Keep your business safe from harm by learning the methods behind cybercrime and the best ways to protect your firm from becoming a victim.
As the number of connected devices grows and the value of potential digital targets increases, the threat of cyber attacks is only getting larger. The UK’s Cyber Security Breaches Survey suggests half of businesses suffered some kind of cyber security breach or attempted attack in 2023, totalling approximately 7.78 million incidents.
With the threat of an attack ever looming, it is important for businesses to be on their toes. Thankfully, it’s not difficult to build the kind of resilience required to stay safe from online attackers. Small business cyber security is all about awareness. Here, we explain the threats to look out for, the best ways to minimise the potential for and impact of an attack, and what to do if the worst happens.
Any attack on a business – be it physical or digital – can lead to serious consequences and a significant disruption of business continuity. Cyberattacks might even be more damaging than the likes of theft or fire because they not only have the potential to cripple business operations but could also open up the victim to serious consequences, including:
Legal action if data is lost or leaked online
Breach of contract if an attack prevents services from being delivered
GDPR violations, leading to a fine of up to 4% of turnover
Small businesses, both new and established, often underestimate the importance of cyber security. They might even consider themselves unlikely targets, but today’s online criminals do not discriminate based on size. Indeed, SMEs can be even more vulnerable than other businesses since they may lack the proper resources and training to fight off threats. And small firms that work with larger companies may also become targets by association.
Business insurance is available that can provide cover against the potential aftermath of a cyber attack. Professional indemnity insurance, for example, may protect against expensive claims that occur as the result of data loss or disrupted business continuity.
Since most policies do not cover the loss of digital assets, some insurers have also begun introducing direct cyber insurance, designed to offer assistance in the wake of a cyber attack, provided that businesses follow strict cyber hygiene guidelines.
Cybercriminals are clever. They have learned to exploit a number of different digital avenues to gain access to systems, steal money from business bank accounts, destroy critical data and otherwise disrupt their targets. While their methods are always evolving, attacks tend to fall into the following categories.
Phishing scams are the simplest method of attack. They are also the most common and, arguably, the most effective. The similarity to the word ‘fishing’ is no coincidence: when phishing, cybercriminals cast a line – usually an official-looking communication, typically an email – to see who they can catch. Phishing typically relies on confidence tricks to pressure victims into entering sensitive information into a criminal-controlled website, at which point the criminals may be able to use it to compromise accounts, databases or entire networks.
Not every phishing attack is successful, and they can be quite obvious to the trained eye. But phishers rely on their victims being busy, stretched and letting their guard down – something that is all too easy during the working day.
The simplicity of phishing and the ease of automating it means attackers can quickly send thousands of emails to hundreds of potential victims. However, sometimes it leans more heavily on what is known as direct social engineering. For instance, ‘spear phishing’ combines deep research into an individual business with carefully crafted messages that are designed to look as realistic as possible. In recent years, attackers have begun using AI to emulate the writing style of individuals in power, such as IT managers or CEOs, adding more weight to fraudulent emails and making them much more difficult to detect.
The growth of AI is also increasing the use of non-email phishing attacks. Some attackers use AI models trained to emulate the voice of high-level employees over the phone, and the newest attacks are even beginning to leverage AI-generated video to attempt scams over the likes of Zoom and Teams.
Malware refers to any kind of rogue software. This could include:
Viruses: A virus is a malicious program typically designed to disrupt one computer or a network. An infection can leave one’s IT infrastructure unusable.
Keyloggers & spyware: Some malware is less obvious. Spyware may be hidden on computer hardware, sending data or keystrokes over the internet, enabling hackers to listen in on communications and steal passwords.
Fileless malware: A very recent development, fileless malware is even more difficult to find. Hackers have now learned ways to compromise the built-in components of a computer’s operating system. The resulting infections can be very difficult to detect and can remain hidden for years.
Any kind of malware infection could have serious consequences for business continuity, be that through a loss of data, the penalties associated with a data breach, or an inability to use computer systems.
Malware is often installed by accident when individuals run an innocuous-looking file. Occasionally, it may be installed on purpose by a hacker who has previously gained access to a network.
Ransomware is a kind of malware specifically designed, as its name suggests, to hold a user to ransom. It locks systems and encrypts their data with strong cryptographic keys, and it can affect a single machine or an entire network. The hackers use it to demand payment – usually in a cryptocurrency like Bitcoin – to restore the systems to working order.
Such attacks on the right target can be lucrative. Major businesses have been known to spend millions to get data back online. This is because the potential cost of business disruption will outweigh the ransom.
For small businesses, ransomware can be devastating. Hackers use it to extort, and they may ask for more than a business is able to pay – if, that is, the hacker can be trusted to release control of affected systems at all. In addition, recent ransomware attacks have seen hackers steal company data or secrets and threaten to pass them on.
Distributed Denial of Service (DDoS) attacks work by swamping an internet connection with data, slowing it down, or even preventing other connections. Such attacks can be highly disruptive, particularly for small businesses that rely on their online presence.
A hacker will usually conduct a DDoS strike by remotely activating a network of hundreds of malware-infected machines, known as a botnet. The users of these computers usually won’t know they’re part of the attack. They could be located anywhere in the world, and each will send its traffic from a different IP address, making their traffic very difficult to block.
While criminals use numerous technological methods to attack from afar, the source of an attack could also be closer to home. Employees typically have more direct access to systems. If these are not locked down appropriately, an attack could easily come from within.
Every business, no matter its size, must practise good digital hygiene, prepare itself to repel potential attacks, and take the necessary precautions to bounce back quickly if the worst happens. Creating a culture of strong cybersecurity is not daunting or difficult. It is an asset that keeps businesses afloat in difficult times.
No preventative measure is 100% effective. Cybercriminals regularly change their tactics and find new vulnerabilities to exploit. Before considering anything else, small businesses must ensure that their data is safe if the worst happens. This means taking comprehensive backups of everything important, following the 3-2-1 rule:
Make three copies of critical data
On at least two different kinds of media
And store at least one off-site
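As an added illustration (not part of the original article), a small Python checker that tests a backup inventory against the 3-2-1 rule above and also flags copies that have not completed recently, since a stale backup is not a usable restore point. The inventory, the seven-day freshness threshold and the convention that the live working copy counts as one of the three copies are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (not from the article) of where copies of one critical
# dataset live: media kind, whether it is off-site, whether it is the live
# working copy, and when the copy last completed successfully.
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "file server (live)", "media": "internal-disk", "offsite": False,
     "live": True, "last_ok": NOW},
    {"name": "office NAS", "media": "nas-disk", "offsite": False,
     "live": False, "last_ok": NOW - timedelta(hours=6)},
    {"name": "cloud object storage", "media": "cloud", "offsite": True,
     "live": False, "last_ok": NOW - timedelta(days=9)},
]


def check_321(copies, now=NOW, max_age=timedelta(days=7)):
    """Check an inventory against the 3-2-1 rule and report stale copies.

    Assumed threshold: a copy is stale if its last successful run is older
    than max_age. Stale copies still count towards the tallies, but the
    overall result only passes when every copy is fresh.
    """
    stale = [c["name"] for c in copies if now - c["last_ok"] > max_age]
    media = {c["media"] for c in copies}          # distinct kinds of media
    offsite = [c["name"] for c in copies if c["offsite"]]
    # Best restore point: the freshest copy that is not the live working copy.
    backups = [c for c in copies if not c["live"]]
    restore = max(backups, key=lambda c: c["last_ok"])["name"] if backups else None
    return {
        "copies_ok": len(copies) >= 3,
        "media_ok": len(media) >= 2,
        "offsite_ok": len(offsite) >= 1,
        "stale": stale,
        "restore_from": restore,
        "passes": len(copies) >= 3 and len(media) >= 2 and bool(offsite) and not stale,
    }


if __name__ == "__main__":
    for key, value in check_321(INVENTORY).items():
        print(f"{key}: {value}")
```

With the constructed inventory the three rule parts are met, but the off-site cloud copy is nine days old, so the check fails until that job is fixed.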
Cloud tools are great enablers, and they have changed the way many SMEs operate. While most are fully trustworthy, it’s important to research the credentials and reputation of any provider before signing up for a new cloud service. Be aware, too, that using the cloud means putting a lot of trust in a third party – a data breach within a cloud service provider could have ramifications that are passed down to the user.
Ensure that every possible security tool the cloud service offers is put to use, even if it slightly slows down business processes. Control access to such services carefully, and be careful to cleanly offboard employees as soon as they leave the company to prevent disgruntled individuals from stealing data or disrupting business. Also, be careful to read all terms and conditions, as cloud services often exclude themselves from liability in the case of data loss.
Phishing is by far the most prevalent cybercrime attack method, both because it is easy and because the biggest vulnerability of any business is its employees. It only takes one slip-up for credentials to be leaked or malware to be installed. It is, therefore, vital to instil a culture of awareness and education around cybersecurity practices and ensure all possible safeguards are in place, including:
Strong passwords: The easier a password is to remember, the easier it is to bypass through brute force. Implement a policy of using long passwords that mix special characters with upper- and lower-case letters, and use a different password for each service so that a breach of one does not lead to a breach of another.
Multi-factor authentication: MFA helps prevent unauthorised access to cloud services by adding a second layer of security. This is usually a security code sent to a mobile device, but options exist to use physical security keys, biometrics, or offline code generators.
Effective anti-malware: Protecting computers and networks with defensive software can be the difference between a minor nuisance and a major infection.
Employee training: Keep all staff informed of the risks associated with storing data in the cloud, the reason for using strong passwords, and the methods used by cybercriminals to perform attacks. In particular, try to teach employees how to avoid phishing scams. Many IT departments run periodic phishing tests to highlight employees who may be susceptible to such attacks.
Not every business has the expertise on hand to implement a rigid cybersecurity programme. Consider employing a third party to help train and advise staff if required. There are many accredited network security providers in the UK, but make sure any business you use is accredited by the National Cyber Security Centre. Consider Certified Information Security Manager (CISM) training if you’d like to get an internal IT specialist up to speed.
There are also free courses available – ISC2’s Certified in Cybersecurity (CC) qualification is a good start – and the police also offer resources, SME cyber security tips, and online training programmes that are available without charge.
Cyber attacks can be subtle. As discussed earlier, criminals often prefer methods which allow them to lurk undetected over those that immediately raise the alarm. Bear in mind that phishing emails, if ignored or filtered, do not constitute an attack – merely an attempt at one – but do look out for the following, which might indicate some kind of malware or compromised system within a small business:
Strange files: If files can’t be opened or have changed name, they may be infected or being otherwise altered by malware
Odd email behaviour: Peculiar emails in the outbox might suggest that an account has been compromised somewhere along the line
Problems logging in: If existing credentials stop working, it could be a sign that passwords have been changed by an attacker
Slow network connectivity: DDoS attacks can significantly degrade connection speeds
Good defences are active, not passive. SMEs should build a regular, proactive audit programme to check that they are doing everything possible – and to check that subtle attacks have not made their way into networks and computers.
This includes steps such as:
Ensuring software and firmware is up to date
Purging unused accounts
Safely decommissioning old hardware
Reviewing employee training
Checking compliance against new regulations and guidance
Every attack is different, and every business will be in a unique situation post-attack depending on the attack method used and the preparations the business has in place.
However, there are some steps that are universally applicable even if you only suspect an attack may have taken place:
Disconnect affected devices to prevent further spread of the attack
Change all passwords, using a password manager to generate strong passwords if required
Freeze access to services and accounts to ensure attackers lose their connection – this should include any business bank accounts
Inform clients and authorities if there is definite evidence of an attack
Remove the threat by thoroughly cleaning affected devices – this may be possible through a good anti-malware solution, or it could mean wiping drives and then reinstalling and reconfiguring in the case of more damaging attacks
Restore data from the most recent backup
Do not overwrite old backups if you suspect systems have been compromised
Investigate the potential cause of the attack – was it malware, a successful phishing attempt, a direct intrusion, or something else?
Change practices to ensure defences are in place to prevent further attacks
Check business insurance in case compensation is available
Business insurance is a way to protect your company against financial risk if things go wrong.