Part 1 of 5: Why Small Businesses Are Losing the Cybersecurity Battle?
A deep dive into building a cost-effective security lab to test real-world attack scenarios
Picture this: A small marketing agency with 15 employees gets hit by a ransomware attack. Their WordPress site — built with a popular plugin — becomes the entry point. Within hours, customer data is encrypted, operations halt, and the ransom demand arrives: £50,000.
This isn't fiction. It's happening every day to small and mid-sized enterprises (SMEs) across the UK and globally.
The harsh reality: 32% of UK businesses reported cyber incidents in the past year. For medium-sized firms, that number jumps to 59%. Even more concerning? The average cost of a breach for small businesses rose by 13–21% in 2023.
For many SMEs, a single successful attack can be existential.
The SME Security Paradox
Here's the problem: Small businesses are perfect targets but the worst equipped to defend themselves.
Why SMEs Are Vulnerable
Limited Resources
While large enterprises can afford dedicated security teams and advanced monitoring tools, SMEs operate on tight budgets. Cybersecurity often drops to the bottom of the priority list when competing with payroll, marketing, and day-to-day operations.
Lack of Expertise
Most SMEs don't have in-house cybersecurity professionals. They rely on generalist IT staff or outsourced support — neither of which typically includes proactive threat hunting or security testing.
Common Attack Vectors
The attacks targeting SMEs are well-known:
- Web applications (especially WordPress sites with vulnerable plugins)
- Phishing emails targeting employees
- Misconfigured network services exposed to the internet
- Weak or reused passwords across systems
The WordPress Problem
WordPress powers 43% of all websites globally. For SMEs, it's attractive: easy to use, affordable, and highly customizable through plugins.
But here's the catch: Third-party plugins are a security minefield.
Many plugins are developed by small teams or individual developers. They're often:
- Poorly maintained
- Rarely audited for security
- Left unpatched for months or years
According to the OWASP Top Ten, "Vulnerable and Outdated Components" consistently ranks as one of the most exploited weaknesses. For SMEs running WordPress, this is a critical concern.
The Cost of Being Unprepared
Industry reports paint a grim picture:
"SMEs are less resilient in terms of recovery, with breaches creating potential existential financial threats that most struggle to overcome."
Recovery isn't just about paying a ransom. It includes:
- Lost revenue during downtime
- Reputation damage
- Legal fees and regulatory fines (GDPR violations)
- Customer compensation
- System reconstruction costs
For a business with razor-thin margins, this can mean closure.
The Testing Gap
Large enterprises use penetration testing and cyber ranges — controlled environments where security teams simulate attacks to find weaknesses before real attackers do.
But these approaches are rarely accessible to SMEs:
- Professional pen tests cost thousands of pounds
- Cyber range platforms require specialized infrastructure
- Most SMEs lack the expertise to interpret results
The question becomes: How can small businesses affordably test their defenses without enterprise budgets?
Enter the Red Team vs Blue Team Model
In cybersecurity, there's a proven methodology for testing defenses:
Red Team (Attackers)
Security professionals who think and act like real hackers. They probe systems, exploit vulnerabilities, and attempt to breach defenses.
Blue Team (Defenders)
The defensive side that monitors systems, detects intrusions, responds to incidents, and strengthens security posture.
By simulating this adversarial dynamic, organizations can:
- Identify vulnerabilities before attackers do
- Test the effectiveness of defensive tools
- Train staff on real-world attack patterns
- Build incident response capabilities
But again — this is typically an enterprise-only practice.
My Research Question
This led me to my dissertation research:
"How can SMEs effectively evaluate and improve their cybersecurity posture using affordable, reproducible red vs. blue attack-defense emulations?"
In other words: Can we build a realistic, enterprise-style testing environment using free, open-source tools that any SME could replicate?
The Approach: A Tiered Laboratory
I designed a three-tier virtual lab using VirtualBox (free virtualization software). Each tier represents a progressively more secure SME environment:
Tier 1: Minimal Security Baseline
- Single Windows 10 workstation
- Weak RDP credentials
- No monitoring or logging
- Goal: Show how easily attackers breach poorly secured systems
Tier 2: Basic SME Network
- Windows Server with Active Directory
- Domain-joined client machines
- Ubuntu web server running WordPress
- Basic logging (Windows Event Logs, Apache logs, Sysmon)
- Goal: Simulate a typical small business setup
Tier 3: Enhanced SME with Monitoring
- Everything from Tier 2, plus:
- Wazuh SIEM (free, open-source security monitoring)
- Fail2Ban (automated IP blocking for brute-force attempts)
- Centralized log analysis
- Goal: Demonstrate affordable enterprise-grade defenses
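As an added example (not code from the dissertation lab), this shows the kind of brute-force detection Tier 3 automates: the same "N failed logins from one source within a window" thresholding that Fail2Ban applies, here run over constructed Apache access-log lines for the WordPress login page. The parameter names maxretry and findtime are borrowed from Fail2Ban's jail options; the IP addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample Apache access-log lines (combined format); not captured from any real system.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def brute_force_sources(log_text, maxretry=5, findtime=600):
    """Return {ip: time_threshold_was_crossed} for sources that fail the
    WordPress login maxretry or more times within any findtime-second window.
    A failed wp-login.php POST re-renders the form (HTTP 200); a successful
    one redirects (302), so only 200 responses count as failures."""
    windows = defaultdict(deque)   # per-IP sliding window of failure times
    tripped = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not (method == "POST" and path.startswith("/wp-login.php") and status == 200):
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in tripped:
            tripped[ip] = ts
    return tripped
```

The second source makes one failed and one successful login half an hour apart and is never flagged; that is the difference between a legitimate user mistyping a password and the Tier 1 scenario where one host hammers the login endpoint.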
The Journey Ahead: A 5-Part Deep Dive
This research is structured as a tier-by-tier exploration of SME security. Each tier builds on the previous one, progressively adding defensive measures while testing the same attack techniques.
Part 2: Tier 1 — The Vulnerable Baseline
We'll start at rock bottom: a single Windows workstation with RDP exposed and weak credentials. I'll show you:
- How the lab is configured (deliberately vulnerable)
- Step-by-step Red Team attacks: brute-force, remote access, privilege escalation
- Why there's no meaningful Blue Team defense at this level
- Complete system compromise in under 10 minutes
Key question: How bad can it get with zero security controls?
Part 3: Tier 2 — Basic SME Network
Now we scale up to a realistic small business setup:
- The environment: Windows Server with Active Directory, domain-joined clients, Ubuntu web server running WordPress
- Red Team attacks: WordPress plugin exploitation (CVE-2020-25213), credential harvesting, lateral movement
- Blue Team defenses: Basic logging (Windows Event Logs, Apache logs, Sysmon), manual log analysis
- The feedback: What got detected? What slipped through? Where are the blind spots?
Key question: Can basic logging catch determined attackers?
Part 4: Tier 3 — Enhanced Monitoring
The final tier adds enterprise-grade (but free) defensive tools:
- Added defenses: Wazuh SIEM for centralized monitoring, Fail2Ban for automated IP blocking, custom detection rules
- Red Team challenges: Can we bypass the SIEM? What about automated blocking?
- Blue Team response: Real-time alerts, incident correlation, threat hunting
- The results: Measuring the 40%+ improvement in detection capability
- Tier comparison: Side-by-side analysis of what each maturity level caught
Key question: How much does open-source monitoring actually help?
Part 5: A Practical Security Framework for SMEs
We'll wrap up with actionable guidance:
- Complete cost breakdown (spoiler: it's cheaper than you think)
- Step-by-step implementation roadmap
- Prioritization framework: where to start with limited budget
- Lessons learned and mistakes to avoid
- Open-source tools that deliver enterprise-level protection
Key question: What should SMEs actually do on Monday morning?
Why This Tier-by-Tier Approach?
Most cybersecurity content either:
- Stays too high-level ("you should use a SIEM!")
- Jumps straight to advanced techniques without building foundation
This series walks you through the complete maturity journey — from nothing to strong defenses — using the exact same attack techniques at each stage. You'll see:
✅ What changes when you add each defensive layer
✅ What stays vulnerable despite best efforts
✅ Cost vs. benefit of each security control
✅ Real detection rates with actual log examples
By the end, you'll have a reproducible blueprint for defending small business networks.
Starting Point: Tier 1
In Part 2, we begin at the bottom. I'll show you exactly how I built a deliberately vulnerable Windows environment and compromised it using tools any attacker can download for free.
You'll see:
- Network diagrams and VM specifications
- Actual command-line attacks with screenshots
- Credential dumping with Mimikatz
- Why this matters to real SMEs today
No theory. No hand-waving. Just practical attacks and their consequences.
→ Continue to Part 2: Tier 1 — The Vulnerable Baseline
About This Research
This work was completed as part of my MSc in Cyber Security at the University of York, where I was awarded the Highest Performing Student Award for the cohort. The research was supervised by Dr. Vasileios Vasilakis.
All experiments were conducted in an isolated virtual lab with no connection to real-world systems. The goal is education and defense — not exploitation.