A UK pilot program designed to provide peer-led cybersecurity support to small and medium enterprises is preparing for significant expansion. The Cybersecurity Communities of Support (CyCOS), launched in late 2023 by researchers from the University of Nottingham, Queen Mary University of London, and the University of Kent, will grow from two to seven communities as it transitions from academic oversight to management by the Chartered Institute of Information Security (CIISec).
The program addresses a persistent gap in SME cybersecurity readiness. While awareness of cyber threats has grown, particularly following supply chain incidents, smaller businesses struggle to implement protective measures. According to the UK Cyber Security Breaches Survey, only 14% of micro businesses and 25% of small businesses are aware of Cyber Essentials, the government-endorsed certification program, compared to 56% of medium businesses and 64% of large enterprises. Professor Steven Furnell of the University of Nottingham noted that SME leaders often recognize cybersecurity risks but lack direction on how to respond effectively.
CyCOS operates through intentionally small groups, typically pairing two or three volunteer cybersecurity experts with eight or nine organizations. Each community provides support through regular thematic webinars, occasional in-person meetings, live question-and-answer sessions, and an online platform hosting discussion threads, polls, and recorded sessions. This mix of synchronous and asynchronous formats accommodates the limited schedules of small business owners. The five new communities will be organized around geographical locations, industry sectors, or supply chains, with participating SMEs volunteering to serve as facilitators using a standardized Community Toolkit.
Experts involved with the program emphasize that budget constraints, while real, are not the primary barrier to better cybersecurity. Helen Barge, principal at Howden and a volunteer with the Federation of Small Businesses, pointed out that essential controls like multifactor authentication cost nothing to implement. She also criticized some IT service providers for charging extra fees for basic security practices like timely patching, which is required for Cyber Essentials certification. The UK government has released accessible guidance, including the National Cyber Security Centre's Cyber Action Toolkit in 2025, but SMEs often need help navigating these resources.
As CyCOS transitions to CIISec management, the academic founders will step back from operational leadership while remaining involved. Amanda Finch, CEO of CIISec, stated that security professionals have a duty to help smaller organizations improve cyber resilience. The expansion aims to replicate the successful peer-support model across more communities, with participating SMEs taking on leadership roles. The program's leaders will discuss their approach at Infosecurity Europe 2026 in June, where they will present findings from over two years of pilot operations.
Source: https://www.infosecurity-magazine.com/news/cycos-expands-uk-smes-ciisec/


