What makes Cyber Security for SMEs a completely different proposition is that they don’t have endless resources to keep throwing money at the problem. For example, not all small and medium-sized businesses even have a dedicated IT team, much less a team dedicated to small business Cyber Security.
That makes handling Cyber Security impact in any SME a fine balancing act where you need to be very mindful of:
- The specific threats your business is facing, their risk and their potential impact
- What resources – budget, personnel, time, etc. – you actually have to dedicate to Cyber Security (and whether you should be doing it yourself or cost-effectively outsourcing the management of the problem to an expert IT provider)
- The myriad Cyber Security guidelines and regulations you need to comply with to keep your business safe
This makes Cyber Security a complex and often expensive problem for SMEs to solve internally. And as more and more small businesses move to hybrid and remote working models, the associated risk is only increasing.
There is also the misconception that Cyber Criminals only target large-scale businesses in search of bigger payouts. Unfortunately, the truth is that small businesses are often viewed as low-hanging fruit by Cyber Criminals and can be their bread and butter, particularly businesses with limited resources and a low level of Cyber Security knowledge and infrastructure.
The combination of these two factors means that small business Cyber Security is ignored by many SMEs altogether, putting their staff, systems and business data at risk each and every working day. In fact, as many as 43% of SMEs have no Cyber Security plans in place, and up to 1-in-5 don’t even have effective endpoint security software (essential for protecting devices like desktops, laptops and mobile phones) in place at all.
That’s a costly mistake: a study by IBM and the Ponemon Institute estimates that Cyber Attacks on small businesses collectively cost $2.98 million in the UK alone, with a staggering 39% of businesses coming under attack here.
Which small business sectors are most vulnerable to cyber-attacks?
Being opportunists, Cyber Criminals are generally indiscriminate regarding what type of businesses they target. However, healthcare providers have seen a tremendous uptick in attacks in the wake of the COVID-19 pandemic. And SMEs active in financing, education, or government contracts are at higher risk.
But the reality is any small business can be a target and you should take steps to protect yourself.
What are the most common Cyber Security attacks against small businesses?
Unfortunately, the Cyber Threat landscape is vast. Not only is there a huge variety of attacks and Cyber Security impacts, but attacks are becoming more diverse and are continually evolving. Different types of Cyber Attacks employ different techniques. While roughly 93% of attacks are carried out in the hope of financial gain, some are perpetrated in a misguided sense of “vigilantism” or “fun.”
However, the impact on your business certainly doesn’t fall into the same category, with successful Cyber Attacks typically resulting in a combination of:
- Financial loss, often serious
- The loss of valuable IP or data including sensitive customer data
- Reputational damage and a loss of trust by the public and key business stakeholders
- Highly disrupted operations and loss of service including costly damage to hardware or software which needs replacing
- The threat of legal action due to non-compliance with regulations or negligence
All of which can be not only damaging for your business but potentially fatal if the hackers get their approach right.
These threats come in a wide variety of shapes and forms, and we take a closer look at some of them below:
Threat 1 – Phishing
Phishing is a common social engineering tactic whereby an attacker imitates a legitimate business or person, usually via email. Phishing is still surprisingly prevalent and involved in 36% of all business data breaches, according to Verizon. In fact, it is often used as a starting point for launching many other types of attacks inside the business once the hackers are “in”.
The hope is to convince the victim to give up sensitive information, which is usually financial in nature. However, in a business context, the target can also be sensitive company IP or access credentials to company systems. Attackers can also impersonate a colleague, senior member of staff or partner to trick the recipient into downloading malware which is hidden in Excel or Word documents.
And the bad news is that Cyber Criminals are getting increasingly good at creating convincing Phishing emails. Their shifting tactics mean they can bypass even the most vigilant email filters from time to time, which means that the best defence against Phishing attacks is educating and training employees to detect these attempts for themselves. Your email security software and security training also need to be regularly updated to stay ahead of hackers as the threats continue to evolve and become more sophisticated.
Threat 2 – Ransomware
Thanks to several high-profile ransomware incidents, including the global WannaCry rampage of 2019, ransomware is on everyone’s radar. According to Verizon, 10% of data breaches involved ransomware, but this is a figure that is doubling yearly.
In this case, the hackers effectively gain access to sensitive data in your business, encrypt it and hold it to ransom until you meet their specific demands. The primary threat from ransomware is being extorted for money or being put at risk of losing all your data. However, ransomware gangs have diversified their tactics, with potentially devastating consequences. Now, they don’t simply encrypt and delete your files but also extract a copy so that it can potentially be used again in future. This creates many opportunities for further extortion, from blackmailing employees or leaders to selling sensitive data on the dark web.
Unfortunately, the unpredictable nature of these Cyber Criminals means that you’re never sure when you’re in the clear, and there is no guarantee they will delete or release your data once you pay them.
Ransomware is often downloaded from malicious emails or websites. Once again, training and educating your employees to avoid suspicious files is vital as part of a wider small business Cyber Security plan. However, you will also need strong anti-ransomware security software installed on all your devices. It’s also essential to have an incident response and business continuity plan in place, in case a ransomware attack succeeds and you need to shift quickly from protection to remediation mode.
Threat 3 – Malware attacks
While ransomware might currently be the most concerning form of malware, it’s not the only type you should be wary of. Trojans are another type of malware that hides its true purpose to fool victims into downloading and installing it on their computer. There are many types of Trojans with different objectives, but all can be damaging in their own way.
Some Trojans, called keyloggers, try to steal passwords or other sensitive information by intercepting what a user types on their keyboard. Others are used to hide malware, infecting a device or secretly downloading even more malware in the background. Some Trojans even disable a computer or system by flooding it with dummy requests, similar to a DDoS attack. True to their name, Trojans open the gates for further attacks, which can range from ransomware infections to account theft.
In addition to Trojans, worms, bots, adware, spyware and rootkits are also common threats that your business should consider and be prepared for. The best solution to reduce the Cyber Security impact and risk here is to have an excellent anti-virus program that’s frequently updated and effective at detecting, quarantining and remediating a variety of threats.
Threat 4 – Credential theft and insider threats
Nearly 85% of attacks on businesses involve a human element of failure somewhere along the line, which means that every individual involved with your company is just as important a part of your security perimeter as your hardware, software, network or security software. And, as we all know, you’re only as strong as your weakest link.
This is particularly true in a remote and hybrid working dynamic, where personal security is more critical to overall business security than ever. Weak passwords are still one of the easiest ways for Cyber Attackers to infiltrate your systems. Once they have successfully authenticated as a legitimate user, the sky’s the limit for a Cyber Hacker in terms of what they can get up to inside your business.
Often, Cyber Criminals first target low-level employees to gain higher privilege access from the inside. Once they have access to your systems, they can then carry out any of the above attacks without even needing to resort to using malware.
You can address weak account security to a degree by enforcing strong passwords or using MFA (multi-factor authentication). However, you also need to prevent employees from accidentally or purposefully sabotaging your security 24/7, and that is where security training and a holistic approach to addressing your IT security needs are key.
Conclusion – Why it’s essential to have a risk-based Cyber Security approach
As you can see, there is no shortage of security risks facing SMEs. So having an effective small business Cyber Security plan in place is key.
However, operating with limited resources means prioritising your counter-measures based on risk. This means carrying out a thorough risk assessment to identify small business threats based on:
- How likely they are to happen
- The potential damage they could cause
- What (if any) countermeasures you have in place
This will allow you to shore up your most essential Cyber Defences first and reduce your risk profile.
This is where the services of an expert managed IT services provider with expertise in the Cyber Security impact on small businesses can be invaluable.
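As an added illustration (not part of the original article), the three questions above can be turned into a small risk register that ranks threats by the risk left over after existing countermeasures; the 1-5 scales, the control-effectiveness figure and the sample entries are assumptions:

```python
# Added example, not from the original article: a minimal SME risk register
# built on the three questions above (likelihood, potential damage, existing
# countermeasures). The 1-5 scales and sample figures are assumptions.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (business-ending)
    control_effectiveness: float  # 0.0 (no countermeasure) .. 1.0 (fully mitigated)


def inherent_risk(t: Threat) -> int:
    """Risk before any countermeasure: likelihood x impact (1..25)."""
    return t.likelihood * t.impact


def residual_risk(t: Threat) -> float:
    """Risk remaining after the countermeasures currently in place."""
    if not 0.0 <= t.control_effectiveness <= 1.0:
        raise ValueError(f"control_effectiveness out of range for {t.name}")
    return inherent_risk(t) * (1.0 - t.control_effectiveness)


def prioritise(threats: list[Threat]) -> list[Threat]:
    """Highest residual risk first; ties broken by impact so business-ending threats surface."""
    return sorted(threats, key=lambda t: (residual_risk(t), t.impact), reverse=True)


def uncontrolled(threats: list[Threat], threshold: int = 10) -> list[str]:
    """Names of threats with no countermeasure at all and inherent risk at or above threshold."""
    return [t.name for t in threats
            if t.control_effectiveness == 0.0 and inherent_risk(t) >= threshold]


# Constructed sample register covering the four threats discussed in the article.
SAMPLE_REGISTER = [
    Threat("Phishing", 5, 4, 0.5),                    # staff training and email filtering in place
    Threat("Ransomware", 3, 5, 0.0),                  # no tested backups or response plan yet
    Threat("Trojans and other malware", 4, 3, 0.7),   # updated anti-virus on every device
    Threat("Credential theft", 4, 4, 0.2),            # passwords only, MFA not yet rolled out
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE_REGISTER):
        print(f"{t.name:28} inherent={inherent_risk(t):2} residual={residual_risk(t):5.1f}")
    print("no countermeasure at all:", uncontrolled(SAMPLE_REGISTER))
```

In the sample register ransomware ranks first despite its lower likelihood, because nothing currently mitigates it; that is the kind of gap a risk-based plan addresses before spending on threats that are already partly covered.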
At Managed IT Experts we are an approved Cyber Essentials provider and can help you conduct a thorough risk assessment for your business. And help plan and implement a small business Cyber Security strategy to mitigate the threats you are facing – as part of a wider approach to Managed IT support.
Why not contact us today for a no-obligation discussion with one of our experts about your own needs, and get peace of mind around your business IT security?