Why being an SME does not mean you are immune to a cyberattack

Jason Howells, EMEA director of Barracuda MSP, discusses why SMEs are still blissfully unaware of the danger of malware.

The majority of headlines concerning cyberattacks are often focused on the corporate juggernauts or public sector organisations. Very rarely do we read or hear about a small local business falling prey to cyber attack, but that doesn’t mean it’s not happening; in fact, it’s quite the opposite.

According to the National Small Business Association, 44 per cent of small businesses report being the victim of a cyberattack and even more worrying is that 60 per cent of SMEs that suffer a security breach go out of business within six months.

A recently discovered phishing campaign had a staggering 90-per cent success rate and with the average employee having 121 emails flying into their inbox daily, it’s unsurprising that SMEs are vulnerable to attacks.

Considering these alarming figures, why are the majority of SMEs still walking down the road acting blissfully unaware of the probable danger?

Ignorance is bliss

A key characteristic hindering an SME’s approach to security is that they are largely uneducated about malware; it seems everyone knows about cyberattacks, but not what they actually consist of.

So firstly, what is malware? Quite literally, it translates to ‘malicious software’ and is an all-encompassing term for any software used to obtain sensitive information without a user’s consent, such as viruses and ransomware. It disrupts computer systems in a variety of ways by restricting access, encrypting files and corrupting data. In ransomware attacks, a message will appear demanding a sum of money for you to pay to retrieve your files- but paying this does not mean you are guaranteed to get your data back.

With these increasingly common data breaches, owners of small to medium sized businesses need to take responsibility and learn what is needed to protect their company.

The ones close to you are the ones that will hurt you the most

Even with every prevention method in place, it is often employees who unintentionally expose businesses to malware through user errors, such as clicking links in phishing emails. So ultimately, your employees are the most important line of defence.

You should educate and train all employees on being vigilant and it often helps them to understand the extent of damage a malware attack can cause by showing examples – unfortunately there are plenty of examples currently available.

The human touch

Personal information is worth a lot, so it’s no surprise that social engineers or human hackers, if you will, have become more sophisticated in stealing data whenever they can get their hands on it.

While it is critical to teach your employees about cybersecurity best practices, it’s also important for them to understand how to mitigate the risks of social engineering. Would they think twice about giving business-confidential information out over the phone to someone asking the right questions?

As social engineering becomes more personalised and streamlined, you should consider teaching your employees on how to identify common attack methods and how these social engineers successfully extract confidential information.

Suggest that they adopt call scripts to avoid confidential information being divulged over the phone, and most importantly, consider what sensitive information your employees actually have access to. All verticals are unique with information that is confidential, but common things include vacation time, personal information, health records, employee information, and even charitable donations.

Four other things your SME is doing wrong and how to fix them

Taking an inch and not a mile. If you’ve invested in a firewall or installed antivirus software on your machines, you’re taking a step in the right direction. But a step isn’t enough. If you haven’t paid for subscriptions or updates, you are still leaving your door wide open for an attack.

The fix: You can consult a managed service provider (MSP) who will help you with updates, ensuring you’re protected. They can also help you with creating a backup solution so if you are hit with ransomware, you’re up and running in no time.

Out of date systems. Technology plays a key role in day-to-day business but it is often not priority and companies tend to be running out-dated operating systems, making them extremely vulnerable.
The fix: It’s time to transition to a more secure solution. If you feel out of depth with choosing one, you can ask an MSP for their advice.

Not letting go. If you don’t set passwords to expire regularly, old employees still probably have access to your system and while it’s unlikely an old colleague is now a hacker, why take the risk?
The fix: Set up a password policy that makes passwords expire every 90 days. You may get a few grunts from the annoyed employees who have to think of new ones but improving your security is worth it. It is also vital to teach your employees how to choose a strong password – a simple but often overlooked and effective lesson that everyone should know.

Passwords in plain sight. It is almost a certain guarantee at least one employee will have a post-it full of passwords. Whilst it’s undeniably convenient, it also could provide an easy route to sensitive information for people who shouldn’t have access.
The fix: You need to explain to your employees how this simple method can expose your company.

SMEs need to stop underestimating the eventuality and extent of these threats; it is sadly no longer a question of if organisations need security, but what level. Once SMEs accept this reality, they can move towards ensuring their data is protected and help to eliminate the costly risks to their business.

Jason Howells is EMEA director of Barracuda MSP

Further reading on cyber security

Ben Lobel

Delphine Hintz

Ben Lobel was the editor of SmallBusiness.co.uk from 2010 to 2018. He specialises in writing for start-up and scale-up companies in the areas of finance, marketing and HR.

Related Topics

Cyber Attacks

Leave a comment