Cyber security for SMEs

Cyber security for SMEs

Zoe Brown

Zoe Brown
19th November 2020

With an increasing amount of business conducted online, it’s more important than ever for companies to protect themselves and their customers from cyber threats.

From your computer systems and networks to hardware, software and personal data, businesses have a responsibility to safeguard their systems. In this guide, we’ll cover everything you need to know about SME cyber security including awareness, prevention and protection and how to respond to an attack.

Why is cyber security so important?

An incredible 65,000 attempts to hack small to medium-sized businesses are made in the UK every single day. Of these, approximately 4,500 are successful. This means that 1.6 million SMBs fall victim to cyber crime every single year.

If that’s not scary enough, one small business is successfully hacked every 19 seconds in the UK according to Hiscox.

Aside from the fact that the risks are high, why is SME cyber security so important?

  • It prevents data breaches. The last thing any company wants is sensitive information leaked via the internet. Whether it’s your own or your customers’, personal information needs to stay exactly that
  • A data breach can permanently damage your reputation, making it difficult to retain existing customers and acquire new ones
  • A cyber attack can destroy important files, hardware and software resulting in downtime for your business. For every minute your company isn’t operational, you’re losing money
  • Downtime can have a negative impact on employee productivity
  • Ensures you’re compliant with GDPR
  • If you’re not prepared for an attack, you could lose important data and work
  • Having a response plan in place means you can get back up and running quicker

What are the main cyber security risks for SMEs?

When it comes to cyber crime, SMEs are unfortunately promising victims. With limited budgets and a lack of security expertise and awareness, these businesses are often seen as easy targets.

When it comes to small business cyber security, what are the main threats?

1. Malware

Malware is malicious software designed to cause damage to a computer, server, client or computer network. You get many different types of malware including viruses, worms, Trojan horses, spyware, ransomware, scareware, Botnets and rogue software.

What malware does and how it works can vary but a few examples include:

  • Trojans – disguises itself as legitimate software and creates backdoors in your security to let other malware in
  • Spyware – spies on you to gain access to information such as passwords, credit card information and browsing habits
  • Worms – infect entire networks of devices
  • Botnets – networks of infected computers that are designed to work together under the control of the attacker

A type of malware, a computer virus is a type of programme which replicates itself by modifying other computer programmes and inserting its own code.

Viruses attach themselves to clean files and infect other clean files. They can spread uncontrollably and damage a system’s core functionality as well as delete or corrupt files.

Users are often tricked into clicking on links which can then infect their computer.

2. Phishing

Phishing scams are used to obtain sensitive information such as usernames, passwords and credit card details. This is done by being disguised as a trustworthy entity in an electronic communication – typically an email or sometimes, a text message.

Approximately half of cyber attacks in the UK involve phishing which is 20% higher than the global average.

3. Ransomware

Ransomware infects your computer and holds data to ransom, often demanding significant amounts of money for its release. Typically, it gains access to computers through convincing phishing emails with infected links or attachments which employees can unwittingly click.

Ransomware can also sneak malware in through vulnerabilities in your systems and software.

Image source:

The statistics surrounding ransomware are worrying. Attacks are costing UK businesses around £346 million every year and it’s estimated that over half of those targeted still can’t recover their files or data even if they pay the ransom.

In the first half of 2019, there was a 195% increase in attacks with the UK being the second most attacked country in the world.

Common signs of a ransomware attack include:

  • You can’t access your desktop or files
  • Your files have a new extension appended to their name. While a word document will have .doc at the end for example, an infected file might have a strange extension such as .ezz
  • Software tools you haven’t installed are appearing on your network
  • Unexplained administrator accounts have been created
  • Your system detects MimiKatz – this is a popular tool used by hackers

If you’re hit with a ransomware attack, it’s important that you don’t pay the demanded fee. Paying provides no guarantee that you’ll get your files back and it can only encourage future attacks.

The NCSC has some top steps to follow if you think you’ve been subject to a malware attack, including disconnecting infected devices from network connections and the internet, resetting passwords, wiping devices and updating and running anti-virus software.

4. DDoS attacks

A distributed denial-of-service attack (DDoS) attack is a malicious attempt to disrupt normal traffic to a machine or network. Even huge corporations such as Twitter, Netflix and Airbnb have fallen victim to these attacks, highlighting just how sophisticated they can be.

Typically, a DDoS attack works by flooding a company’s servers with requests so they can’t cope and eventually shut down. This can leave a business unable to trade for minutes, hours and sometimes days, having a potentially catastrophic impact.

5. Hacking

Hacking occurs when criminals obtain unauthorised access to your computer, emails or system and manipulate the information or data within. Common hacking techniques incorporate many of the threats we’ve already covered including:

  • Botnets
  • Browser hijacks
  • DDoS attacks
  • Ransomware
  • Rootkits
  • Trojans
  • Viruses
  • Worms

Cyber security is a team sport, played at speed, but in the dark by too many people. What are the blind spots? Who are the crucial third-parties that your business depends on?

Kevin Duffey, Managing Director of Cyber Rescue Alliance

Risk management regimes and cyber security for SMEs

The technology that organisations use to run their businesses often store highly sensitive information about their financial records, employees and customers. Using these systems puts companies at risk of information being deleted or stolen which could result in downtime, a breach of legislation, financial loss and a damaged reputation.

Risk is an inherent part of doing business. For any organisation to operate successfully it needs to address risk and respond proportionately and appropriately to a level which is consistent with the organisation’s risk appetite. If an organisation does not identify and manage risk, it can lead to business failure.

Without identifying and managing risks, they can be more likely to happen and the effects can be more devastating. This is why SMEs should have a risk management regime in place. To help you understand more about this, below is a short beginner’s guide to cyber security risk management:

A good risk management regime will allow you to manage any potential risks by:

  • Determining your organisation’s risk appetite
  • Maintaining your Board’s engagement with information risk, if applicable
  • Producing supporting policies
  • Adopting a lifecycle approach to risk management
  • Applying recognised standards
  • Making use of endorsed assurance schemes
  • Educating users (usually employees) and maintaining their awareness
  • Promoting a risk management culture within your organisation

You can find out more information about all these points on the NCSC website. 

Prevention and protection

43% of cyber attacks target small businesses, having a prevention and protection plan in place can be the difference between an organisation surviving or not.

Let’s take a look at what you need to know about SME cyber security including how to protect data, utilise encryption, create secure passwords, train staff and more.

How are you going to be ready when things go wrong? That’s the principle of cyber resilience

Kevin Duffey, Managing Director of Cyber Rescue Alliance

Protecting your business against key threats

Earlier, we discussed what the main cyber security risks are for SMEs. Let’s go into further detail about how you can protect your business against these key threats.

1. Malware

There are a number of small business cyber security tactics you can implement to protect your organisation from a malware attack.

  • Update your operating system, browsers and plugins. Don’t forget this should also be done with mobile devices for anyone who uses their phone to access work files
  • Enable click-to-play plugins. You don’t even need to click on malicious ads for them to infiltrate your system. Click-to-play plugins will stop Flash or Java from running unless you specifically tell them to by clicking on the ad
  • Remove software you no longer use. Microsoft stopped releasing software patches for Windows XP in 2015 and Windows 7 and 8 are only under extended support. Using software without support or the ability to implement patches leaves you open to attacks. Delete any software you no longer use as well as old versions of Adobe reader and media players
  • Watch out for fake tech support numbers. Pop-ups from fake companies offering help with malware infections are common. They tell you that your system has been infected and to call them. A real security company would never market to you via a pop-up. If you have security software and it genuinely detects malware, it will often show up in a scan and won’t tell you to call and shell out money to remove the infection. If you’re unsure, visit your provider’s website and use a number they’ve provided
Malware example message
Image source:
  • Always use a strong password. When choosing our own passwords, we have a tendency to choose things that are easy to remember such as a pet’s name. This is information hackers can get hold of easily if you use social media. Instead, use passphrases or link together random words, adding length and complexity where possible with numbers and symbols. If you use a password manager, these can also generate random secure passwords for you
  • Make sure you’re using secure websites. Check the domain is as expected and look for the lock icon to the left of the URL of the website you’re on. URLs should also read https, not just http
  • Log out of websites and online accounts when you’re finished
  • Use firewall, anti-malware, anti-ransomware and anti-exploit technology. These software applications can help to fend off sophisticated attacks. Here is a roundup of some of the best anti-virus solutions for small businesses
Download cyber security checklist

2. Viruses

Computer viruses are easy to pick up if you’re not protecting your systems effectively. Fortunately however, there are a number of simple steps you can take to reduce the likelihood of a cyber attack.

  • Use reputable anti-virus software and ensure it automatically updates on a regular basis
  • Anti-virus programmes don’t automatically mean you have a firewall. A firewall is a network security system which monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls establish a barrier between a trusted and untrusted network. Macs and PCs come with pre-installed firewall software so ensure it’s enabled to provide an extra layer of protection from viruses
  • Many viruses infiltrate computers through users innocently clicking on a bad ad or link. You can reduce the likelihood of this happening by installing a popup blocker. This will also stop unwanted pages from opening automatically
  • Never click on, open or download anything unless you know the sender, and are expecting something from them, or trust the website

It’s also important to ensure you’re aware of the signs of a virus so you can deal with the problem quickly. Signs that your computer has picked up a virus include:

  • Unexpected shutdowns
  • Your computer has slowed down and/or takes a long time to shut down or restart
  • Repeated error messages
  • New toolbars you didn’t install
  • Changes to your homepage
  • Your battery drains very quickly

3. Phishing

Phishing scams most commonly come in the form of emails. They’re very popular with cyber criminals because it’s easy to send to large numbers of people in one go, they can add company logos to make communications seem authentic and most of us receive genuine emails from the companies being imitated so it’s easy to be fooled by a convincing email.

The example email below is a convincing example of a phishing attack.

Phishing email example

It has the HMRC logo, links to their social media pages and even a section in the footer telling recipients how to stay safe online. With many businesses worried about surviving Coronavirus, it would be easy to fall into the trap of clicking on the button to complete the claim and submitting bank details to fraudsters.

Phishing attacks will often tell a story to try and trick you into clicking on a link or opening an attachment. This usually includes them claiming:

  • You’ve missed a payment and must pay urgently or further action will be taken
  • There has been suspicious activity or log-in attempts with your account
  • There’s a problem with your account or payment information
  • You need to confirm some personal information
  • You need to pay an overdue fake invoice
  • You’re eligible for a tax refund

It’s not unusual for phishing emails to be confrontational – they are designed to scare people into acting fast. Even if you don’t usually fall for things, the threat of a big fine, a lawsuit or even imprisonment could cause you to act without thinking.

Other signs an email might not be genuine include:

  • Spelling and grammar mistakes
  • It’s from a shop or provider you don’t use
  • They might be pushy, rude or demanding
  • They ask for financial or other personal information. A genuine company would never ask you to supply this type of information over an email
  • It includes a suspicious attachment
  • The email address looks suspicious. Before responding to anything, always check the email address, this is a big giveaway even with the most convincing attacks. You would never know the example below is a phishing attack unless you noticed the strange email address at the top
  • The link looks suspicious. If you hover over the links in the email and they don’t show the URL of the company the email is apparently from or are lengthy and confusing, this is another sign of a phishing attack
Phishing email example

When trying to protect your organisation from phishing attacks, it’s very important to ensure your employees are well-informed about these signs. Educate them to implement the following steps:

  • Know the signs of a phishing email
  • Always think twice about clicking or downloading anything from an unknown source. You should only open attachments, click on links or download files if you’re expecting them or are certain it’s from a genuine company
  • Never give out personal or financial information. Phishing emails will often create fear by telling you that you’ve missed a payment or you’ll be in trouble if you don’t pay now. If you’re concerned and have an account with the company in question, go to their website and call them via a number from there. Never reply to the email or phone using a number provided on the communication
  • Only use trusted websites. When inputting bank or card details, only use trusted websites, checking the domain is as expected and ensuring the website is secure with the lock symbol before the URL
  • Use different passwords for different sites. This means that if you do fall victim to an attack, only one account will be compromised instead of all of them
  • Enable two-factor authentication. This is a security process that requires two methods of verification to log in
  • Use a good email provider. It’s worth paying more for an email provider who works hard to identify phishing and other scams

For more tips and advice, head to this blog on ‘how to protect your business from phishing scams.’

Download cyber security checklist

4. Ransomware

Ransomware typically exploits both software vulnerabilities and human behaviour. This means that when it comes to cyber security for your small business, it’s important to protect both.

Have you identified the employees who are most likely to receive emails from external sources? Do staff know how to spot the signs of a fake email? Is there a procedure in place for users to report suspicious emails?

When it comes to protecting your equipment:

  • Do regular back ups so you don’t lose data if you’re hit with an attack
  • Keep all your software up to date
  • Use robust security software that employs a layered approach to block both known and new threats
  • Cyber criminals can embed macros in Office documents to manipulate or delete files in your hard drive, as well as download malware from the internet. When using Microsoft Windows with the applicable version, set the group policy setting for macro settings to ‘disable macros with notification.’ to stop macros from running automatically when a document is opened
  • In Office 2013 and 2016, edit the group policy settings to block macros from running when using Word, Excel and PowerPoint documents from the internet. You can find out more about macros and how to block them on the Microsoft website
  • If you don’t use Java and Flash Player, uninstall it. If you only use it occasionally, disable it until you need it. Many vulnerabilities have been discovered in both programmes over the years, leaving businesses open to attack. These articles explain how to disable Adobe Flash and Java

Make a regular daily/weekly back up copy of essential information. Regularly test that the backup is working to ensure you can restore information from it.

NCSC SME Engagement Lead

5. DDoS attacks

A common misconception with DDoS attacks is that hackers only attack large companies. Unfortunately for SMEs, this simply isn’t the case.

Fortunately, however, there are a number of simple ways you can protect your business including:

  • Know the amount of bandwidth your site typically uses. DDoS attacks offer visual clues so the more familiar you are with your network’s normal behaviour, the more likely you are to catch an attack early
  • Add more bandwidth. This ensures that your server capacity can handle heavy traffic spikes if you’re overloaded with a sudden increase due to a DDoS attack
  • Do your updates. This includes updating and patching your firewalls and network security programmes
  • Secure your network infrastructure. This consists of all your IT which is used to provide network services so that your devices can connect and communicate. Examples include routers, hubs, gateways, servers, ethernet cables, wireless access points, firewalls, VoIP and VPN
  • Practice basic network security. This includes having secure and complex passwords and implementing anti-phishing methods and secure firewalls that allow little outside traffic
  • Prepare for an attack. Ensure you have a cloud-based DDoS mitigation system in place that can handle attacks. This will help to get your business back up and running much quicker. You can find out more about DDoS mitigation and how to choose the right service here

6. Hacking

Businesses get hacked for many reasons. It could be financial gain, a political agenda or even just for criminals to gain notoriety. Below are some tips to prevent hackers getting into your system:

  • Use strong passwords
  • Use two-factor authentication
  • Have different passwords for everything
  • Choose an Internet Service Provider that offers built-in security features
  • Keep anti-virus and anti-spyware software up to date
  • Install a network firewall
  • Encrypt customer data and sensitive information
  • Limit access to certain online information
  • Block high-risk sites from being viewed by employees

For more advice on keeping your business safe, have a read of ‘How SMEs can improve their online security.’