
Three Active Threats North Wales SMBs Should Know About Right Now

A Russian-backed DNS hijack, an urgent mobile device flaw, and phishing using legitimate IT tools. Three things worth checking this week.

By The Dragon Digital team


If you run a small business, you’ve probably heard “cybersecurity threats” mentioned enough times that it’s started to feel like background noise. Fair enough. But three things are active right now that genuinely do affect small businesses, and they’re worth a five-minute conversation with your IT provider this week.

Your Router Could Be Someone Else’s Front Door

The UK’s National Cyber Security Centre (NCSC) has confirmed that APT28, a Russian military intelligence unit, is actively breaking into routers and changing their DNS settings. The DNS settings are what tell your router where to send traffic when you visit a website or log into a service.

When they change those, they can intercept everything. Passwords, banking logins, email, authentication codes, the lot. A business owner in Colwyn Bay types her bank password into the browser; the attacker catches it before the bank ever sees it. The attack works because small office routers often run on default passwords and firmware that’s never been updated.

The NCSC advisory confirms this is ongoing and opportunistic, meaning attackers are casting a wide net and picking off whoever they can reach easily. Small office routers, including common TP-Link models, are a known target.

What to do: Ask your IT provider two simple questions: is your router firmware current, and have your DNS settings been verified as unchanged? If you manage the router yourself, change the admin password and check for firmware updates. If neither has happened in years, this week is the time.
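For whoever carries out the "have your DNS settings been verified as unchanged" check, here is one way to do it from the office computers. This is an added example, not code from the NCSC advisory or from Dragon Digital. The BASELINE addresses and both sample outputs are constructed; replace BASELINE with the resolvers your provider has on record.

```python
import ipaddress
import re

# Assumption: the resolvers your provider recorded as correct for this office.
BASELINE = {"192.168.1.1", "1.1.1.1"}

# Constructed sample of Windows `ipconfig /all` output (not from a real network).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# Constructed sample of a Linux/macOS /etc/resolv.conf.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 1.1.1.1
"""

def _ip(token):
    """Normalise an IPv4/IPv6 string (dropping any %scope); None if not an IP."""
    try:
        return str(ipaddress.ip_address(token.split("%")[0]))
    except ValueError:
        return None

def parse_ipconfig(text):
    """DNS servers from `ipconfig /all`, including unlabelled continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        candidate = m.group(1) if m else (line.strip() if in_dns else "")
        ip = _ip(candidate)
        in_dns = ip is not None  # the list ends at the first non-IP line
        if ip:
            servers.append(ip)
    return servers

def parse_resolv_conf(text):
    """DNS servers from resolv.conf `nameserver` lines, ignoring comments."""
    fields = (line.split("#")[0].split() for line in text.splitlines())
    return [_ip(f[1]) for f in fields
            if len(f) >= 2 and f[0] == "nameserver" and _ip(f[1])]

def unexpected_resolvers(observed, baseline):
    """Resolvers this machine was handed that are not in the recorded baseline."""
    allowed = {_ip(b) for b in baseline}
    return [s for s in observed if s not in allowed]

if __name__ == "__main__":
    print(unexpected_resolvers(parse_ipconfig(SAMPLE_IPCONFIG), BASELINE))
```

A computer that lists only the router (192.168.1.1 here) passes this check even if the router's own upstream DNS has been changed, so the router's admin page still needs comparing against the same baseline.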

A Flaw in Phone and Tablet Management Software

Ivanti EPMM is software that IT providers use to manage company phones and tablets centrally. A critical security flaw has been found in it, and CISA, the US cybersecurity agency, has ordered federal bodies to patch it by 10 May 2026, which reflects how seriously they’re treating the risk.

This only affects on-premises deployments, not the cloud version. But if your IT provider uses Ivanti to manage your business devices, they need to know about it and have confirmed it’s been patched.

What to do: Ask your IT provider whether they use Ivanti EPMM. If they do, ask for confirmation that the patch has been applied. If they use the cloud version (Ivanti Neurons), you’re not affected.

Phishing That Looks Like Your IT Provider

There’s a phishing campaign doing the rounds that bundles legitimate remote-access tools, the same kind your IT support company uses to log into your machines, into malicious emails. Staff receive something that looks like a document, open it, and a hidden installer runs in the background. Security monitoring often can’t tell the difference between this and your genuine IT provider connecting to fix something.

The result is the attacker gets persistent, quiet access that blends in.

This one is worth reading alongside why phishing training alone won’t protect your team any more, because the fix here is the same: process over instinct.

What to do: Brief your team on one rule: never run installer files that arrive by email, whoever appears to have sent them. If someone claiming to be IT support says they need remote access, stop replying to the email thread, call your provider on a number you already know, and confirm the request verbally before anything gets clicked.

Three separate issues, but the same underlying pattern: small businesses are easier targets when the basics haven’t been ticked off. If any of these feels unfamiliar, that’s the conversation to have with your IT provider today.
