a point of reference for Furnell and CyCOS, 64% of large businesses and 56% of medium businesses were aware of the program, compared to 25% of small businesses and 14% of micro businesses.

However, after over two years working on the CyCOS project, Furnell believes the main problem for SMEs is not necessarily awareness that cyber hygiene is important, but where to find resources and expertise to implement cybersecurity.

“In many cases, people we’re speaking to recognize the issues but don’t feel empowered to do something about it,” Furnell explained.

Speaking to Infosecurity, Helen Barge, principal and head of digital resilience services at Howden and volunteer within the Federation of Small Businesses (FSB), brushed off the lack of budget as being the main reason behind some SMEs lagging in cybersecurity.

“I get tired of that excuse, because some of the controls that you can put in place, like multifactor authentication (MFA) actually don’t cost any money,” she highlighted.

“Something like patching may cost a lot of money, but budget is definitely not the only restrictor,” she added.

She emphasized the accessibility of what she described as “brilliant guidance” released by the UK government, including the National Cyber Security Centre’s (NCSC) Cyber Action Toolkit, released in 2025.

One thing Barge said was key for SMEs, who do not necessarily have enough staff dedicated to cyber, is choosing the right IT and cybersecurity providers.

She criticized some cybersecurity providers for questionable practices, especially when dealing with SMEs.

“I was working with a client earlier this week and their IT provider charges extra for patching within 14 days – which is a requirement to obtain the Cyber Essentials certificate in the UK. That’s not acceptable: a cleaner doesn’t charge me extra for a buying a bottle of bleach, that’s part of the service,” she said.

However, Barge noted: “I don’t want to tar everybody with the same brush: it’s important to say not all SMEs are rubbish at [cybersecurity]. Within CyCOS and the FSB, we’re working with some that are doing amazing things, that are standing out in their cyber hygiene.”

Steven Furnell, Amanda Finch and Helen Barge will speak on a panel session titled “Communities of Support: Scaling Practical Cyber Help for SMEs”, held on the keynote stage of Infosecurity Europe 2026 on Thursday, June 4 (11:50 to 12:30). Steven Furnell will also be running cyber gamified activities at Infosec Sidequest. You will also be able to find CIISec at Booths #F155 and #F157. Register for Infosecurity Europe here.

Infosecurity Europe: CyCOS Project Expands to Support UK SMEs as CIISec Takes Over

Kevin Poireault

CyCOS Expands to Seven Communities Ahead of CIISec Handover

SMEs Know the Risks, But Lack Direction on How to Respond

You may also like

Are UK Companies Better Prepared than US Counterparts for GDPR?

UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs

#Infosec2025: NCC Group Expert Warns UK Firms to Prepare for Cyber Security and Resilience Bill

Compliance Now Biggest Cyber Challenge for UK Financial Services

2025: A Critical Year for Cybersecurity Compliance in the EU and UK

What’s Hot on Infosecurity Magazine?

India's CERT-In Sets 12-Hour Patch Deadline for Exposed Flaws

GCHQ Chief Urges Action as AI Reshapes Cyber Threats

Thousands of Fake FIFA Domains Target World Cup Fans

Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning

China-Linked Webworm APT Evolves Tactics, Expands to European Targets

AI Raises the Bar on Vulnerability Awareness and Secure-by-Design Software

FBI Warns 'Kali365' Phishing Kit Hijacks Microsoft 365 OAuth Tokens

Cyber Resilience Under Pressure: Can Your Organisation Prove Control When it Matters Most?

Iran-Linked Hackers Target US Aviation with Phishing and SEO Poisoning Campaign

Cybercriminal VPN Dismantled in Europol Crackdown

Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning

Nine-Year-Old Linux Kernel Flaw Leaks SSH Keys and Password Hashes

Cyber Resilience Under Pressure: Can Your Organisation Prove Control When it Matters Most?

Behind the Curtain of Microsoft 365 Cybersecurity: Lessons from Overlooked Resilience Gaps

Building True Cyber Resilience Across Financial Supply Chains

Why Resilience‑Focused Cloud Design Is Your Best Defense Against Modern Attacks

How to Harness Advanced Intelligence Capabilities to Strengthen Cyber Defence

Securing M365 Data and Identity Systems Against Modern Adversaries

Anthropic Rolls Out Claude Security for AI Vulnerability Scanning

Inside the Code War: Defending Against Nation-State Cyber Threats

Interview: How YKK Is Securing the World’s Largest Zipper Manufacturing Operation

CISA and Partners Publish Zero Trust Guidance For OT Security

Most Cybersecurity Professionals Feel Undervalued and Underpaid

Cyber Resilience Under Pressure: Can Your Organisation Prove Control When it Matters Most?

Infosecurity Europe: CyCOS Project Expands to Support UK SMEs as CIISec Takes Over

Written by

CyCOS Expands to Seven Communities Ahead of CIISec Handover

SMEs Know the Risks, But Lack Direction on How to Respond

You may also like

What’s Hot on Infosecurity Magazine?