Adrian Davis at the East Midlands Cyber Summit

Inside Cyber Security: How to evolve security culture in SMEs

EMCSC

Admin

Shifting security culture in a small or medium‑sized business can feel daunting – especially when busy teams are already stretched. 

For many small and medium‑sized businesses, “fixing” cyber security sounds expensive, technical and overwhelming. It gets pushed down the to‑do list behind sales, cashflow and hiring. 

Yet most incidents in SMEs don’t start with sophisticated hackers – they start with everyday habits. Think a rushed click, an unlocked screen, or a payment approved. 

Small businesses don’t need a huge budget or a full‑time security team to start shifting that culture. They need clear priorities, small experiments and a willingness to learn as they go.

That’s where cyber expert Dr Adrian Davis’s approach comes in. In his closing remarks at the East Midlands Cyber Summit, Dr Davis told delegates that SMEs don’t need a grand transformation programme. They need small, deliberate wins that slowly change “the way we do things around here”.

Start small and grow

His first recommendation is to start small. Instead of launching a company‑wide cyber culture initiative, pick one behaviour and a small group of people. That might be 10 staff in one team, and one simple target such as ‘lock your screen every time you leave your desk’ or ‘always check with a colleague before paying a new supplier’. Focusing narrowly makes it easier to design clear messages, answer questions and see what works before you roll anything out wider.

Select your champions

Next, find and support your champions. In every SME there are people who are naturally curious, keen to improve and influential with their colleagues. Dr Davis suggests giving them early visibility of what you’re trying to change, asking for their feedback on messages, and letting them test ideas in their teams. Their stories and enthusiasm will travel further than any policy email.

Measure gains made

Measuring progress is another route forward. If you don’t know what people understood before you spoke to them, you can’t know whether anything has changed. In practice, that can be as simple as a quick pulse survey, a short quiz, or tracking one metric (like the number of suspicious emails reported, or how many unlocked screens you see on a floor walk). The aim is to learn where you are, adjust your approach and show that effort is paying off.

Dr Davis also stresses the power of celebrating success rather than just pointing out failure. A balloon on a desk, a box of chocolates for the top quiz score, a namecheck in the company update – these light‑touch rewards send the message that ‘this behaviour matters and we appreciate it’. People like being associated with success – and visible recognition nudges others to follow.

For SMEs, the big lesson is that culture change is a marathon, not a sprint. Start with one behaviour, one team and one clear message. Measure what happens, back your champions, and celebrate each small win. Over time, those small wins add up to a very different security culture.

  • This post is part of a series based on content from speakers at the East Midlands Cyber Summit 2026. The Summit was delivered by East Midlands Cyber Security Cluster as part of its CyberGrowth programme.
