Cyber Security

Why are small businesses such a compelling proposition for cyber attackers?

7th Aug 2024 | 15 min read


Cyber security should be a top concern for every business.

Imagine if a stranger tricks your staff and hacks into a system, giving them access to all your data. From there, they can do whatever they please – including conducting blackmail, fraud or completely locking you out.

It’s a nightmare situation. Yet, despite this risk, many businesses aren’t on top of their cyber security. This especially applies to SMBs, which often deprioritise their security in the false belief that it won’t ever happen to them.

The stats prove small businesses are a common target of cyber crime, accounting for 43% of all cyber attacks. Plus, a successful attack is potentially ruinous for a small business when you examine the impact on finances and resources.

We explore why small businesses are seen as an easy target for criminals and the action to take to prevent yours falling victim.

 

Small business cyber attacks: the stats_

The stats paint a worrying picture for small businesses when it comes to cyber attacks. Here is the key data you need to know:

The stats overwhelmingly show that cyber crime is a frequent risk, yet one that many small businesses do not know how to handle.

On top of this, the Cyber Security Breaches Survey 2024 found that cyber attacks are on the rise. Half of all UK businesses faced a cyber security breach last year, up from 32% the year before. This shows that cyber crime is an increasing issue that businesses need to face now.

 

Why do cyber criminals target small businesses?

Small businesses commonly think they won’t be targeted by cyber criminals. Many assume they are small fry that criminals won’t be bothered about. However, the data shows this isn’t the case.

In fact, small businesses are often much less effort for criminals. While there are fewer gains to be won compared to larger enterprises, the low effort gives attackers returns that make it worthwhile. They can target small businesses faster, and with a higher chance of success.

Many small businesses suffer from a lack of robust tools to prevent attacks. Outdated systems, reduced security measures and unpatched software weaken defences, giving criminals an easy in.

On top of this, there is commonly a lack of in-house security experts, leading to less awareness. Staff are more likely to fall for hacking attempts or fail to detect suspicious activity.

These businesses also won’t have Security Information and Event Management (SIEM) systems in place, which offer threat detection and prevention. As a result, businesses can’t respond to attacks promptly.

Attackers therefore face less risk targeting small businesses than corporates. Large corporations are under constant scrutiny for security breaches, which can lead to hefty fines and damage their reputation. Due to this, they must be on top of their security. Small businesses, on the other hand, face less scrutiny, making them a less risky target.

These factors combine to grant criminals easy access to IP, finance records and other valuable data. When this happens, your business becomes susceptible to non-compliance action, system outages, financial losses and more.

When an incident does occur, many small businesses also do not have a plan in place to respond effectively. This can lead to confusion and delays, and extend the damage.

Furthermore, small businesses can cause issues across the whole supply chain. If they fall victim to an attack, it can lead to their customers and partners being compromised, which may in turn leave their customers’ customers vulnerable. This can continue across long chains and may make them even more appealing to attackers.

Due to this, compliance is a core factor many partners will look at when considering businesses to work with. If small businesses fail to be compliant, they will find themselves locked out of opportunities and struggling to enter new markets.

With vulnerabilities to be exploited, it’s no surprise that cyber criminals are targeting small businesses – and the results can be catastrophic. But the good news is it’s something you can protect yourself against.

 

The common cyber security mistakes small businesses make_

We’ve seen that weak defences make small businesses an easy target for cyber criminals. These weak defences are often caused by simple mistakes or a lack of provisions that can be rectified with robust solutions, stronger security policies and increased investment of resources.

Below, we’ve listed the common mistakes that you should seek to fix and avoid:

 

1. Poor password hygiene_

It’s human nature to pick passwords that are memorable. Unfortunately, these passwords are often weak and easy for hackers to guess.

Most businesses suffer from staff reusing passwords or using passwords that are easily connected to them (such as pets’ names). However, it’s crucial to advise staff to opt for stronger passwords that are unique and far removed from them.

 

2. Outdated or patchwork solutions_

Systems get outdated over time. The move to remote working after the pandemic has sped up this process, with many solutions not built for the modern workplace.

Old systems won’t benefit from the latest security features, making them a weak point in your security. In some cases, businesses will attempt to work around this by adding new technologies to fill the gaps and extend functionality.

However, often this leads to a disconnected patchwork of solutions. Again, this leaves vulnerabilities which attackers can exploit. Instead, you need aligned tools and software that build a strong perimeter around your IT estate.

 

3. Lack of encryption_

Encrypted data is much harder for criminals to hack into. It scrambles data so that it is unreadable without a decryption key.

However, a huge 83% of small businesses do not encrypt their data.

If a device with access to your business data, such as an employee’s mobile phone or laptop, is stolen or lost, it can lead to serious data breaches. This risks your customers’ privacy, leaving them susceptible to identity theft, and could leave you liable to fines, legal action and reputational damage.

With encryption, even if a portable device is lost, your data remains protected.

 

4. Lack of staff education_

With limited resources, it’s unrealistic to expect small organisations to have teams or individuals devoted to cyber security. However, this doesn’t mean their staff should have no awareness.

The World Economic Forum found that 95% of cyber attacks can be attributed to human error. Your staff are your first line of defence, so it’s crucial they’re aware of the signs to look out for (such as phishing emails), as well as ways to protect themselves with strong passwords and so on.

 

5. Lack of controls_

Another common issue we find in small businesses is that even basic security measures that come with their existing software are turned off.

Usually, this is done to work around an obstacle – for example, to unblock a site someone wants to use. However, while it might give you some freedom, it also leaves you vulnerable to unwanted activity.

Aim to utilise the strongest controls that come with your solutions. If you find them to be a blocker, it may be a case of reconfiguring or examining your IT policy.

 

6. Failing to account for remote environments_ 

We now live in a world where business teams work from different locations. Some may still be in the office, some may be at home or some may be in an entirely separate place, like a local café or customer premises.

As a result, your IT estate is no longer contained in one location. But many small businesses have not adapted their security for the remote world.

You now need to protect your devices wherever they are, to cover those working remotely. You’ll also need to consider things like a bring your own device (BYOD) policy to ensure all endpoints of your business – including staff members’ personal devices – are secured.

 

7. Unsecured networks_

Every business relies on a strong Wi-Fi connection. However, many fall into the trap of leaving Wi-Fi networks open or failing to use strong encryption.

If a hacker gets into your Wi-Fi, they can easily progress through your network and access sensitive information. A locked down Wi-Fi network with a strong password is a must.

 

8. Insufficient access controls_

Often, business data is a free-for-all. Anyone can have access if they know where to look.

However, not limiting access to data and systems based on employee roles creates unnecessary risk. Instead, you should implement access controls to ensure only authorised staff can access sensitive information.

 

9. No email filtering_

Email is a common route for cyber criminals, who use spam or phishing to trick your staff into sharing sensitive information or giving them access to your systems. That is why it’s crucial to use email filtering tools to minimise the chance of these emails landing in your staff inboxes.

Some small organisations do not have strong enough filters. They should cover all your inboxes and be configured to accurately remove anything suspicious.

 

10. Failing to patch vulnerabilities_

Many small businesses fall behind on patching vulnerabilities in their software. This is usually due to a lack of time, or not wanting to wait for systems to update.

However, patches fix known vulnerabilities and keep your software protected against current threats. If you fall behind, gaps in protection will emerge.

Proactive patching is essential to stay ahead of cyber criminals who exploit these weaknesses.

 

11. No response plan_

We’ve already mentioned that small businesses tend not to have a response plan in place, making them an easier target.

While we all hope the worst never happens, it is crucial to be prepared if it does. A response plan outlines how you will respond, including who needs to be notified and how you’ll limit the damage.

Without it, you’ll find yourself wasting time if a cyber attack occurs, making the issue harder to resolve.

 

How should small businesses protect themselves_

With cyber criminals homing in on small businesses, and vulnerabilities waiting to be exploited, it’s crucial to take a proactive approach to your security practices.

However, this can be hard for businesses with limited knowledge of cyber security and limited resources.

We’ve put together ten easy tips that will strengthen your security and minimise risk.

 

1. Re-examine your security_ 

The first step is understanding the state of your security posture. This will help you to uncover weaknesses that need to be acted upon.

We’ve already listed the common mistakes small businesses make, which should give you grounds to explore. You’ll also want to conduct a thorough audit to find the extent of the problem. A third-party IT professional should be able to help you with this.

It’s also possible to invest in software which simulates cyber attacks, such as phishing attempts. This gives you an opportunity to see how your systems and staff will respond and adjust.

 

2. Invest in basic training_

While you may not have cyber security expertise in house, it is crucial to ensure your staff have some awareness. This will help them to spot the signs of an attack and act appropriately. At the very least, your IT team should have this understanding.

The government’s Cyber Essentials scheme is a great starting point. It’ll give you protection against the most common cyber attacks and give your business increased knowledge of the dangers. If you complete the scheme, you can also get a certificate for 12 months, which can help you prove your high standard of security and boost trust.

 

3. Strengthen passwords_

Next, it’s time to get rid of those weak passwords. Your staff shouldn’t be using things like ‘Password123’ to secure your business data.

Set a password policy that recommends how staff can create stronger passwords. A good practice is using three random, unrelated words and adding numbers or special characters. For example, ‘Chair2Turtle!Snow’. These are much harder for criminals to guess.

Password generation and saving tools can also help your staff to generate strong passwords without them being forgotten. You may also want to enforce regular password updates so they’re constantly changing.
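As an added illustration (not code from the original article or from the author), here is a small Python password-policy helper that follows the advice above: it generates passphrases in the ‘Chair2Turtle!Snow’ shape from three random words, and checks a candidate password against the weak patterns the article warns about (short, ‘Password123’-style, or containing a term easily connected to the user such as a pet’s name). The word list and deny list are constructed samples; a real deployment would use a large dictionary.

```python
import re
import secrets

# Constructed sample word list. A real deployment would use a large dictionary
# (thousands of words) so that three-word combinations are hard to guess.
WORDS = ["chair", "turtle", "snow", "lantern", "river", "copper", "velvet",
         "orbit", "maple", "glacier", "anvil", "pepper", "harbour", "quartz"]
SPECIALS = "!@#$%^&*?-_"

# Constructed deny list of the kind of password the article warns against.
COMMON_WEAK = {"password", "password123", "letmein", "qwerty", "123456", "welcome1"}


def generate_passphrase() -> str:
    """Three distinct random words joined by a digit and a special character,
    e.g. 'Chair2Turtle!Snow'. Uses the secrets module so the choice is
    cryptographically random rather than predictable."""
    words = [w.capitalize() for w in secrets.SystemRandom().sample(WORDS, 3)]
    digit = str(secrets.randbelow(10))
    special = secrets.choice(SPECIALS)
    return f"{words[0]}{digit}{words[1]}{special}{words[2]}"


def check_policy(password: str, personal_terms: tuple = ()) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: words easily connected to the user (pet names, company name,
    family names) that should never appear in the password."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Strip digits and symbols so 'Password123' collapses to 'password'
    # and is still caught by the deny list.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WEAK or core in COMMON_WEAK:
        problems.append("matches a common weak password")
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    print("Password123 ->", check_policy("Password123"))
    print("Chair2Turtle!Snow ->", check_policy("Chair2Turtle!Snow"))
    print("Generated:", generate_passphrase())
```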

 

4. Firewalls and antivirus_

Firewalls are used to filter incoming and outgoing traffic. They monitor suspicious activity and prevent unauthorised access to your systems.

Antivirus software is used to detect and remove malware, including those downloaded from emails.

Together, these tools can protect you against common cyber risks. Make sure you have a robust solution to cover each area and keep these up to date continually.

 

5. Data encryption_ 

Data encryption makes your data unreadable to criminals who do hack in. It protects you and your customers against breaches.

Seek to encrypt sensitive data, both at rest (when stored on devices and clouds) and in transit (being moved between locations).

Encrypting data can be difficult, so it may be worth recruiting an external professional or investing in solutions that encrypt data by default.

 

6. Secure Wi-Fi_

While on the subject of encryption, you should implement strong encryption protocols for Wi-Fi networks. Your business Wi-Fi should never be open; it should be protected by a password that only authorised people know.

You should also avoid using public Wi-Fi for sensitive tasks, as these networks are less secure. This extends to staff who may be working from remote locations, so make this part of your remote working policy.

 

7. Software updates_

Having up-to-date software ensures you are continually protected. As new risks emerge, providers will introduce new features and code into their products to address changing threats.

Patch your operating systems, applications and firmware promptly to address known vulnerabilities.

 

8. Access controls_

When everyone has access to everything, it increases the chance of accounts being misused to obtain sensitive information and heightens insider risk.

To prevent this, you should grant access to data and systems only on a need-to-know basis, and ensure permissions are configured to reflect this.

You’ll also want to employ multi-factor authentication (MFA) for added security. It uses multiple verification factors, such as biometric data, passwords and codes, to ensure only the right people get into your systems. A lot of solutions now offer MFA as standard, so be sure to check it’s included in yours.

 

9. Invest in consolidated solutions_

There are several elements to cyber security. If you had a separate tool for each, it would result in a lot of unconnected software across your business, increasing costs and reducing efficiency.

Fortunately, there are more consolidated solutions coming into the market. These bundle different technologies to tackle core security risks together.

The benefit of consolidated solutions is that they leave fewer gaps in protection. They also save you from having to go out and find multiple tools to address your needs.

 

10. Recruit third-party help_

Cyber security is a huge task. Understanding the issues in your business and identifying solutions can be time-consuming and require in-depth analysis.

Even if you do find the right solutions, cyber security is never done. Risks evolve over time, and you need the resources and skills to stay on top of them.

Many businesses bring in third-party security professionals to alleviate the pressure. They have the expertise to proactively manage risks and make recommendations to keep you safe. So, consider bringing one in for your business, especially if you lack internal resources.

 

What to do next_

With criminals targeting your small business, you can no longer ignore your cyber security gaps. They need to be addressed before an attack occurs and causes significant harm.

Fortunately, there are solutions out there to help you win the fight against cyber crime. Microsoft has invested substantial sums into security to create a range of solutions that keep small businesses safe.

Using these solutions, you can better understand the state of your security posture and ensure it is up to scratch.

 

Our Infinity UNBOUND: Get to Secure video series is a programme of free, expert-led sessions giving you practical advice to strengthen your security posture. Tailored for the current threat landscape facing small businesses, you’ll gain actionable guidance to protect your business.
