SMEs must prepare for the next cyber attack

According to the Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2022, 39% of businesses and 26% of charities report having security breaches or attacks in the last 12 months.

There are many examples of global companies that have suffered cyber attacks. In 2020, the ICO issued its first fine under the new GDPR, slapping British Airways with a £20m fine for a data breach that affected more than 400,000 of its customers. Yahoo, one of the more infamous victims of cyber attacks, has been hacked three times. This is despite both companies’ extensive resources. 

Naturally, it becomes even more challenging for SMEs to compete and maintain the same standard of caution. Hiscox estimated in 2018 that while most attempts fail, a small business in the UK is successfully hacked every 19 seconds. This represents a monumental problem. And cyber attackers have only become even more sophisticated as they hunt the most vulnerable and lucrative prey.

The Covid-19 effect

It’s not an exaggeration to say that COVID-19 radically transformed the world of work. Most UK businesses were forced to adopt remote working for the first time, and a large majority have decided to stick with it, on either a permanent or hybrid basis.

This move has brought with it heightened cybersecurity risks. For one, there are behavioural challenges: away from senior eyes, employees may believe they can get away with riskier behaviour, such as sharing confidential files via email instead of more secure channels. In addition, the likelihood of working on insecure personal devices and/or networks increases massively when working from home.

Secondly, some organisations were forced to adapt their business quickly. Their target customers – both B2B (businesses) and B2C (consumers) – became solely “digital-purchasers” overnight. As a result, organisations had to pivot their operations to provide more goods and services online, raising e-commerce’s share of global retail trade from 14% in 2019 to about 17% in 2020. 

However, the growth of online activity also increases the potential for cyberattacks. Hackers took advantage of the treasure trove of new personal data being fed into eCommerce sites: email addresses from customers’ sign-ups, card details during purchasing, addresses for delivery, and even passwords for log-ins or dates of birth for age validation. This data means eCommerce sites have an even larger target on their backs.

No small phish to fry: The consequences of a breach

The consequences of a successful attack can be high indeed. The EU’s General Data Protection Regulation allows EU authorities to impose fines of up to 4% of a company’s annual global turnover or €20 million, whichever is higher. The severity of this regulation is matched by the scale of the problem. When a company loses a customer’s data in a cyber attack, that data is sold online to criminals who intend to use it for profit.

In one case examined by Deloitte, attackers took advantage of a retailer’s poor wireless network security to intercept credit card information and breach the company’s unencrypted customer database. In this case, the cybercriminals used various attack techniques until they found one that worked, then waited inside the network until they could intercept the data they needed to get into the company’s database. The affected company suffered a significant reputation loss and had to deal with sales losses, fines, and a settlement. 

Despite this, according to CyberSmart, 32% of UK SMEs still don’t have any form of cybersecurity program at all (whether in-house or outsourced), and exactly half of SME managers said they did not have a formal cyber-incident response plan. 

A constant game of cat and mouse: What should we do about it?

Stay up to date: Cybersecurity requires a serious reality check. If an organisation wants to access your information, they will. It’s a matter of when, not if. The key is to be proactive. Don’t think it won’t happen to you.

If your eCommerce site is taken offline, you’re certain to take several hits: lost sales, brand damage, and the cost of restoring it. It’s worth the investment to update your website regularly, patching the site itself, its plugins, and the CMS. It can be tempting to push back updates because of the cost of upgrades, especially if no additional features or functionality were added. However, it is absolutely critical that businesses apply system updates as soon as they are released. Once a vulnerability or exploit is announced in a particular piece of software, it’s only a matter of time before hackers exploit it. In the case of British Airways, the cyber attack on their systems wasn’t detected for 2 months, so any delay in identifying risks simply adds to the potentially devastating impact of a data breach and the resulting regulatory rulings.

You can protect yourself by ensuring the software you are using is secure and supported by a vendor. If you use software that doesn’t let you reach out to the developer and ask for an update to an element that isn’t quite right, be it a security vulnerability or otherwise, you’re leaving the front door wide open for an attack now or in the future. Backups are also essential so that the site can be quickly restored if something goes wrong, and these must be air-gapped or otherwise inaccessible to malicious actors.

Get certified: Cyber Essentials, a set of technical and administrative controls that ensure your business can mitigate the vast majority of threats, is one example of a government-led scheme that can be helpful to safeguard your organisation and prevent the majority of threats from becoming real. The scheme assesses five key criteria to ensure you know how to begin protecting yourself. Research from Lancaster University found that simply being certified can help reduce a business’s cyber risk by up to 98.5%. 

Don’t compromise on training: After all, insider threats such as administrative errors can pose just as much of a challenge. It’s not just about protecting your confidential information from malicious outsiders. For example, phishing emails – the most commonly used threat vector for successful attacks last year – have become more convincing. Perhaps an employee sets a weaker password or writes it down somewhere accessible. Here is where driving cybersecurity requires a cultural shift. It is imperative that every employee at your business receives security awareness training and is well informed of the types of threats that are out there. In addition, a dedicated Chief Information Security Officer should be appointed, whether it’s you as the company’s leader or a part-time position; that person must be properly trained and empowered to fulfil the role.

Ultimately, leave nothing to chance. Always expect an attack to happen, as cybercriminals are constantly looking for that open entryway. SMEs cannot afford to leave the door open. One negative experience can damage your customer relationships, reputation and overall business health. In this constant game of cat and mouse, we all need to be on our guard. 

Andrew Armitage

Andrew Armitage is the founder and owner of A Digital, a digital agency based in the north west of England. He's a podcast host and the author of Amazon best seller Holistic Website Planning: Positioning your Website at the centre of your Digital Transformation. Working with clients including the NHS, Hawkshead Relish, Windermere Lake Cruises, and most recently James Cropper plc, he has grown A Digital from a spare bedroom into a thriving team.
