According to the latest figures from the Department for Digital, Culture, Media & Sport, 39% of businesses have suffered a cyberattack in the past year. Concerningly, 31% of those say they’re attacked at least once a week.¹
The findings highlight the critical need for SMEs to stay on top of cybersecurity as they emerge from the pandemic and start to make plans with more certainty than has been possible in the past two years.
Failure to take the correct precautions can be devastating for your business, especially in its early-growth stage. For micro and small businesses that have suffered breaches, the average cost of the attack to the company is £3,080.²
The most common form of cyberattack on businesses is phishing (fraudulent emails or being directed to fraudulent websites). Phishing attempts affected 83% of those companies that had experienced attacks in the past year, according to the survey. Meanwhile, 21% identified a more sophisticated assault such as a denial of service, malware or ransomware attack.
Small companies sometimes fail to take the necessary precautions around cybersecurity because they mistakenly don’t consider themselves to be a primary target for cyber criminals.
The truth, however, is that big companies will frequently invest heavily in cybersecurity, thus making it harder for the hackers, whereas start-ups can have minimal security in place and are therefore more attractive to the criminals.
Consider cyber cover
To protect against the threat, businesses should consider cyber insurance. Although an increasing number of companies are taking out protection against cyberattacks, the proportion is still worryingly low. According to a 2022 survey of 507 small businesses by Aviva, only 33% of SMEs have cyber cover in place.³
“The move to increase online presence and digital processes brings an increased risk of cyberattacks, at a time when businesses can ill afford further disruption,” says Gareth Hemming, Aviva’s Chief Distribution Officer. “It’s good to see the level of cyber cover increasing, particularly among those businesses who plan to increase online or digital activity, but this still leaves two-thirds of businesses exposed to rapidly evolving and varied methods of attack.”
Good cyber insurance policies will cover loss of revenue (for example, if an online shop is unable to operate), the costs of fixing the breach and, perhaps more importantly, access to a suite of response services, paid for and arranged by the insurer. These could include forensic IT, public relations and legal services.
Be alert to sophisticated scams
Good cover is increasingly important because the criminals are getting smarter. Phishing attempts have evolved in recent years to become more sophisticated than simply sending out thousands of emails and hoping for a response. Instead, the attacks – known as ‘spear-phishing’ or ‘whaling’ – are far more targeted and convincing.
Spear-phishing is when hackers target a specific individual, often by impersonating another person or organisation. They will conduct in-depth research to make their impersonation credible – gathering names and job titles, details of projects being worked on and the exact format of company emails. Then an email will be crafted to a target who is likely to believe it’s genuine (for example, someone who has previously corresponded with the person being impersonated, with the email perhaps referring to a current project), tempting him or her to click on a malicious link.
Whaling involves targeting a very senior person in an organisation, often the CEO. Because their devices or areas of network access are likely to hold the most sensitive and valuable data, they are lucrative targets. They’re also seen as soft targets, because CEOs sometimes lack in-depth technical knowledge, are very busy and have to deal with a large number of emails quickly – often making them less proficient in spotting a phishing email.
While less common than phishing, spyware (or malware) and ransomware attacks can be disastrous for businesses. Most often sold on the dark web, these hacking tools are applied on an industrial scale and use sophisticated algorithms to continually try to hack into your business systems.
If you want to make sure you’re following best practice, a good starting point is to go through the Cyber Essentials certification programme run by the National Cyber Security Centre. For a small fee, a business’s security and resilience to cybercrime will be tested, recommendations made and a certificate issued once the business is compliant.
Another good option is to consult the National Cyber Security Centre’s 10 Steps to Cyber Security, which offers practical advice on areas such as risk management, data protection, and staff training and engagement.
1,2 Cyber Security Breaches Survey 2022, Department for Digital, Culture, Media & Sport, March 2022
3 SMEs Moving from Survival to Growth in 2022, Aviva, February 2022 (Based on a survey sample size of 507)