In the past couple of years, we’ve seen a surge of cyber incidents hitting the headlines, particularly supply chain and ransomware attacks.
Cyber security is gradually becoming a bigger priority for executives, but small businesses are still holding onto many falsehoods that could be putting them at risk.
Understanding the key threats that smaller companies face and the actions that can be taken to reduce risk is more important than ever, with 60% going out of business within 6 months of a cyber attack.
Let’s explore some of the commonly held beliefs that small businesses often have and why it’s so detrimental to buy into them.
Small businesses don’t get attacked
Of course, this is the first and most crucial misconception to challenge.
Small and medium-sized enterprises have long believed that they would never be a target for hackers, and it is not hard to imagine why.
The news stories we see about cyber attacks tend to focus their attention on major corporations and rarely on a small business being hit. It seems as though cyber crime is reserved for the big industry players because small businesses just don’t offer the value to be worth a hacker’s time.
But this is very often not the case.
In fact, 46% of cyber attacks involve small businesses. They can be a very useful target for a bad actor, not only for their own data but as an entry point into their supply chain.
Nowadays, businesses large and small could not survive without suppliers to help deliver their goods and services and these supply chains have become complex webs of company networks, with data flowing between them.
A small business may be supplying to a much larger enterprise, allowing a hacker to access a greater wealth of data and assets higher up the supply chain, so it's no surprise supply chain attacks are on the rise, even tripling in frequency in 2021.
Cybercriminals can actually rely on this small business mentality of being safe from cyber attacks, because it tends to mean weaker defences against a breach. Essentially, the small business becomes a soft target, offering hackers a much greater chance of success with an attempted attack.
This is why it’s crucial that small businesses recognise their worth and invest in their cyber security, at a minimum ensuring they have the fundamentals in place.
My employees know how to spot a phishing email
Phishing is a very common threat vector, used in 36% of all cyber attacks in 2021, so it is definitely important that employees know the signs of a phish.
These emails can indeed be extremely obvious and, assuming they’re not picked up by your spam filters first, are often avoidable. But long gone are the days of Nigerian Princes asking for money.
While there will always be poorly crafted phishing emails that are easy to spot, phishing has evolved massively over time and grown in sophistication.
One of the most popular techniques used by phishing attackers is email spoofing, where a sender will try to convince the recipient that the email is coming from an individual or organisation that the person will know, and therefore trust.
At a glance, you might believe you’re being contacted by a friend or perhaps a company you have purchased from, and be swayed to click on a malicious link.
Business Email Compromise is of particular concern to organisations, with 77% experiencing an attack of this sort in 2021. Usually aimed at tricking senior executives into transferring funds, these attacks are designed for specific individuals, which makes them much harder to spot than mass phishing campaigns.
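The spoofing and BEC tricks described above (a familiar name or address in the display name, a lookalike sending domain, a Reply-To pointing somewhere else, and no mail authentication verdict) can be checked mechanically before a message reaches a person. The following is an added illustration written for this article, not code from the original post; the trusted domain, the sample messages and the header contents are all constructed, and the simple homoglyph folding is a deliberately small heuristic rather than a complete lookalike-domain detector.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed: the domain this hypothetical small business legitimately sends mail from.
TRUSTED_DOMAINS = {"example-smb.com"}

# Common digit-for-letter substitutions seen in lookalike domains (heuristic, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold_lookalike(domain: str) -> str:
    """Normalise a domain so that 'examp1e-smb.com' compares equal to 'example-smb.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def parse_auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header, if present."""
    verdicts = {}
    header = str(msg.get("Authentication-Results", ""))
    for part in header.split(";"):
        part = part.strip()
        for method in ("spf", "dkim", "dmarc"):
            if part.startswith(method + "="):
                verdicts[method] = part[len(method) + 1:].split()[0]
    return verdicts


def assess_message(raw: str) -> list:
    """Return a sorted list of spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = set()

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower() if reply else ""

    # 1. Display name mentions a trusted domain, but the actual address is elsewhere.
    if from_domain not in TRUSTED_DOMAINS and any(t in display.lower() for t in TRUSTED_DOMAINS):
        findings.add("display-name-spoof")

    # 2. Sending domain is a near-miss of a trusted domain.
    folded_trusted = {fold_lookalike(t) for t in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and fold_lookalike(from_domain) in folded_trusted:
        findings.add("lookalike-domain")

    # 3. Replies would go to a different domain than the one the mail claims to come from.
    if reply_domain and reply_domain != from_domain:
        findings.add("reply-to-mismatch")

    # 4. No authentication verdict at all, or an explicit DMARC failure.
    auth = parse_auth_results(msg)
    if not auth:
        findings.add("no-auth-results")
    elif auth.get("dmarc") == "fail":
        findings.add("dmarc-fail")

    return sorted(findings)


# Constructed sample messages (headers only matter for this check).
LEGIT = (
    "From: Alice <alice@example-smb.com>\n"
    "Authentication-Results: mx.example-smb.com; spf=pass smtp.mailfrom=example-smb.com; "
    "dkim=pass header.d=example-smb.com; dmarc=pass header.from=example-smb.com\n"
    "Subject: Minutes\n\nAttached.\n"
)

BEC_DISPLAY_NAME = (
    'From: "Bob Smith (CEO) bob@example-smb.com" <bob.smith.ceo@freemail-example.net>\n'
    "Reply-To: bob.smith.ceo@freemail-example.net\n"
    "Authentication-Results: mx.example-smb.com; spf=pass smtp.mailfrom=freemail-example.net; "
    "dmarc=pass header.from=freemail-example.net\n"
    "Subject: Urgent transfer\n\nPlease action today.\n"
)

LOOKALIKE = (
    "From: Finance <finance@examp1e-smb.com>\n"
    "Reply-To: payments@other-example.org\n"
    "Subject: Updated bank details\n\nSee attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("bec", BEC_DISPLAY_NAME), ("lookalike", LOOKALIKE)):
        print(name, assess_message(raw))
```

Note that the BEC sample passes SPF and DMARC: the attacker's own freemail domain authenticates perfectly well, which is exactly why authentication results alone are not enough and the display-name check matters.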
Rather than assume employees will know what to do with every phishing email, businesses should offer regular training and provide a company policy that addresses how phishing attempts should be reported and dealt with.
It can also be helpful to test your workforce with simulated phishing emails and track opens and clicked links to monitor cyber security awareness.
It’s also worth remembering that phishing is not responsible for all cyber incidents, it is just one of many threat vectors that you have to be prepared for, so businesses need to make sure they’re implementing measures that will help prevent all kinds of attacks.
IT handles all my cyber security - it’s their responsibility
If you don’t spend your days immersed in cyber security, it can be easy to assume it’s just something that IT takes care of - it’s all to do with computers after all. But whether you have an internal IT team or external support, their job is significantly different to that of a cyber security expert.
An IT professional is tasked with facilitating business operations with technology, making sure everything is running properly so employees can complete their tasks. They may do some work on the security side, such as data protection in the broader sense, but this is really where the cyber security experts should come in.
Cyber security professionals are concerned with protecting your data and assets against cyber threats which involves consistently monitoring for vulnerabilities and new threats that might put your company at risk.
Having a professional that specialises in cyber security on your IT team or investing in external cyber security support will help to keep things both functional and secure in your work environment.
Your IT team will have many other priorities meaning the company’s cyber security may not be getting the attention it should, and you may miss the chance to prevent a breach.
We only need to protect against external threats
So you’ve come round to the idea that your small business needs better protection against cyber threats but your cyber security measures are all targeted towards whatever’s outside your organisation.
Unfortunately, this approach neglects one important type of threat - the insider threat.
In cyber security terms, an insider threat is one that originates within your organisation. Businesses tend to think of cyber risk as something external, but often the risks can be right under your nose.
Whether out of malice or negligence, individuals that have a direct association with your business can pose a threat and with insider attacks growing more frequent (between 2018 and 2020, attacks increased by 47%) it’s a threat vector businesses need to take seriously.
Insider threats might involve current employees misusing data, installing unauthorised applications or even falling victim to a phishing email, but they may not be individuals directly working for your business.
Anyone with access to your corporate data, be that third party vendors, partners or ex-employees could pose a threat if access privileges are not handled correctly and security requirements met. It’s a good idea for any business to conduct regular risk assessments, and implement good training and security controls (both physical and online).
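The point about ex-employees, vendors and partners retaining access is one a regular review can catch. The following access-review script is an added example for this article, not code from the original post; the account records, the review date and the 90-day dormancy threshold are all constructed assumptions, and in practice the records would come from your directory or identity provider rather than being typed in.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed assumptions for the review.
REVIEW_DATE = date(2022, 6, 1)
DORMANT_DAYS = 90


@dataclass
class Account:
    username: str
    owner_type: str            # "employee", "contractor" or "vendor"
    relationship_active: bool  # False once the person has left or the contract has ended
    enabled: bool              # whether the account can still log in
    is_admin: bool
    last_login: Optional[date]


def review_accounts(accounts: List[Account], today: date = REVIEW_DATE) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for accounts that need attention.

    Checks, in order:
      - an enabled account whose owner no longer has a relationship with the business
      - an enabled admin account belonging to a third party (contractor or vendor)
      - an enabled account that has never logged in, or not within DORMANT_DAYS
    """
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are not an immediate access risk
        if not a.relationship_active:
            findings.append((a.username, "enabled-after-leaving"))
        if a.is_admin and a.owner_type != "employee":
            findings.append((a.username, "third-party-admin"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.username, "dormant"))
    return findings


# Constructed sample directory export.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, True, True, REVIEW_DATE - timedelta(days=3)),
    Account("bob", "employee", False, True, False, REVIEW_DATE - timedelta(days=120)),
    Account("vendor-backup", "vendor", True, True, True, REVIEW_DATE - timedelta(days=10)),
    Account("carol", "contractor", True, True, False, None),
    Account("dave", "employee", False, False, False, REVIEW_DATE - timedelta(days=400)),
]

if __name__ == "__main__":
    for username, issue in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{username}: {issue}")
```

Each finding maps to a concrete action (disable the account, remove the admin role, or confirm with the owner that the access is still needed), which is what turns a risk assessment into a least-privilege control.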
If we do get attacked, we’ll know immediately
Getting hacked is of course never a desirable experience but at least if you know about it quickly, you can suppress the damage and move on.
Sometimes it is obvious when your business experiences a cyber incident, and there are some good tell-tale signs to watch out for. For example, unexpected changes to files, suspicious financial activity (financial motivation being the number one driver for hackers) or security settings that have been tampered with.
However, it shouldn’t be assumed that you’ll always know as soon as you’ve been attacked. In fact, it can often be in a hacker’s best interest to stay hidden because the longer they remain unnoticed, the more chance they have to gather data and do greater damage to your organisation.
The malware involved in the major attack on SolarWinds in 2020 had actually already been present on the systems for about 14 months before it was discovered, with the attackers using a series of clever tactics to mask their steps.
Reports have estimated in the past that the average time between a hacker gaining access and the attack being discovered is around 95 days, so it’s clear that businesses should always seek to improve their cyber security measures to prevent and detect threats, no matter how good their incident response strategy may be.
The first step is awareness
As attacks on small businesses continue to rise, challenging these common misconceptions around cyber security and improving awareness is a critical first step to allow for improvements to be made.
After all, if you’re not fully aware of the threat and the impact it could have on your business, you’re not going to be able to protect it effectively.
Although business budgets may be tight, the financial impact of a cyber attack far outweighs the cost of investing in strong security foundations, and simply taking your chances is not an advisable risk for any business to take.