Cyber Security In Small Business

- By -

Robert Wilson

Gone are the days of threat actors solely targeting large businesses and governments for malicious gain. With large security teams and layers of defence continuously combatting hackers, their attention has for some time turned to easier targets, which often hold valuable assets that can be captured with minimal effort. The consequences of a cyber attack on a small business can be fatal, depending on the information accessed, the financial impact or the operational downtime resulting from the attack.

Often, small businesses overlook the need for cyber security, or the risk that exists to them. Common themes seem to be:

“Our IT supplier covers that”: It is unfair to assume that the organisation providing you with hardware, software or access to the internet bears any responsibility for keeping its clients safe against an attack. While they may have perimeter security embedded into some services, such as firewalls and antivirus, they are largely powerless against a threat actor proactively looking to evade these defences. They are your IT partner, not your security partner.

“We have cyber insurance”: You have property insurance, but if you leave your home in the morning with all the windows and doors open, the policy is worthless in protecting you. The same applies to cyber insurance: if you aren’t taking the necessary action to safeguard your digital environment, a cyber insurance policy is meaningless. Brokers in this field are becoming increasingly vigilant about policy mandates, and a growing number of organisations are failing to secure cover because they lack the policies and activity needed to demonstrate resilience against attacks.

“We are too small to be attacked”: Threat actors come in a range of different guises. If you hold IP or data of value, the hacker will have no issue accessing and encrypting this data and demanding payment in order for you to get back “online”. Even then there is no guarantee they don’t still have access and won’t do the same again at an opportune time.

What are the main cyber threats to a small business?

Phishing Attacks: Sending deceptive emails or creating fake websites to deceive employees and gain unauthorised access to company systems.

Ransomware: Ransomware encrypts a business’s data, rendering it inaccessible until a ransom is paid. Small businesses are attractive targets because they often lack robust backup systems and may be more likely to pay the ransom to regain access to their data.

Insider Threats: Employees or contractors with access to sensitive data may intentionally or accidentally compromise data security by stealing or leaking information, or by falling victim to social engineering tactics.

Weak Passwords and Lack of Authentication: Weak or easily guessable passwords, along with insufficient authentication processes, make it easier for hackers to gain unauthorised access to small business systems. Attackers can use brute force techniques or exploit password reuse across different platforms.

Social Engineering: Social engineering attacks involve manipulating individuals to gain unauthorised access to sensitive information. This can include tactics such as impersonation, pretexting, or baiting, where employees are tricked into revealing passwords, providing access to secure areas, or executing malicious actions.

Unpatched Software and Systems: Small businesses often struggle to keep their software and systems up to date with the latest security patches and updates. This creates vulnerabilities that attackers can exploit to gain unauthorised access or launch malware attacks.

What should small businesses do to protect themselves against an attack?

While cyber should never be the highest priority of an SME, there are fast, simple, low-maintenance, cost-effective measures that leaders of these businesses should apply to make them a harder target for threat actors.

Use Strong Passwords and Multi-Factor Authentication (MFA): Encourage employees to create strong passwords that are unique for each account. Implement MFA whenever possible, which adds an extra layer of security by requiring additional authentication factors like a fingerprint or a unique code sent to a mobile device.

Keep Software Up to Date: Regularly update operating systems, software applications, and firmware to protect against known vulnerabilities. Enable automatic updates whenever possible to ensure timely patching of security flaws.

Backup Data Regularly: Implement a reliable backup solution to create regular copies of important business data. Store backups in a secure location, separate from the network, to mitigate the impact of data loss in case of a ransomware attack or other incidents.

Get Tested!: If you want to answer the simple questions of “How susceptible am I to an attack? And what damage would be done if I was attacked today?”, it is advisable to get a pen test from an accredited professional. Gone are the days when you needed to spend thousands and wait weeks for this answer; there are excellent services which now provide it in a matter of days for a moderate investment.

Implement Security Policies: Develop and enforce comprehensive security policies and procedures that cover areas such as acceptable use of company resources, password management, remote work, and incident response. Make sure employees are aware of and adhere to these policies.

Consider Zero Trust: If suspicious activities are taking place within your environment, as a business owner you don’t want to know what they are; you just want assurance that they are being prevented at source. There is now a range of technologies that block unknown actions at source, enabling business continuity without continued investigation into unknowns.

These are just a sample of considerations or activities. Every business will have varying concerns. If you’re unsure where to start, then contact Amicis to understand how we already help hundreds of SMEs like yours at
