How to understand and prepare for cyber security threats to your small business 

It can feel overwhelming when you hear about the latest cyber security attacks on the news, but you might think, “that has nothing to do with me” or “nobody would want to target me”. However, research shows that “both SMBs and large companies are using similar services and infrastructure” which means that the attacks that they face are increasingly similar.  

In contrast to large organizations, SMBs have much less resource that they can give to cyber security and if they do suffer from an attack, they can only tolerate a much lower period where their operations are interrupted. We’ll call this “downtime” [DBIR 2023].  

Therefore, understanding what cyber security threats are out there, which are relevant to you, and what you can do about them is essential for ensuring the success of your business in the digital age.  

What are cyber security threats? 

A cybersecurity, or “cyber”, threat is any activity that seeks to cause damage, steal data, or disrupt digital life as we know it. Cyber threats can lead to loss of money, customers, and even have legal consequences.  

Threats can originate from a variety of different places including criminals, activists, and even foreign governments, but who is responsible is much less important than how the threat happens when it comes to protecting yourself. 

There are many different types of cyber threat and attackers may use several in a single attack, where each one exploits a different gap as part of an overall objective.  

Having solid defences, responding quickly, communicating with customers or employees, and having a plan to get back online are the best ways to reduce the impact of any attack. 

What are some of the most common cyber security threats?  

Although the cyber security industry is constantly changing, the top 3 most common cyber security threats are: 

1. Phishing—fraudulent or fake emails, text messages, or calls that aim to get you to reveal personal information or do something you wouldn’t normally do. 

2. Malware (or “malicious software”)—designed to enable unauthorized access to IT systems. Ransomware is a form of malware that encrypts your essential data, denying you access unless you pay a ransom. 

3. Software vulnerabilities—these are flaws in software that can provide attackers with a route to gain access to your devices and systems. When new software vulnerabilities are discovered, they are often quickly adopted by attackers. 

A typical cyber attack might involve a criminal using phishing to manipulate an employee into clicking on a link on a malicious website. When clicked, the website downloads malware to the employee’s computer, which then exploits a software vulnerability on that computer, and gives the attacker access to every system the computer is connected to.  

It is very hard to spot an attacker once they’re inside your network and systems. That’s why understanding threats and the sequence they normally happen in can really help you prevent them before real damage is done. Disrupting an attack as early as possible by using different layers of defence is the best way to do this. 

What can you do?  

Cyber criminals spend a long time testing their tools and techniques to try and find ways in which they can access a system. A common way to do this it through people and tricking or pressurizing a person to make a small mistake.  

An attacker uses phishing, either via text messaging, email, phonecall, or other methods because it is simple, cheap, and it relies on us as humans to make only 1 small mistake. That is why it’s so effective.  

There are simple measures that can help:  

• Having both a strong and unique password and 2-Factor Authentication enabled are the best defences against phishing and many other threats. If an attacker manages to get hold of your password, they can’t access your accounts without your 2FA device. 
• You can watch our separate video on Phishing to learn more about these attacks as a user.

In addition to having a long and strong password and enabling 2FA on all your business and personal accounts for you and your colleagues, you can protect against malware and software vulnerabilities by:  

• Keeping your software up to date, as this will prevent the vast majority of software vulnerabilities being exploited. The easiest way to do this is to configure the settings so it automatically updates. If you see a software update, don’t delay as this may be a critical patch being released by the company.  

• Keeping your data, especially your business-critical information, backed up in separate locations. Many cloud services can do this for you automatically.  

Understand your business cyber risks  

As no organization can guarantee 100% protection against cyber threats, it is important to understand what specific risks your business faces.  

For example, if you conduct all your business online and have an online shop, you should prioritize protection of this website as your source of revenue and generating new customers. 

As cyber attackers are primarily interested in making money, your online shop, customer transactions, and their data is a likely target for them.  

Alternatively, your business might rely on operational technology for manufacturing purposes. While this technology might not be the target for attackers, it might be hard to patch, or could be impacted as collateral damage in an attack which would have a big impact on your business. In this scenario you would prioritize protecting this technology, perhaps by segregating it from your office systems. 

In all scenarios, acknowledge you cannot protect everything to the same level. Prioritize based on the biggest risks to your business and use measures which give you the biggest bang for your buck, such as 2-Factor Authentication and security training for employees. This will be the most effective way of managing your risks. 

You can watch our short video on risk management here. 

Final thoughts 

In summary, understanding cybersecurity threats is essential to effectively protect your business systems, data, and operations.  Finding the right software that can adjust to new threats as they arise, and keep your data and business safe, will be essential to your peace of mind. 

By planning carefully around your business-critical systems, using strong passwords and 2FA, educating employees on phishing attacks and reporting protocols, and backing up your data, you’ll keep your business running smoothly, and successfully.