Cybercrime is a multi-trillion pound black market industry. From hacking and malware to data theft, fraud and extortion, organised cybercrime syndicates cause enormous disruption to IT infrastructure, business operations and economies around the world. And they are often indiscriminate in the types of organisations they target.
Cybercrime is fuelled by opportunism. It’s easy to assume that, given the scale and sophistication of many of the criminal enterprises involved, they are only interested in going after the biggest fish. But the perpetrators of cybercrime understand only too well that the bigger the business, the more resources they have to pour into cybersecurity. SMEs are often viewed as easy targets.
That helps to explain why half of all UK SMEs have fallen victim to a cyberattack. Between 2019 and 2023, the average cost per cybersecurity breach for UK SMEs soared by 396%, with a total cost to the economy of £31.5bn.
Financial losses stemming from cyberattacks can include direct theft of assets, disruption to business operations, compensation payments and regulatory fines for data breaches, and the cost of repairing, restoring and resecuring systems. More indirect costs include the longer-term reputational damage that a security breach can cause.
The rising financial risks associated with cybercrime are encouraging more and more SMEs to invest in robust preventative measures. In this guide, we’ll outline what the biggest cybersecurity risks to SMEs are, and the top five strategies every small business should follow for keeping their business safe.
Understanding Digital Security Threats
Malware, viruses, ransomware, phishing… cyber threats come in various forms, and are known by many different names. But what do they actually mean, and what is the risk they pose to your business?
Here are five of the most common threats small businesses face.
1. Phishing & Social Engineering
Phishing is by far the most common of all types of cyberattack, with around 680,000 victims in the UK alone in 2023. But it’s actually one example of a whole family of cyberattack tactics known collectively as social engineering – as in, ‘engineering’ a desired outcome through manipulation, trickery and coercion.
Phishing is social engineering via email. The classic example is an email that looks as if it comes from a known and reputable source (your bank, a client, a supplier) but is actually a fake. The email asks you to click a link or open an attachment to deal with some urgent matter. Doing so either installs malware on your system (see below) or takes you to a convincing copy of a real login page, where the username and password you type in are captured and later used to get into your accounts or systems.
Other forms of social engineering include smishing, which is phishing by SMS text message, vishing, which is phishing by phone call, and techniques like baiting and quid pro quo, which lure people into traps by offering incentives or services. A related tactic is the Trojan Horse: malware disguised as a legitimate program, download, attachment or online ad, which relies on the victim choosing to open or run it.
Social engineering attacks disproportionately target small businesses, with one study finding that businesses with fewer than 100 employees experience 3.5 times as many phishing and similar threats as their larger counterparts.
2. Malware
Malware is the general term for any kind of malicious software used to carry out attacks or execute unwanted, unauthorised actions on a computer system. Malware can attack any part of an IT system, including other software, devices, networks and servers. Malware is commonly distributed by criminal gangs using social engineering tactics like phishing.
There are numerous types of malware. The most common and best-known are computer viruses. A virus is a piece of code that attaches itself to other software or files and, once the infected program is run, copies itself into further programs. For a virus to spread from machine to machine, the infected file has to be carried to a new device and opened there, which is why viruses depend on the trickery of social engineering, or on an attacker who already has a foothold inside the system. Worms share the ability to self-replicate but need neither a host program nor a user to run them: they send copies of themselves across a network automatically, exploiting known vulnerabilities in unpatched systems.
Another important category of malware is spyware, which sits on a device and tracks the user's behaviour, including what they type. Spyware can be used to steal passwords, account details and other sensitive data.
3. Ransomware
Ransomware is a particular type of malware that has gained widespread notoriety in recent years. It has one very specific purpose: to extort money from victims. Typically it encrypts files, databases and backups it can reach so that they can't be used, then demands payment for the decryption key. Increasingly, attackers also copy data out before encrypting it and threaten to publish it if the ransom isn't paid, so having good backups limits the disruption but does not make the demand go away.
Ransomware has been responsible for some of the largest cyberattacks in history, and targets frequently include large corporations, banks and public authorities. In a few notorious incidents the ransomware was built into a worm that spread across networks on its own, shutting systems down wholesale. More commonly, though, the attackers gain access first, usually via phishing, stolen credentials or an unpatched internet-facing system, move through the network by hand to find the systems and backups that matter, and only then deploy the ransomware as the final step.
While larger ransomware incidents make headlines, more than 80% of ransomware attacks target businesses with fewer than 1000 employees.
4. Distributed denial of service (DDoS) attacks
Like ransomware, DDoS attacks aim to disrupt an organisation's IT infrastructure, often with the intention of extorting money to call the attack off. But the means of causing the disruption is different. Instead of planting malware on the victim's systems, a DDoS attack floods the victim's web servers or internet connection with bogus requests, usually sent from thousands of compromised machines at once (a botnet), so that genuine traffic can't get through. The effect is a website or service that is crawling or completely unreachable, hence 'denied service'. Because the flood comes from many sources at once, it can't simply be blocked by address, which is why most small businesses rely on the DDoS protection offered by their hosting or content delivery provider rather than on their own firewall.
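To make the 'genuine traffic can't get through' problem concrete, here is an added example (not code from the original article) of the per-client token-bucket rate limiting that web servers and reverse proxies use as a first line of defence: a legitimate visitor keeps being served while a single flooding source is throttled. The IP addresses, request stream and thresholds are constructed for the example. Note the limitation, which is the whole point of the 'distributed' in DDoS: per-source limiting only works while the flood comes from a handful of sources, so against a real botnet you need upstream protection from your hosting or CDN provider.

```python
"""Per-client token-bucket rate limiting, the basic building block of
DDoS mitigation. Added example, not code from the original article."""

from collections import Counter


class TokenBucket:
    """Each client gets a bucket holding up to `burst` tokens that refills at
    `rate` tokens per second. A request is served only if a token is
    available, so a client may burst briefly but cannot sustain a flood."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the bucket size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (a source IP here; an API key or session
    token would work the same way)."""

    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def check(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def constructed_traffic():
    """Constructed request stream of (seconds, source IP), not real traffic:
    one legitimate visitor clicking about once a second for 30 seconds and
    one attacker firing 100 requests within the first second."""
    legit = [(float(t), "198.51.100.5") for t in range(30)]
    flood = [(i / 100.0, "203.0.113.9") for i in range(100)]
    return sorted(legit + flood)


def simulate(requests, rate=5.0, burst=10):
    """Run the stream through the limiter; return per-client allowed and denied counts."""
    limiter = RateLimiter(rate, burst)
    allowed, denied = Counter(), Counter()
    for now, client in requests:
        if limiter.check(client, now):
            allowed[client] += 1
        else:
            denied[client] += 1
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = simulate(constructed_traffic())
    for client in sorted(set(allowed) | set(denied)):
        print(f"{client:15} allowed={allowed[client]:3} denied={denied[client]:3}")
```

With a bucket of 10 and a refill of 5 per second, the attacker gets its first 10 requests through and then only about one in twenty, while the visitor at one request per second never runs out of tokens. The same idea, applied per source at the network edge, is what the "rate limiting" setting in most firewalls, load balancers and CDN dashboards does.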
5. Insider Threats
In cybersecurity speak, insider threats are risks that originate with people inside the organisation: employees, contractors and partners who already have legitimate access. Most insider threats are not malicious. They stem from poor password and access habits, lax security arrangements and simple human error, although a disgruntled or bribed insider who abuses their access is also a real, if rarer, threat.
These weaknesses provide an 'in' for cybercriminals to exploit, such as phishing attacks preying on unsuspecting members of staff to get them to hand over login details, or out-of-date security patches allowing worms and ransomware to infect a system.
Arguably the most common insider threat is poor password management. Weak passwords allow criminals into systems simply by guessing them, or by trying every possible combination in turn, an approach known as a brute force attack. Reusing the same password across services is just as dangerous: when one service is breached, criminals take the leaked email and password pairs and try them automatically against other sites, a technique known as credential stuffing, which can give them far-reaching access from a single leak. Password-related compromises are involved in a large proportion of data breaches and cyber fraud.
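As an added example (not from the original article), here is how the two password attacks just described look different in a login log, and how a short script can tell them apart: a brute-force attacker hammers one account with many guesses, while a credential-stuffing attacker tries many accounts with one or two leaked passwords each. A successful login from a source that has just been doing either is the signal to act on. The log lines, their format, the IP addresses and the thresholds are all constructed for the example.

```python
"""Spot brute-force and credential-stuffing patterns in a login log.
Added example, not code from the original article."""

import re
from collections import defaultdict

# Constructed sample log (not real data). The line format is an assumption
# made for this example: "<timestamp> src=<ip> user=<account> result=<success|failure>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice result=failure
2024-05-01T09:00:03Z src=203.0.113.7 user=alice result=failure
2024-05-01T09:00:04Z src=192.0.2.10 user=gina result=failure
2024-05-01T09:00:05Z src=203.0.113.7 user=alice result=failure
2024-05-01T09:00:06Z src=198.51.100.23 user=bob result=failure
2024-05-01T09:00:07Z src=198.51.100.23 user=carol result=failure
2024-05-01T09:00:08Z src=192.0.2.10 user=gina result=success
2024-05-01T09:00:09Z src=198.51.100.23 user=dave result=failure
2024-05-01T09:00:10Z src=203.0.113.7 user=alice result=failure
2024-05-01T09:00:11Z src=198.51.100.23 user=erin result=failure
2024-05-01T09:00:12Z src=198.51.100.23 user=frank result=success
2024-05-01T09:00:13Z src=203.0.113.7 user=alice result=failure
2024-05-01T09:00:15Z src=203.0.113.7 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Thresholds are assumptions for the example; tune them to your own baseline.
BRUTE_FORCE_FAILURES = 5      # many failures against ONE account from one source
STUFFING_MIN_ACCOUNTS = 4     # failures spread across MANY accounts from one source...
STUFFING_MAX_PER_ACCOUNT = 2  # ...with only a try or two each (leaked pairs, not guessing)


def parse_log(text):
    """Turn log text into a list of event dicts, skipping lines that don't match."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]


def analyse(events):
    """Return a sorted list of (kind, source, account, count) findings."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed logins
    successes = defaultdict(set)                      # src -> accounts logged into
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    findings = []
    for src, per_user in failures.items():
        for user, n in per_user.items():
            if n >= BRUTE_FORCE_FAILURES:
                findings.append(("brute_force", src, user, n))
        if (len(per_user) >= STUFFING_MIN_ACCOUNTS
                and max(per_user.values()) <= STUFFING_MAX_PER_ACCOUNT):
            findings.append(("credential_stuffing", src, "*", len(per_user)))

    # A successful login from a source already flagged for attack activity is
    # the strongest indicator that an account has actually been compromised.
    flagged_sources = {src for _, src, _, _ in findings}
    for src in flagged_sources:
        for user in successes.get(src, ()):
            findings.append(("login_after_attack", src, user, 1))
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, user, count in analyse(parse_log(SAMPLE_LOG)):
        print(f"{kind:20} src={src:15} account={user:6} count={count}")
```

In the sample, 203.0.113.7 is flagged for brute-forcing alice and then logging in as her, 198.51.100.23 is flagged for stuffing four accounts and then logging in as frank (a pair that worked first time, so frank's password was already in a leak), and the ordinary user gina, who mistyped once, is not flagged at all. The "login after attack" findings are the ones that should trigger a password reset and a check of what those sessions did.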
Five Cybersecurity Strategies to Protect Your Business
Understanding the nature of the threats cybercrime poses to your business is the first step to effective cybersecurity. From there, you can move to taking preventative action to shore up your defences.
Here are five cybersecurity strategies every small business owner should prioritise.
1. Make cybersecurity a training priority
It is estimated that anywhere between 74% and 95% of all cyber-attacks and data breaches occur as a result of human error. So while criminal hacking gangs are undoubtedly smart, most of the time they are looking to exploit a lack of awareness and/or knowledge in their targets, rather than relying solely on advanced technical trickery.
That means that a large proportion of attacks can also be thwarted through effective training. People fall for phishing attacks because they don’t know the red flags to look out for that give away the fact that an email is fake. Similarly, stopping people using the same weak passwords across multiple accounts is partly a matter of raising awareness (more on this below).
Cybercriminals do not discriminate in how they try to target a business. Every email address, every user account, every device is a potential way in, which means every individual within a company is on the frontline of cybersecurity. Prioritising training and education around cybersecurity, and empowering all employees to take effective preventative measures, is one of the most effective ways any small business can protect itself.
2. Implement a strong password policy
As we've touched on already, one of the preferred methods hackers use to gain access to private accounts, databases, servers and more is simply stealing or guessing passwords. Up to 80% of all data breaches are believed to involve lapses in password security.
Poor password protocols are an easy target for cybercriminals. But equally, improving how passwords are used in your business is a relatively easy win that can have a major impact on security.
A strong password policy starts with educating your staff about what makes a strong password. The basic principle is that the longer and more random a password is, the harder it is to guess or crack by 'brute force' trial and error. Length matters more than forced complexity: a minimum of 15 characters is a sensible floor, and three or four unrelated words strung together (the approach the UK's NCSC recommends) is both long and memorable, with or without added numbers and symbols. Passwords should never be reused across different accounts, so that a breach of one service can't be turned into a credential stuffing attack on the others. Routine expiry every few months is no longer recommended by the NCSC or NIST, because it pushes people towards predictable variations of the same password; instead, change a password promptly whenever you suspect it has been exposed. And wherever an account supports it, switch on multi-factor authentication, so that a stolen or guessed password alone is not enough to get in.
To ease the administrative burden, use a password manager. These programs generate long random passwords, store them encrypted behind a single master passphrase, and fill them in automatically for each account, so nobody needs to remember or reuse anything. Most will also flag passwords that are weak, reused across accounts or known to have appeared in a data breach. Protect the manager itself with a strong master passphrase and multi-factor authentication, since it becomes the most valuable account your staff hold.
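The following added example (not code from the original article) turns the policy above into a check you could run when staff set a password: a minimum length, rejection of repeated patterns and of the user's or company name, a passphrase exception to the character-class rule, and a lookup against a corpus of passwords known from breaches. The breach corpus here is a constructed stand-in embedded in the file; in practice you would query the Have I Been Pwned range API, which the prefix lookup below mimics. Rule names, thresholds and the sample usernames are assumptions for the example.

```python
"""Password-policy check combining length, pattern, personal-name and
breach-corpus rules. Added example, not code from the original article."""

import hashlib

MIN_LENGTH = 15          # the article's recommended minimum
PASSPHRASE_LENGTH = 20   # at this length a single character class is acceptable

# Constructed stand-in for a breached-password corpus (not real breach data).
# Have I Been Pwned publishes SHA-1 digests and lets you query by the first
# five hex characters so the password itself never leaves your machine; the
# same kind of digests are embedded here so the example runs offline.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password123!", "qwerty123456789", "letmein12345678")
}


def in_breach_corpus(password):
    """Range-query style lookup: take every digest sharing the 5-character
    prefix, then compare the remaining suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    suffixes = {d[5:] for d in BREACHED_SHA1 if d.startswith(prefix)}
    return suffix in suffixes


def is_repetitive(s):
    """True if s is a shorter string repeated, e.g. 'abcabcabc' or 'aaaaaaaa'."""
    return len(s) > 1 and (s + s).find(s, 1) != len(s)


def character_classes(s):
    classes = set()
    for ch in s:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def check_password(password, username="", org=""):
    """Return a sorted list of the rule names the password breaks; [] means accepted."""
    problems = set()
    if len(password) < MIN_LENGTH:
        problems.add("too_short")
    if is_repetitive(password):
        problems.add("repetitive")
    # Long passphrases may be all lower case; shorter passwords need some mix.
    if len(character_classes(password)) < 2 and len(password) < PASSPHRASE_LENGTH:
        problems.add("single_class")
    lowered = password.lower()
    if any(t and len(t) >= 3 and t.lower() in lowered for t in (username, org)):
        problems.add("contains_name")
    if in_breach_corpus(password):
        problems.add("breached")
    return sorted(problems)


if __name__ == "__main__":
    for pw, user in [("password", "alice"), ("Password123!", "bob"),
                     ("aaaaaaaaaaaaaaaaaa", "bob"),
                     ("correct horse battery staple", "alice"),
                     ("AcmeLtd-Invoices-2024", "dave")]:
        print(f"{pw!r:32} -> {check_password(pw, user, org='Acme') or 'OK'}")
```

Notice that "Password123!" satisfies the traditional upper/lower/digit/symbol rule and still fails, because it is short and already in the breach corpus, while the plain four-word passphrase passes every check. That is the practical reason length and breach checking now carry more weight than complexity rules.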
3. Use encryption and access control for damage limitation
The idea of limiting damage if and when breaches occur is an important principle in cybersecurity. At the forefront of this is encryption. Encryption turns data into ciphertext that can't be read without the right decryption key, and modern algorithms are, for all practical purposes, impossible to break by brute force. So if an attacker steals a laptop, a backup drive or a copy of a database file, the encrypted data is useless to them. The caveat is that encryption only protects data from someone who doesn't hold the key: an attacker who logs in with a stolen password sees exactly what the legitimate user sees. Encrypt laptops, phones and backups, use HTTPS and other encrypted connections for data in transit, and guard the keys and the accounts that can use them as carefully as the data itself.
Another important way to limit damage from cyberattacks is to have appropriate access controls and permissions in place. This boils down to the principle of least privilege: give each user access only to the systems and data they actually need for their job, especially for the most sensitive systems and apps, and remove it when they move role or leave. The fewer accounts that can reach a given part of your IT infrastructure, the fewer there are for hackers to steal or guess passwords for, and the less an attacker can reach with any one compromised account.
The modern approach to IT infrastructure makes access control more complicated because it's founded on connecting everything together, with cloud services, home workers and suppliers all reaching into your systems. That means many more potential routes into any given app or system, often extending far beyond the boundaries of an individual organisation, and the old assumption that anything inside the office network can be trusted no longer holds. This has led to the rise of zero trust as an access control principle. Zero trust starts from the stance that no user or device is trusted by default, wherever it is connecting from: every request is checked against who the user is, whether their device is healthy and up to date, and what they are permitted to do, and access is granted only to the specific resource requested rather than to the network as a whole.
4. Secure everything
Anti-virus and other forms of anti-malware software are undoubtedly the best-known types of cybersecurity products. But anti-virus software does one particular job: it looks for malicious code on a device, whether when a file arrives, when it is opened or during a scheduled scan, and aims to quarantine and remove what it finds.
No anti-malware software is 100% effective. Malware adapts all the time and is specifically designed to evade even the very best detection systems. Robust cybersecurity strategies therefore need to do more than seek and destroy. They also need to stop malicious code getting into systems in the first place.
Securing every possible entry point into a business IT system or network is as difficult as rooting out every virus, but there is a combination of tools and approaches you can use. Firewalls are a mainstay defence. They sit between your network and the internet and filter traffic in both directions according to rules, so that only the connections you have deliberately allowed (your website, your email, your remote access service) can reach the systems behind them. Start from a default of blocking everything inbound and open only what you need; everything else on the network is then shielded from direct contact with the internet.
Other things to consider are how to secure your WiFi network. WiFi can provide hackers with a route into the rest of your business systems and is often a major security weak point. For starters, keep guest or customer WiFi on a separate network that cannot reach your business systems. The business network itself should use WPA2 or WPA3 encryption with a long passphrase, tight control over who knows that passphrase, and a change of passphrase when staff who knew it leave.
If employees regularly access your network remotely, for example when working from home, use a VPN (or an SD-WAN, a software-defined wide area network, if you connect several sites) so that traffic between their devices and your systems is encrypted wherever they are. Require multi-factor authentication on the VPN or remote desktop service itself, since an internet-facing remote access login protected by a password alone is one of the most common ways ransomware gangs get in.
5. Stay up to date
However sophisticated and strong the protections against digital crime become, the stock in trade of hacking gangs is continual innovation to find new ways around them. For that reason, cybersecurity requires continual vigilance.
One of the most important things businesses can do to keep alert and protected is to stay on top of updates. It’s essential to keep your anti-malware software and firewalls up to date for starters, as the developers of these products are continually researching new threats and releasing new versions that cover them.
It's equally important to update all your other software, firmware and operating systems whenever new versions are released. New releases contain security patches that fix weaknesses that hackers and malware can exploit. Attackers routinely pick apart those patches to work out what was fixed, then scan the internet for systems that haven't applied them, so running old versions in effect means leaving in place vulnerabilities that cybercriminals already know how to exploit. Turn on automatic updates wherever you can, keep an inventory of the devices and software you run so nothing is forgotten, and treat patches for anything exposed to the internet (routers, firewalls, VPNs, web servers) as urgent.
Final Thoughts on Cybersecurity for SMEs
Nearly all businesses these days are digital businesses to some degree. If you sell goods and services online, if you take digital payments, if you keep a digital customer database, critical parts of your business are exposed to the threats that cybercrime poses.
Robust cybersecurity does require commitment and investment. But these days, that investment should be considered an essential part of risk management. From disruption to operations to theft and extortion to the potential for reputational damage and lost custom, small businesses cannot afford the losses that falling victim to cybercrime can cause. Investing in cybersecurity should therefore be viewed in terms of protecting your margins, your stability and your future prospects.
Talk to our specialist SME finance team about how to build investment in cybersecurity into your financial plans.