“We've got two or three experts and eight or nine organizations within each community, which keeps groups large enough to be useful but small enough to be personal,” said Steven Furnell, professor of cybersecurity at the University of Nottingham, describing how a UK pilot is testing a peer-led model of cyber support for smaller firms.
How CyCOS operates day to day
Cybersecurity Communities of Support (CyCOS) began in late 2023 as a research-driven pilot led by academics from the University of Nottingham, Queen Mary University of London and the University of Kent. The pilot established two professional communities: one for micro businesses and another for small and medium enterprises (SMEs). Each community is intentionally small and supported by volunteer cyber practitioners so members can build trust, share experience and obtain timely, practical help.
CyCOS combines synchronous and asynchronous activities to fit SME schedules. Its methods include:
- regular thematic webinars and occasional in-person meetings;
- plenary sessions that bring communities together for broad briefings and cross-community discussion;
- live “Ask Me Anything” sessions in which volunteer cyber experts field members’ questions in real time;
- a support-broker online platform that hosts community threads, polls, session recordings and ad-hoc Q&A; and
- recordings and shared resources so members who cannot attend live still benefit.
Expansion to seven communities and the CIISec handover
After more than two years of academics running the project, CyCOS is entering a new phase. The announced expansion will add five new communities, bringing the pilot cohort from two to seven. That growth coincides with the end of the academic funding phase and a planned transition of operational leadership to the Chartered Institute of Information Security (CIISec), which is already a CyCOS partner.
“CyCOS as a concept of cybersecurity communities of support will still exist but will be promoted within CIISec. As for us academics, we’ll still be around too, just not running the projects like we used to,” Furnell said. Amanda Finch, CEO at CIISec, told Infosecurity the organisation was “proud to be involved” and framed the handover around a professional duty of care to smaller organisations.
Community Toolkit and SME facilitators
The five new communities were each founded by SMEs that volunteered to act as facilitators and “beacons within those communities,” Furnell said. He declined to provide additional detail about the new groups at this early stage, but explained that prospective facilitators were chosen because they “feel they can attract a suitable number of other SMEs to join a community.”
Leading SMEs have been provided with a “Community Toolkit” to recruit members, establish a community and operationalise the model. The toolkit is intended to standardise replication so responsibility can transition cleanly to CIISec. CyCOS communities can be built around geography, a sector or even a supply chain, according to Furnell.
SME awareness of government schemes and practical barriers
Academics working on CyCOS say the core difficulty for many small firms is not a lack of awareness that cyber hygiene matters but uncertainty about where to find resources and expertise to act. Furnell observed that smaller firms are less aware of government programmes: citing the UK Cyber Security Breaches survey, he noted that awareness of the Cyber Essentials scheme was 64% among large businesses and 56% among medium businesses, but just 25% of small businesses and 14% of micro businesses.
Helen Barge, principal and head of digital resilience services at Howden and a volunteer within the Federation of Small Businesses (FSB), pushed back on budget being the principal barrier. She said some controls — citing multifactor authentication (MFA) as an example — “actually don’t cost any money,” while acknowledging that other measures such as patching can be costly. Barge highlighted the National Cyber Security Centre’s (NCSC) Cyber Action Toolkit, released in 2025, as “brilliant guidance” available to SMEs.
Barge also criticised certain vendor practices toward SMEs. She described an example where an IT provider charged extra for patching within 14 days — a requirement to obtain Cyber Essentials — saying “that’s not acceptable: a cleaner doesn’t charge me extra for a buying a bottle of bleach, that’s part of the service.” She balanced that criticism by noting some SMEs “are doing amazing things” and stand out in their cyber hygiene.
What this means for CIISec, SME facilitators and cyber volunteers
- CIISec: will take on promotion and operational responsibility for the CyCOS concept, integrating the communities into the professional body's activities, according to Amanda Finch.
- SME facilitators: firms that volunteer to found new communities will use the Community Toolkit to recruit peers and run local or sector-based groups, then hand day-to-day operation to CIISec as the academic phase winds down.
- Volunteer cyber practitioners: the model depends on volunteers providing synchronous support (AMAs, webinars) and participating in the online support-broker platform; sustaining that volunteer base will be a practical necessity for the expanded cohort.
Steven Furnell, Amanda Finch and Helen Barge are scheduled to appear on the Infosecurity Europe 2026 keynote stage for a panel titled “Communities of Support: Scaling Practical Cyber Help for SMEs” on Thursday, June 4 (11:50–12:30). Furnell will also run cyber gamified activities at Infosec Sidequest, and CIISec will be at Booths #F155 and #F157.
As CyCOS moves from an academic pilot to a CIISec-promoted programme, the core question left by the project’s architects is operational: which SMEs will step forward as facilitators, and how effectively CIISec and volunteer experts can scale a trust-driven, small-group model from two communities to seven while preserving the “personal” dynamic Furnell says makes the groups useful. Read the original Infosecurity story here.




