Why Hackers Target SMEs (More Than You Think)
Small-to-medium-sized businesses (SMEs) are the darlings of cyber criminals. Whilst most small business owners may not think hackers target SMEs, the reverse is true.
According to a 2022 report by the National Cyber Security Centre (NCSC) in the UK, SMEs are increasingly being targeted by cybercriminals because they often have weaker security measures in place compared to larger organisations.
The report also found that the number of reported cyber incidents affecting SMEs increased by 46% in 2020 compared to the previous year. The pandemic contributed to this trend, as many SMEs had to rapidly transition to remote work and digital operations to survive, which has left them vulnerable to cyber threats.
The trend has continued since then. A study performed by Vodafone showed that 54% of SMEs in the UK had experienced some form of cyber-attack in 2022 — an 8% increase from 2020.
Considering the significant increase in attacks on work-from-home employees during the COVID-19 pandemic, this statistic is astonishing. And it gets worse.
A Barracuda Networks study found that employees at small companies receive 350% more social engineering attacks than the workforce of larger corporations.
Hackers target SMEs that have shifted to remote working because home networks are even easier to access than business networks. Subsequently, there are more vulnerabilities in the IT systems of small businesses than in larger companies.
Hackers that target SMEs, therefore, have taken advantage of these vulnerabilities, targeting SMEs with phishing emails, ransomware attacks, and other types of cyber-attacks.
Whilst we don’t want to be sensationalist about the risk of getting hacked, it is important for SME business owners to take preventative measures to protect themselves from cyber-attacks. This includes implementing basic security measures such as firewalls, VPNs, and antivirus software, training employees on cybersecurity best practices, and regularly backing up data.
SMEs should also consider working with a qualified and experienced IT security team that can help you to implement a strategy. IT security specialists will be able to assess the vulnerabilities in your business network and develop a cybersecurity strategy that fits your specific needs and budget.
Limited Security Resources
The Vodafone study also revealed that 18% of UK business owners admitted they were not protected with cybersecurity software. And herein lies the main reason why hackers target SMEs.
SMEs are an easy target.
A limited range of security resources makes it easier for threat actors to compromise a device. Once hackers have access to a device, they have a route into your wider business network where they can steal data or engineer a strategy that gives them access to your financial accounts.
Ignoring cybersecurity altogether makes SMEs an easy target for hackers who are looking for vulnerabilities to exploit. But we get it. It’s not always your intention to neglect cybersecurity; it just gets pushed down the list of priorities.
As the cybersecurity firm Kaspersky points out:
“When a small business owner is faced with the responsibilities of production economics, financial reports and marketing all at the same time, cybersecurity can often appear complicated and, at times, unnecessary.”
However, because SMEs spend less on their cybersecurity defences, their systems are outdated and unsupported. This creates a number of problems:
1. Vulnerabilities
Outdated software and hardware are more susceptible to vulnerabilities which can be exploited by hackers. Cybercriminals can use vulnerabilities as gateways to gain unauthorised access to a company’s network and steal sensitive data or install malware. A quick fix is to use cloud-based software and patch management services.
2. Malware
Outdated systems that are supported are less likely to detect and remove malware effectively. Software companies have to consistently update their anti-virus programs to ensure that the shield is able to identify and quarantine the latest malware.
If you’re not using the latest versions of software, you’re not updating your business network with defences that will protect you from hackers. If malware is allowed to spread throughout the network and cause damage or steal data, it will result in financial losses — mostly due to the damage to your reputation (more on that next).
3. Compliance
Regulatory compliance requires companies to install cybersecurity defences that can protect data privacy. In the UK, firms are suffocated by GDPR — a data privacy law which obligates you to notify every one of your connections who is affected by a data breach.
Statistics show that 60% of companies that suffer a data breach go out of business within six months. 82% of the 60% fail because of a cashflow crisis due to a damaged reputation. That’s because you have to inform customers and they lose trust and faith in you.
4. Business disruption
A data breach will result in disruption to your business operations. In most cases, the disruption will be companywide until all devices have been checked and cleared.
If you are subject to a ransomware attack and have backed your data up in the cloud, the disruption to operations could be prolonged for a significant period of time.
To mitigate these risks, it’s important for organizations to regularly update and maintain their cybersecurity systems. This includes implementing patches and updates, investing in new security technologies, and regularly testing and auditing the system for vulnerabilities. It’s also important to have a response plan in place in case of a cybersecurity incident.
Lower Risk of Detection
Hackers target SMEs that do not have as robust monitoring and detection systems in place. It is easier for threat actors to operate undetected for longer periods of time. This is usually because SMEs don’t have a dedicated cybersecurity team or use advanced security software that can constantly monitor their networks for potential threats.
This is why SMEs are turning to managed business IT security teams for help. Experienced IT professionals typically have expertise in the field of cybersecurity and use cutting-edge technologies that identify and mitigate potential security threats.
Subsequently, installing effective cybersecurity defences is much more cost-effective. Hiring a managed IT security team provides you with security measures that meet compliance without the need for a full-time in-house cybersecurity team. This also helps to significantly lower the cost of hiring and training staff.
Managed IT security teams also provide a scalable solution to SMEs, allowing you to easily expand cybersecurity defences as your business grows and your security needs change. Remember that cybersecurity is an ongoing battle because hackers are always evolving their techniques.
To get the lowdown on the techniques threat actors are using in 2023, refer to our earlier article.
Valuable Data
SMEs may not have the financial wealth of multinational corporations stashed away in bank accounts. But you still store data that is valuable to nefarious actors. Customer data, financial records, and intellectual property can all earn hackers a bob or thousands on the dark web.
This means that any business that stores customer data is an attractive target for hackers. Additionally, SMEs do not have the same level of public scrutiny as larger organisations which makes it easier for hackers to operate undetected. The authorities don’t care about the small fish.
Lack of Security Awareness
Verizon’s 2022 Data Breach Investigations Report showed that 82% of data breaches were caused by human error. This means that employees are the biggest threat to your cybersecurity defences. In many cases, they are also the first line of defence.
A favourite tactic hackers use to exploit employees is phishing. It is thought that a phishing attack is sent every 11 seconds. One source has estimated that one in every 323 emails sent to small businesses is malicious.
A lack of security awareness amongst your employees is a significant threat to the continuity of your business. This is because cyber attackers evolve the social engineering tactics they use to target employees. Unless your staff is aware of the risks, they won’t be vigilant enough to prevent a potential data breach.
For example, an attacker may send a spoof phishing email that appears to be from a legitimate source. The email asks the employee to click on a link or download an attachment — but the attachment contains malware.
We have documented how threat actors target c-suite executives and personnel that work in accounts and HR in whaling attacks which you can read here. These types of attacks could involve a phone call or an email requesting a money transfer.
To avoid these types of attacks, you should have security best practices in place that enable you to verify the request is genuine. If employees are not trained to recognize these types of attacks and understand how to respond to them, they may inadvertently provide access to sensitive data or compromise the security of the network.
Third-Party Risks
Third parties represent a cybersecurity risk in several ways. Maybe you are working with third-party vendors such as suppliers and contractors who require some form of access to applications within your business network. These types of individuals are often freelancers — one-man businesses that install the minimum cybersecurity requirements.
When you share data with a third party, you risk losing control over how that data is handled and secured. If a third party gets hacked, it can make it more difficult to prevent data breaches and respond effectively if a breach occurs.
Third-party vendors also increase the attack surface of an organisation’s network. Software consistently creates potential entry points for attackers to exploit.
If a third party has direct access to an organisation’s network or sensitive data — such as a web developer, accountant or analyst — hackers can use them as a backdoor to access your system.
This brings me neatly to my final point.
Small Businesses Are A Stepping Stone
SMEs that have corporate clients can be used as a stepping stone for hackers, either through direct attacks on the SME or by using the SME’s connections to larger companies — see the whaling article mentioned above.
As I’ve outlined above, there are several ways a hacker can breach a small business’s network. And if you have any level of access to a larger company, there is a potential for hackers to aim higher and target a bigger payday.
One of the ways that hackers use a small business as a stepping stone is through social engineering tactics that exploit the trust relationships between SMEs and larger companies.
For example, a hacker may send a phishing email that appears to be from you asking your client to send the password to a website. Once they are inside your website they have access to all your customers’ sensitive data together with your bank details.
Why Work with a Business IT Support Team
As your business grows, your IT network also needs to expand. You need more employees and you need more software. This all makes you more vulnerable to cyber-attacks.
Teaming up with our cybersecurity experts protects your sensitive data from being stolen and ensures your employees are properly informed of potential threats.
Our IT security professionals in London have specialised knowledge and expertise and provide proactive maintenance and monitoring of your IT systems to ensure that they are running smoothly and efficiently.
Our customised IT packages are designed to prevent downtime and reduce the risk of cybersecurity breaches. They include implementing an effective cybersecurity strategy that meets your cybersecurity requirements and budget.
Outsourcing your business IT support to cybersecurity specialists is usually a cost-effective solution for SMEs. We cost less than hiring full-time IT staff.
To find out what we can do for you, give us a call and speak with one of our knowledge consultants. We can advise you on planning, proactive prevention, continual awareness of the latest cybersecurity threats and the ongoing management of your IT security systems.
Before you leave, one more thing. Cybersecurity doesn’t have to be expensive.