Small doesn’t mean safe: why SMEs are a target for fraudsters

Small business owners must not think they have nothing worth hacking
When it comes to cyberattacks, the news is littered with stories of big business beasts falling foul of hacks, from Yahoo to Uber. The average small business owner could be fooled into thinking that their own enterprise simply is not worth hackers’ time; unfortunately, this is not true.
The common misconception that smaller businesses are not worth attacking can result in a more lax attitude to security among small and medium enterprise (SME) leaders. Unfortunately, this attitude is their downfall, as the economies of scale here can still make sense: a thousand SMEs that all struggle to upgrade their operating systems make a juicy target; equally, a million staff members who all use Password123 as their password can make quite the payday for the entrepreneurial hacker.

Defending your business won’t cost the Earth and is often a fairly simple process.
To start, business owners should pinpoint the easiest potential points of access and work from there:
  • Two-factor authentication and asking staff to create strong passwords – by choosing three random words that aren’t easy to guess and ensuring they use a separate password for work accounts – are essential security measures.
  • Phishing and ransomware attacks are common but are not complex, so before clicking a link or opening an attachment in an email, verify that the sender is genuine.
Staying alert
Businesses need to act fast, because the financial ramifications of not doing so are real: with GDPR (General Data Protection Regulation) becoming law on 25 May 2018, businesses could face fines of up to £17m, or 4% of their global turnover – so a serious breach of user data could put a small company out of business. (Note: Companies with over 250 employees must employ a Data Protection Officer (DPO); and GDPR will apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.) That’s before you consider the additional damage a company could face: small businesses that have been hacked faced reputational damage and 30% actually lost clients as a result. Read more about GDPR here.

Ultimately, the reason SMEs get attacked is simple: money.  With economies of scale afforded by widely scattered cyberwarfare, cyberattackers can, and do, make good money from SMEs.

The UK Government’s Cyber Essentials advice is a good place to start identifying the biggest risks to your organisation.  If you consider the risks early, and instil a culture of awareness in your company, you are already one step ahead of the hackers.
