How can SMEs protect their businesses from cyber attacks?

In 2018, 43% of UK businesses and 19% of charities reported a cyber security breach. It’s thought that cyber attacks cost UK businesses £34 billion in 2018, and this is expected to grow in 2019. 

As technology evolves, businesses adopt it and build it into their everyday work. As that adoption takes place, cyber-crime grows and malware proliferates, with each strain becoming more sophisticated. In Q3 of 2016, it was reported that four new strains of malware were identified every second, and this growth isn’t expected to slow down any time soon. 

It’s crucial to remember that cybercrime doesn’t discriminate. In 2018, 43% of cyber attacks targeted small businesses, and 60% of SMEs went out of business in the first six months after experiencing a cyber attack. CEOs, business owners, IT managers and MDs need to take a ‘prevention rather than cure’ approach when it comes to cybercrime and put procedures in place to protect their business. 

Understand trends and types of cybercrime

To be prepared for a cyber attack, you need to understand the emerging trends and types of cybercrime threatening your business. When you understand the potential risks, you are then able to identify any vulnerabilities leaving your business at risk. Here are some of the most common methods. 

Phishing

76% of businesses reported being a victim of a phishing attack in 2018. Hackers collect sensitive data such as credit card information and passwords by impersonating a legitimate person or organisation. In most cases, unsuspecting employees click on infected links in emails. 

Malware

Short for malicious software, malware is any form of software that’s been deliberately created to harm the data and software within a server, computer or network. Malware is often attached to phishing emails, downloads, texts and much more.

Hacking

Hacking occurs when cyber-criminals obtain unauthorised access to your computers or email accounts and can manipulate the information or data within. 

Keylogging

Keylogging software records keystrokes and often takes screenshots, capturing sensitive information such as passwords as they are typed. This type of attack isn’t always detected by anti-virus software.

Educate your employees 

90% of cyber-attacks are down to human error, which means that a business’ employees are the weakest link. When a company doesn’t adopt a security-focused workplace culture and educate its employees on the risks, human error will have a serious impact on the workplace. 

For example, on 4th May 2017, phishers sent out fraudulent Google Docs email invitations that stopped 3 million people from working across the globe. The email was disguised as a Google Docs invitation asking recipients to edit the document in question. Once opened, the ‘invitation’ turned out to be a third-party app that gave the criminals access to people’s Google Mail accounts.  

SMEs need to make sure they’re giving their staff sufficient training and setting a precedent from the top down. CEOs, MDs, IT managers and business owners need to lead by example, as this creates a vigilant, cyber-aware workplace culture that will benefit the whole organisation. Have a clear policy in regards to the use of personal devices on the company’s network and highlight the dangers. From signing up to workshops to getting your employees to go on training courses and explaining the risks, education is crucial if you want to protect your business from cyber attacks. 

Adopt a password strategy 

Whether through ‘dictionary’ attacks, trying every possible character combination, or obtaining a hashed list of username and password combinations, many data breaches and attacks take place when passwords are accessed, and in most cases the passwords are incredibly simple. In April 2019 the National Cyber Security Centre (NCSC) published a list of the top 100,000 ‘black-listed’ passwords that have been involved in a data breach. Once again, if you don’t instil a cyber-aware workplace culture, your business will be open to a cyber attack.

This is why you need to adopt an effective password strategy where your employees have to change their passwords every four to six weeks. These passwords should also include a range of letters, numbers, symbols and capitals. While this may induce a few eye-rolls and take some time for people to become accustomed to, it will be worth it. While password changes don’t stop attacks, they can slow them down and in some instances discourage the hacker. Alongside this, you should have a procedure in place for temporary workers, contractors and new hires so that the need for password sharing is reduced or removed. 
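As an added illustration (not code from the article or from Nasstar), the check below shows what a password policy built on the NCSC blocklist idea looks like in practice: a new password is rejected if it, or its stem with trailing digits and symbols stripped and common letter substitutions undone, appears on a breached-password list, and it must contain the mix of letters, capitals, numbers and symbols the article describes. The blocklist here is a tiny constructed sample standing in for the real NCSC list, and the 12-character minimum is an assumption, not a figure from the article.

```python
import re
import unicodedata

# Constructed sample standing in for the NCSC list of breached passwords.
# In a real deployment, load the full list from a file, one password per line.
BREACHED_PASSWORDS = {
    "123456", "password", "qwerty", "liverpool", "letmein", "welcome1",
}

# Common substitutions attackers already try ('P@ssw0rd' is still 'password').
LEET_SWAPS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def candidates(password: str) -> set:
    """Variants of the password to look up on the blocklist: as typed (lower-cased),
    with trailing digits/symbols stripped, and with letter substitutions undone."""
    base = unicodedata.normalize("NFKC", password).lower()
    stripped = re.sub(r"[^a-z]+$", "", base)   # 'liverpool2019!' -> 'liverpool'
    return {base, stripped, base.translate(LEET_SWAPS), stripped.translate(LEET_SWAPS)}


def is_blocklisted(password: str, blocklist=BREACHED_PASSWORDS) -> bool:
    """True if any variant of the password appears on the breach list."""
    return any(c in blocklist for c in candidates(password))


def check_password(password: str, blocklist=BREACHED_PASSWORDS) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < 12:                       # assumed minimum length
        failures.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no capital letter")
    if not re.search(r"\d", password):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if is_blocklisted(password, blocklist):
        failures.append("appears on the breached-password blocklist")
    return failures
```

Note that ‘Liverpool2019!’ satisfies every character-class rule yet is still rejected, which is why a blocklist check matters more than complexity rules alone.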

Implementing a patch management strategy

When your business’ software isn’t updated, known vulnerabilities are left open to a wide range of threats. In May 2017, the NHS fell victim to one of the biggest phishing attacks in history. The malware, named WannaCry, exploited a weakness in Microsoft Windows XP and Windows 7 and infiltrated more than 200,000 computers. This attack cost the NHS more than £92 million and could have been prevented had the available patches been installed.

Your patch management strategy should include: 

  • Using a Firewall for your internet connection
  • Installing, using and regularly updating anti-malware, anti-virus, and anti-spyware software on every device 
  • Immediately loading and installing software updates as they become available
  • Ensuring there are secure Wi-Fi connections within the workplace
  • Continuous monitoring of your systems to detect potential problems

Under GDPR, SMEs must have a protocol in place so that they can identify and patch any vulnerabilities. If they aren’t doing this, they face crippling fines and harsh discipline from the ICO. Nick Houldon, Head of Technology Policy at the ICO, has stated: 

Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.

Patch management is a critical requirement for any SME relying on software or networks to run its business. When you implement patch management, you’re being proactive by plugging vulnerabilities and holes in your software, keeping your infrastructure safe and secure against new threats.

It’s time for SMEs to put cybersecurity at the top of their list, and start taking it seriously. Cybercriminals do not discriminate, and it would be foolish to assume that small businesses are not at risk. By taking the necessary steps, you’ll be keeping your business and employees safe, while limiting the dangers your business faces.

About the Author

Stephen Peak is Head of Continual Service Improvement at Nasstar. He is an ITIL v3 Expert qualified IT Service Management and Information Security professional with over 15 years’ experience in the IT and Cloud Service Provider industry, with considerable experience and success in the design, implementation, integration and operation of business processes and functions, incorporating ITIL and information security best-practice techniques to satisfy a range of corporate targets and objectives. 

Featured image: ©pinkeyes