An IT outage caused global chaos to air travel, health services, businesses and broadcasters on Friday morning. A problem with an update by cyber security firm CrowdStrike triggered the incident, which affected customers using Microsoft’s Windows Operating Systems and was not a result of a cyber attack. However, this IT disaster is a timely reminder for businesses great and small to consider the risks associated with their digital systems.
Large organisations continue to hit the headlines when cyber attacks compromise their operations and put customer data at risk. In April, flooring retailer Carpetright was hacked during a company restructure. The cyber attack has since been described as “the straw that broke the camel’s back”, as the firm announced in July that more than 1,800 of its employees are at risk of redundancy.
According to The State of Ransomware 2024 report by the cybersecurity company Sophos, “most small businesses and start-ups are heavy users of Software as a Service (SaaS) platforms, reducing the risk of business outage from threats like ransomware”.
Accounting software is one example of SaaS used by small business owners who do their own accounts. However, cloud-based applications, accessed via a web browser, can be attractive targets for hackers if security measures are weak. Small businesses using online retail platforms, such as Shopify or WooCommerce, need to consider precautions to protect their data.
Phishing is the most common type of cyber attack, affecting 90% of businesses, according to the government cyber survey, but malware and ransomware also pose a serious threat.
Three quarters (75%) of UK businesses say cyber security is a high priority, but more medium and larger businesses are prioritising this issue, compared with smaller firms. In fact, the proportion of businesses seeking information and guidance on cyber security has fallen since 2023.
The government survey said that a “sizeable proportion” of organisations are unaware of the government-backed Cyber Essentials scheme, which helps businesses get the basics right and offers tools to guard against common online threats. Separate research in 2023 from the Federation of Small Businesses (FSB) also suggested that few small businesses access the cyber security tools and guidance available to them.
We asked IT experts why many small businesses aren’t addressing cyber threats and outline ways to increase your resilience against outages and cyber attacks.
“It won’t happen to me”
Many small business owners may feel the risk of cyber attacks is minimal and could underestimate the potential financial and reputational damage. Tighter budgets make preparing for cyber attacks more of a challenge for smaller firms, with many more focused on making ends meet. But the cyber threat remains and, as most UK organisations are considered small, this could be cause for concern.
“While small businesses are rarely sufficiently well known to hit the headlines, they are a growing target for cyber attacks,” says Sally Adam, senior director of marketing at security software company Sophos. In its 2024 State of Ransomware Report, Sophos found a “small but welcome drop” in the number of organisations hit by ransomware in the last year, from 66% to 59%. But the company says “this is no time to lower your guard.”
The lower level of media coverage of cyber attacks on small businesses could also encourage a sense of complacency.
“Assume that you will be attacked at some stage. Look to see what the key areas of your business are that you need to protect,” warns Richard Archdeacon, former Advisory Chief Information Security Officer at the technology company Cisco.
He told NerdWallet that every small business should “practise and prepare for the worst”. Whether you work alone or have a team of staff, it’s important to take time, before you experience an outage or cyber attack, to ask yourself these questions:
- How would we communicate with our customers?
- How would we switch our IT systems?
- How would we keep our payment systems going?
- How would we communicate with employees?
What do cyber attacks look like for SMEs?
Social engineering scams are common, says Edward George, account executive at independent insurance broker One Broker, who gives the following example of how easy it is for small to medium-sized enterprises (SMEs) to be scammed.
“Hackers impersonate a director asking the accounts department to send a payment to a supplier or customer, and the payment is made. It is then discovered the email is from a spoof account with only a slight difference in the email address, making it very difficult to spot.”
George adds that malware is another threat. “People click on links and attachments, which release malware onto a system,” he explains. “SMEs, in particular, do not have the infrastructure or expertise to deal with a major breach of their systems. Most SMEs we talk to admit they wouldn’t know the first thing to do in the event they couldn’t get into their systems on a Monday morning, for example.”
“Adversaries will take advantage of any opportunity to penetrate an organisation. If you have made changes to your business and technology operations, always take the time to ensure that you have not inadvertently opened up new gaps in your defences,” says Adam.
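The spoofed-sender fraud George describes relies on a domain that differs from the genuine one by a character or two. The script below is an added example, not code from the article or from any company quoted in it, showing how an accounts team could screen incoming payment requests for such near-miss sender domains before acting on them. The trusted-domain list, the sample headers and the distance threshold are all constructed assumptions.

```python
"""Flag e-mails whose sender domain is a near-miss of a trusted domain.

Added illustration for the director-impersonation scenario above; the
trusted domains, sample messages and threshold are constructed, not real.
"""
from email.utils import parseaddr

# Constructed list of domains this business legitimately receives mail from.
TRUSTED_DOMAINS = {"example-flooring.co.uk", "acme-supplies.com"}

# Characters commonly swapped for look-alikes; mapped back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI_CHAR_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(domain: str) -> str:
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower().translate(HOMOGLYPHS)
    for lookalike, genuine in MULTI_CHAR_GLYPHS:
        d = d.replace(lookalike, genuine)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for genuine in trusted:
        genuine_norm = normalise(genuine)
        if norm == genuine_norm or edit_distance(norm, genuine_norm) <= max_distance:
            return "lookalike"
    return "unknown"


# Constructed From: headers standing in for a morning's payment requests.
SAMPLE_HEADERS = [
    "Jane Director <jane@example-flooring.co.uk>",   # genuine
    "Jane Director <jane@exarnple-flooring.co.uk>",  # 'rn' in place of 'm'
    "Accounts <accounts@acme-supp1ies.com>",          # digit 1 in place of 'l'
    "Newsletter <news@totally-unrelated.org>",        # neither trusted nor close
]


def audit(headers=SAMPLE_HEADERS):
    """Classify each header; returns (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in audit():
        print(f"{verdict:10s} {header}")
```

A check like this only catches domains that are close to ones you already trust; an unrelated domain is reported as unknown, not as safe, and the result is a prompt to confirm the request by another channel rather than a verdict on its own.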
“It’s complicated and daunting”
It can be tricky to get to grips with cyber threats and the security measures you should take. The government survey revealed that where cyber security has been outsourced to an external contractor, senior leaders of small businesses become disengaged from the topic and do not have a strong understanding of the actions required.
This complexity can also extend to cyber insurance. A 2022 survey by the FSB found that as much as 38% of small businesses that have a cyber insurance policy don’t know what it covers.
This is compounded by the lack of consistency in the standard cover for cyber insurance. For example, it found that in the London market alone, cyber policies use around 50 different definitions of ‘computer system’.
“Cyber insurance covers are broadly split into two categories: cyber liability and cyber crime,” George explains. “Cyber liability is primarily concerned with the loss of data, be it customers, suppliers or employees, for example. It also covers things like ICO [Information Commissioner’s Office] notifications, investigations and reinstatement of data. Cyber crime is primarily concerned with social engineering, fraud and theft.”
Of course, businesses get cyber insurance for a reason. Sophos’s latest report found that insurance providers contributed towards the ransom in 83% of ransom attacks, but insurance firms rarely covered the whole claim.
Even so, there are barriers to cyber insurance. These include a recent rise in premiums and more stringent expectations from insurers for the level of cybersecurity measures the business has in place.
Funding for cyber security and in-house expertise may also be in shorter supply for small businesses.
Ways to help combat cyber crime
“The UK is very fortunate in having the National Cyber Security Agency, which provides an enormous amount of guidance to people,” says Richard, who admits that protecting your business from cyber attacks is a “never-ending task, because your business changes, the threat changes and the environment changes”.
Putting basic risk management measures in place, such as data back-up, firewalls, antivirus software and secure passwords is a start.
“Steps such as multi-factor authentication and staff training can help a business build digital resilience. Many claims result from human error, so giving staff training is an essential means of reducing the risk of a breach,” says George.
Depending on the size and nature of your business, enlisting the help of a security partner is worth considering.
“You won’t be able to have a whole big security team yourself. It just isn’t financially viable. So make sure you have a partner that you can turn to should you have an attack,” says Richard.
It’s more common for micro and small businesses to rely on external service providers, since they are less likely to have the capacity or expertise to handle digital security in-house. The National Cyber Security Centre offers an online guide to cyber security for small businesses if you’re unsure where to begin.
Another benefit of cyber insurance is that it may not be restricted to dealing with the fallout from cyber attacks. “Some insurers offer access to training academies for staff to help raise awareness of risk and provide monitoring services,” says George. “This allows them to look for vulnerabilities and alert clients of these vulnerabilities before a breach.
“The reality is hackers’ techniques are changing so quickly, and there are numerous ways of infiltrating a system,” he explains. This is why cyber insurance can be an important consideration alongside cybersecurity measures. After all, he says, “Just because you have a smoke alarm doesn’t mean you shouldn’t insure your building in case of a fire.”