It is a cruel irony that the reasons why small to medium enterprises (SMEs) claim they are immune from devastating cyber attacks are the very reasons they are most likely to fall victim.
Usually it is a case of: ‘We are too small. Too niche. Too specialist. We already have virus protection. We are not cash rich.’ Or ‘Cyber criminals are only interested in large profitable corporates – not small fish like us.’
While it is true we tend to read about large companies and organisations falling victim to cyber crime, that’s because it is the household names that make the headlines: the British Library, Virgin Media, RingGo and the Electoral Commission, for example.
Smaller companies represent easy pickings for cyber criminals. Typically, they have neither robust, bespoke cyber protections in place nor the resources for them. They rely instead on ‘off the shelf’ antivirus packages which, in the face of ever more sophisticated attacks, are about as effective as throwing a glass of water on a house fire.
Companies, large and small, are most likely to find themselves the victims of ‘ransomware’ – a particularly nasty form of malware designed to cause the maximum of confusion and disruption to computer networks.
Small companies are less likely to be targeted individually by criminals. It is more likely that simple, everyday human error will be enough to unleash a devastating ransomware attack.
Philip Mashinchi, from leading cyber-security company Cambridge Support, said:
“When it comes to cyber-crime, every one of us is at risk. Besides implementing good security tools to protect systems, the key is education and being vigilant. I strongly recommend everyone to regularly attend cyber awareness training. The government’s National Cyber Security Centre website includes a great starting point (https://www.ncsc.gov.uk/cyberaware/home).”
Once ransomware has been unleashed, critical parts of a company’s network can be isolated and encrypted. For example, an accounts package, or personnel files, client details or crucial research data. Then comes the ransom demand, usually to be paid in bitcoin. The thief will offer to release your data in return for payment.
Why would a cyber-criminal kill the goose that has just started laying golden eggs?
Education and training are key to protecting a company, and yet the majority of SMEs fail to adequately inform or train staff about what to look out for, particularly ‘phishing’ assaults. This is where a normal-looking email, perhaps from a supplier or government agency, is opened and, instead of being legitimate, is laced with ransomware.
Vigilance and training at all levels are crucial to a company’s ability to fend off an attack, as are robust cyber security solutions.
It could be the case that a criminal ransomware operator is more interested in having access to a company’s supply chain. Although small, a company may have large corporate suppliers or customers who would be much more appealing targets for criminals.
If a company has robust, ongoing cyber protection in place, coupled with regular training, then its exposure to risk is greatly diminished. By protecting itself, a company is also helping to safeguard its customers and suppliers. If they do fall victim to an attack, it would not be through you.
If all that hasn’t convinced you to treat cyber protection measures as a business priority, here is another reason: more and more companies are asking potential partners to demonstrate evidence of their own cyber security safeguards before allowing them to bid for contracts.
A successful cyber-attack (and government figures show that 53 per cent of SMEs were hit by an assault in 2023) will not only lead to unprecedented disruption, but also bring with it significant loss of business focus, loss of revenue, reputational damage and, ultimately, bankruptcy. Not to mention legal consequences, non-compliance issues, fines and, if the company is found to be negligent, the possibility of being sued.
If a company falls victim to a cyber-attack, existing customers may well leave as the company cannot be trusted to protect their data. And new customers will go elsewhere for the very same reason.
There are actions a company can take to minimise its risk of an attack, including:
- Training employees to identify phishing attempts
- Backing up data and keeping it offline
- Keeping security patches up to date
- Having robust anti-spam processes
- Introducing multi-factor authentication
- Configuring your firewall to repel invaders…and so on.
If all this sounds a bit too IT-intensive, then outsource all of it to a company with a commercial interest in keeping your business safe.
Preventing an attack has to be a better option than coping with one.
Image above: Steve Greenhalgh, Cambridge based Public Relations consultant.