Around 65,000 attempts to hack small to medium-sized businesses occur in the UK every day, around 4,500 are successful. That equates to around 1.6 million of the 5.7 million small businesses in the UK per year.
Small businesses are just as at risk from cyber security threats as large organisations. A common misunderstanding for small businesses is an idea of security through obscurity, that your business is too small to be a target, but unfortunately, this is not the case.
As attackers increasingly automate attacks, it is easy for them to target hundreds, if not thousands of businesses at once. Small businesses often have less stringent technological defences, less awareness of threats and less time and resource to put into cybersecurity. This makes them an easier target for hackers than bigger companies.
At the same time, they are no less lucrative targets. Even the very smallest businesses can deal with large sums of money, or have access to huge amounts of customer data, which, under regulations such as GDPR, they are obligated to protect. Small businesses also often work with larger companies and so they can be used by hackers to target those companies.
Small businesses also arguably have the most to lose from being hit with a damaging cyber-attack. A recent report revealed that businesses with less than 500 employees lose on average £2.5 million per attack. Losing this amount of money in a cyber breach is devastating to small businesses and that is not to mention the reputational damage that also follows.
For these reasons, small businesses need to be aware of the threats and how to stop them. This blog will cover the top 5 security threats facing businesses and how organisations can protect themselves against them.
Phishing Attacks
The biggest, most damaging and most widespread threat facing small businesses are phishing attacks. Phishing accounts for 90% of all breaches that organisations face, they’ve grown 65% over the last year and they account for over £12 billion in business losses. Phishing attacks occur when an attacker pretends to be a trusted contact and attracts a user to click a malicious link, download a malicious file or give them access to sensitive information, account details credentials.
Phishing attacks have grown much more sophisticated in recent years, with attackers becoming more convincing in pretending to be legitimate business contacts.
There has also been a rise in business email compromise, which involves bad actors using phishing campaigns to steal business email account passwords from high-level executives and then using these accounts to fraudulently request payments from employees.
Part of what makes phishing attacks, so damaging is that they’re very different to combat. They use social engineering to target humans within a business, rather than targeting technological weaknesses. However, there are technological defences against phishing attacks.
Having a strong email security gateway like Office 365 in place can prevent phishing emails from reaching your employees’ inbox. Post-delivery protection such as Cloud Mailbox Defence is also crucial to your business.
Malware Attacks
Malware is the second biggest threat facing small businesses. It encompasses a variety of threats such as trojans and viruses. It’s a varied term for malicious code that hackers create to gain access to networks, steal data, or destroy data on computers. Malware usually comes from malicious website downloads, spam emails or from connecting to other infected machines or devices.
These attacks particularly damaging for small businesses because they can cripple devices, which requires expensive repairs or replacements to fix. They can also give attackers a back door to access data which can put customers & employees at risk.
Small businesses are more likely to employ people who use their own devices work, as it helps to save time and cost. This, however, increases their probability of suffering from a malware attack, as personal devices are much more likely to be at risk from malicious downloads.
Businesses can prevent malware attacks by having strong technological defences in place. Endpoint protection solutions such as Cisco AMP (Advanced Malware Protection) protect devices from malware downloads and gives admins a central control panel to manage devices and ensure all users’ security is up to date. Web security (such as Cisco Umbrella) is also important, stopping users from visiting malicious webpages & downloading malicious software.
Ransomware
Ransomware is one of the most common cyber-attacks, hitting thousands of businesses every year. They’ve grown more common recently, as they are one of the most lucrative forms of attacks. Ransomware involves encrypting company data so that it cannot be used or accessed and then forcing to pay a ransom to unlock the data. This leaves businesses with a tough choice – to pay the ransom & potentially lose huge sums of money or cripple their services with a loss of data.
Small businesses are especially at risk from these types of attack. In 2019, 71% of ransomware attacks targeted small businesses, with an average ransom demand of £115,000. Attackers know that smaller businesses are much more likely to pay a ransom, as their data is often not backed up and they need to be up and running as soon as possible. The healthcare sector is particularly badly hit by this type of attack, as locking patient medical records and appointment times can damage a business to a point where it has no choice but to close unless ransom has been paid.
To prevent these attacks, businesses need to have strong endpoint protection in place across all business devices. These will help to stop ransomware attacks from being able to effectively encrypt data.
Businesses should also consider having an effective cloud solution in place. These solutions back up company data securely in the cloud, helping to mitigate against data loss. There are various methods of data back-up available to organisations, so it’s important to research the method that will work best for your business.
The benefit of implementing data back-up and recovery is that in the event of a ransomware attack businesses can quickly recover their data without having to pay any ransoms or lose productivity. This is an important step towards improved cyber resilience.
Weak passwords
Another big threat facing small businesses is employees using weak or easily guessed passwords. Many small businesses use multiple cloud-based services that require different accounts. These services often contain sensitive data and financial information. Using easily guessed passwords or using the same passwords for multiple accounts can cause this data to be compromised.
Small businesses are often at risk from compromises that come from employees using weak passwords, due to an overall lack of awareness about the damage they can cause. An average of 19% of enterprise professionals use easily guessed passwords or share passwords across accounts according to a recent report.
Businesses should also consider implementing multi-factor authentication technologies such as DUO. This ensures users need more than just a password to have access to business accounts. This includes having multiple verification steps, such as a passcode sent to a mobile device. These security controls help to prevent attackers from accessing accounts, even if they do correctly guess a password.
Insider threats
The final major threat facing small businesses is the insider threat. An insider threat is a risk to the organisation that is caused by the actions of employees, former employees, business contractors or associates. These actors can access critical data about your company and they can cause harmful effects through greed or malice, or simply through ignorance and carelessness. A 2019 report found out that 1,473 insiders caused branches.
This is a growing problem and can put employees and customers at risk or cause the company financial damage. Within small businesses, insider threats are growing as more employees have access to multiple accounts that hold more data. Research has found that 62% of employees have reported having access to accounts that they probably didn’t need to.
To block insider threats, small businesses need to ensure that they have a strong culture of security awareness within their organisation. This will help to stop insider threats caused by ignorance and help employees to spot early on when an attacker has compromised or is attempting to compromise company data.