Small businesses are at high risk of cybercrime

Small businesses are prime targets for cybercrime. This comes as a surprise to many small business owners, who often think cybercriminals focus their energy on infiltrating larger organisations. But a combination of weak cybersecurity systems, vulnerable IT infrastructures, and lack of employee training could leave small businesses susceptible to devastating attacks.

The 2022 Cyberthreat Defense Report shows that over eight in ten businesses in the UK were victim to at least one successful attack in the 12 months preceding its publication. According to GOV.UK statistics, medium and large businesses are more frequently targeted (companies with more employees offer more entry points to those looking for a way in), but small businesses within supply chains are often the means to access the networks of larger organisations.

A higher number of employees working remotely has also left companies vulnerable to attack; those rushing to implement work from home technologies in response to COVID-19 restrictions in 2020 may well have unrecognised weaknesses in their networks, waiting to be exploited by hackers.

The most common types of cyberattack

Cyberattacks are actions that target a computer or network to change, destroy, or steal data. Sometimes they simply cause disruption, and harm the ability of the victim’s IT network to function normally. They may consist of data theft (such as misappropriation of customer data, financial information, or business strategic information) or digital vandalism, which aims to inflict damage to the network in some way.

Ransomware attacks

A ransomware attack involves taking data hostage using a virus installed illegally onto a computer or IT network. Criminals demand a payment in exchange for releasing the information. In 2021, over three quarters of UK businesses were victims of ransomware, and more than eight in ten of these paid the attackers to release their information.

Phishing

Emails containing malicious links that, when clicked on, provide an opportunity for cybercriminals to gain access to a computer, are the most common type of cyberattack. In 2021, over 90% of UK businesses fell victim to a phishing scam. Emails are sent out indiscriminately and in bulk with the hope that employees click on the links within. They often closely resemble real company emails, making it difficult to distinguish them from legitimate communications.

Man-in-the-middle attacks

It’s possible for cybercriminals to position themselves in the centre of communications between two parties (unbeknownst to them), and effectively spy on the data shared between them. When an email is sent, it is intercepted (and sometimes modified) before it reaches its intended recipient. Companies that use strong encryption processes or VPNs are less vulnerable to these types of attack.

Denial of service

Denial of service attacks prevent genuine users from accessing services by overwhelming the system with illegitimate requests. The site must respond to each fake request, which drains its ability to respond to real users and can result in complete shutdown. Ultimately a business will experience loss of revenue (which is particularly problematic for those reliant on ecommerce channels), and high expenses to bring the site back to normal function

Attacks on character or business reputation

Hackers that gain access to a website or social media account can cause huge disruption by changing passwords and modifying the information therein. This could materialise as attacks on character or culminate in reputational damage to the business – particularly if the updated content is offensive. It also leaves sensitive data open for hackers to access, which could result in a GDPR breach.

How much does cybercrime cost a business?

The cost to a business can be high; not only in a monetary sense but also through the detrimental effect on reputation and consumer confidence. Money, data, and assets can all be lost during an attack. According to GOV.UK, the proportion of businesses experiencing negative outcomes after an attack has reduced over the last few years, likely the result of better basic cybersecurity measures following the introduction of GDPR regulations in 2018.

Overall, the cost can be catastrophic for small businesses.

Cost of repairing the damage

Time and money must be spent repairing any damage caused by a cybersecurity breach. While the actual average cost of this varies depending on the source (£8,460 per GOV.UK, £25,700 per a 2019 World Economic Forum article) it is likely to be substantial to a small business. A full investigation into how the breach happened is necessary, and further money spent on a solution. Many small businesses will need the help of external cybersecurity experts for this.

Revenue lost while systems are offline for repair and customers lost as a direct result of the breach both reduce profit.

Reputational damage

Many years of building up a strong brand identity can all be lost in an instant following a cyberattack; customer trust may never recover.

Larger companies often feature in the media following cyber incidences – such as British Airlines, victim to a cyberattack in 2018 where sensitive data of 429,612 staff and customers were accessed – and seem to bounce back fairly unscathed; for smaller businesses with a modest customer base this can be much harder.

Asset theft

Access to bank account information and credit details can lead to theft of funds from the business. Banks are obligated to refund money stolen via fraud from consumer accounts but may not necessarily cover the cost of theft from a business account. Those that do may carry out lengthy investigations before any cash can be returned, impacting a business’s immediate cash flows.

Litigation costs and compensation to data subjects

Fines for GDPR breaches can be significant. In the example above, British Airlines were dealt a £20 million fine for its poor security measures. Though small businesses are unlikely to face a fine of this scale, failure to implement adequate security measures – particularly in relation to client data – could result in a substantial fine if a breach were to occur.

Small businesses are vulnerable

Small businesses often lack the resources to fund elaborate cybersecurity systems, leaving them vulnerable to external attack. They may also lack robust cybersecurity training programmes, increasing the risk of an employee clicking on a malicious link. Large companies are probably more frequently attacked, but better security improves their chances of detecting and preventing it.

Smaller businesses are less likely to appoint a dedicated IT information security officer. This means the person responsible for IT security is unlikely to be an expert, and IT systems may not be entirely up to date.

Paucity of regular data back-ups means loss of data could severely disrupt business continuity in the event of an attack. Disaster recovery may not be a priority for smaller businesses who aren’t expecting to be targeted by cybercriminals.

Recent global events have also increased the cybersecurity risks for businesses. Since the start of the COVID-19 pandemic, a large proportion of employees have worked remotely. This creates more potential weaknesses for criminals to manipulate. Many companies do not use two factor authentication, and unsecured home wi-fi networks put communications at risk. The Russian invasion of Ukraine and the West’s unity against it could also result in a rise in cyberattacks from overseas.

Ways to improve cybersecurity

Employee awareness training, regular system back-ups, security testing (penetration testing simulates an attack to ensure security systems are working as expected), strong passwords, two-factor authentication, and real-time monitoring of networks are all key to improving security. Many small businesses do not have the internal resources to implement all of these themselves, and often need help from an external expert.

The GCA Cybersecurity Toolkit provides free cybersecurity advice to encourage organisations to reduce their cyber risk. It gives small businesses an opportunity to improve their cybersecurity using advice from world-leading experts, without breaking the bank.

Cloud systems have become popular in recent years due to better accessibility of data to remote workers. Increased security is a prominent feature of cloud-based accounting systems; cloud providers invest in cybersecurity and data encryption so that information can be stored securely. Data is automatically backed-up to the cloud, which promotes business continuity and offers a safety net as part of a business recovery plan.

More than Accountants use Xero – a cloud-based accounting software system designed with small businesses in mind – to manage all client accounts. If you are interested in hearing more about how we can help, please get in touch.

The risk is real

Small businesses may be attacked by cybercriminals as a primary target, or to gain access to larger companies via their supply chain. The size of small businesses may mean security is suboptimal, and the costs of an attack could be substantial. The statistics speak for themselves, and most businesses should expect to be the victim of a cybercrime at some point. Preparation is therefore key to minimise the financial impact and business disruption when it does happen.

Sources

Anon 2022, 2022 Cyberthreat defense report, CyberEdge Group, viewed 21 June 2022, CyberEdge-2021-CDR-Report-v10–ISC2-Edition.ashx

Anon 2021, Official statistics: Cybersecurity breaches survey 2021, GOV.UK, viewed 21 June 2022 Cyber Security Breaches Survey 2021 – GOV.UK (www.gov.uk)

Jones C 2022, More than 80% of UK businesses paid ransomware demands in 2021, ITPro, viewed 22 June 2022, 80% of UK businesses paid ransomware demands in 2021 | IT PRO

Media Centre 2020, ICO fines British Airways £20m for data breach affecting more than 400,000 customers, ICO, viewed 22 June 2022, ICO fines British Airways £20m for data breach affecting more than 400,000 customers | ICO

Jordan A & Bates A 2019, Helping small businesses fight cybercrime benefits the global ecosystem, World Economic Forum, viewed 22 June 2022, Helping small businesses fight cybercrime benefits the global ecosystem | World Economic Forum (weforum.org)

Rose A 2022, How conflict in Ukraine could revolutionize the ransomware threat. Proofpoint, viewed 22 June 2022, How Conflict in Ukraine Could Revolutionize the Ransomware Threat | Proofpoint UK

GCA 2022, Free cybersecurity tools to secure your organization. GCA Cybersecurity Toolkit, viewed 22 June 2022 GCA Cybersecurity Toolkit Home – GCA Cybersecurity Toolkit | Tools and Resources to Improve Your Cyber Defenses (gcatoolkit.org)