SMEs and Cyber Attacks

What you need to know

"A cyber-attack is a deliberate exploitation of computer systems, technology dependent enterprises and networks. Cyber-attacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft."

Targets for cyber-attacks

The number of cyber-attacks on businesses increased 40% in 2014 and this trend is set to continue.

As businesses migrate their data to the cloud, financial data, customer details, and other sensitive information have become targets for cyber criminals.

Attacks can hinder a business’s productivity, harm their reputation, cause them to lose their competitive advantage and impact their revenue.

Examples of recent cyber-attacks on business

United Airlines and American Airlines

In January 2015, nearly 10,000 frequent flyer accounts were possibly compromised when criminals used stolen usernames and passwords to access the accounts, book trips and redeem flight upgrades.

Paddy Power

The bookmaker revealed in 2014 that a large-scale data breach in 2010 resulted in the theft of personal details of nearly 650,000 customers.

Staples confirmed that 1.16 million payment cards from their US stores were compromised by malware accessing transaction data between April and September 2014.

Why are SMEs targets for

It's not just large businesses who are susceptible to attacks; 60% of targeted attacks in 2014 struck SMEs.

But what makes them targets of cyber-attacks?

Poor security and a lack of awareness and training can leave SMEs ill-prepared for attacks, making them "easy pickings" for cyber criminals.

SMEs can underestimate the threat of cyber attacks and often don't believe they're at risk:

of SMEs did not prioritise improvement to online security for future business growth in 2014.

say they're not targets for attacks as they don't have anything worth stealing.

believe they won't suffer any lost revenue from a day's worth of downtime from an attack.

SMEs lack the resources or knowledge to defend against an attack:

don't have a plan of action for responding to IT security breaches.

of SMEs think that cyber security is too expensive to implement.

admit they "don't know where to start".

How Attacks Happen

Vulnerabilities occur as:

  • Flaws in the system which act as passageways for attackers to enter. Nearly 8,000 software vulnerabilities were found in 2014.
  • Exploitation of legitimate functionality by attackers. Attackers commonly use JavaScript, a programming language widely used by websites, to pass malicious code to users' browsers, divert them to compromised pages and covertly download malware.
  • User errors where the computer or IT system is accidentally exposed to attackers. Weak and common passwords often allow attackers to infiltrate systems easily without the need for more technical attack methods.

Various tactics are used to exploit these vulnerabilities:

Phishing

Dupes users into opening an infected email attachment and injects malware to the computer system. Malware is software designed to damage or disrupt a system and can come in the form of a virus or Trojan horse.

of SMEs were targeted by spear phishing campaigns in 2014 compared to 30% in 2013.

Water-holing

Compromises legitimate websites by injecting malicious code, which is delivered to visitors when they download the infected software from the site.

were infected by viruses or malicious software.

Ransomware

Extorts victims for money or information in exchange for the decryption of data and removal of malicious software.

increase in ransomware reviewed by Intel Security compared with 2013, for a total of 250,000.

Botnet or Denial-of-Service Attack

Attempts to flood a network to disrupt the service and prevent users from accessing it.

of SMEs have suffered a DDoS (Distributed Denial of Service) attack.

What's at risk?

SMEs tend to store confidential information such as client lists, customer databases or financial details which are highly prized assets for criminals.

Cyber criminals make money through identity theft, sale of stolen information, holding data to ransom or stealing funds from bank accounts.

Attackers can sell data, such as pricing information, product designs or manufacturing processes to competitors, which may give them a market advantage.

Cyber-attacks are highly lucrative, with profits easily made on the black market by selling stolen goods.

Symantec estimated the cost of stolen information on the black market in 2014:

credit card

Ready-made toolkits for attacks are also available for budding criminals with little technical knowledge required to run attacks on their own:

  • 1 million verified email spam mail-outs
  • Custom malware
  • Drive-by download web toolkit (1-week rental)
  • Online banking malware

An attack can damage a business's financial health due to stolen money, and the recovery process which can be lengthy and costly. It's estimated that cyber-crimes cost SMEs around £800 million per year.

SMEs lost an average of £3,500 - £7,000 in 2014 (an increase from £300 - £600 in 2013).

£5,000 - £10,000 worth of assets were lost in 2014 (an increase from £150 - £450 in 2013).

Attacks resulting in a data breach and exposure of customers’ confidential information negatively impact customers’ view of the business:

Reputational damage is estimated to cost SMEs £1,600 - £8,000.

In addition to the time required to repair and recover from the attack, some businesses found they've lost their competitive advantage due to the loss of commercially sensitive information.

9% of SMEs suffered from intellectual property theft

14% suffered from loss or leakage of confidential information

Criminals may steal your employees' or customers' personal details, and because it is your responsibility to safeguard this data, such a theft can constitute a breach of the Data Protection Act (DPA).

This could result in compensation to individuals who suffered damage from the breach, or severe penalties from the ICO (Information Commissioner's Office), which can fine you up to £500,000.

The DPA requires that businesses take "appropriate technical and organisational measures" to prevent unlawful use, theft, destruction or loss of personal data. If your company fails to do so, you could be liable.

An insurance company was penalised by the ICO when attackers accessed customer records in February 2015.

The attackers accessed 100,000 live credit card details and customers' medical details.

More than 5,000 customers had their credit cards used by fraudsters after the attack.

The fine amounted to £175,000.

Managing the Risks

Surprisingly, 95% of all security incidents involved human error, and employees pose the biggest vulnerability to the IT system.

Vulnerabilities caused by human error include:

  • Using "unpatched" applications where software updates containing fixes or patches are not installed.
  • Using easy-to-guess passwords or default passwords.
  • Opening an infected attachment or unsafe URL.
  • Falling victim to social engineering scams (such as phishing).
  • BYOD (Bring Your Own Device) comes with risks if employee-owned devices are infected, which can spread malware to the company's IT system.

Although most human-related security incidents are caused accidentally, disgruntled or dishonest employees can also be a risk.

Educating employees on how to protect sensitive data using security best-practices is crucial to safeguarding your business.

It’s recommended that you consult a network security specialist to give a thorough assessment on protecting your company. Here are some steps you can take right now:

Encourage employees to use strong passwords, refrain from using the same password for multiple logins and change passwords every 90 days.

Always install the latest security updates for software and web applications which will close known vulnerabilities.

Encrypt sensitive data such as employee details and financial accounts.

Update your anti-virus software and firewall as soon as a new version is released to ensure they’re effective against new forms of viruses or malware.

Protect mail servers with security software that scans emails and attachments to reduce the likelihood of falling victim to phishing scams.

Create "whitelists" that control all traffic through the network by granting access only to certain IP and e-mail addresses, to prevent employees from visiting compromised sites or receiving malicious email.

Ideally, administrative accounts should not be granted access to email or the internet, to prevent attackers entering the system through these channels. If an administrative user does need internet access, implement two-factor authentication for that account.

  • Cyber Essentials is a scheme backed and supported by the UK Government and industries to help protect businesses of all sizes against common cyber threats.
  • Businesses can also attain a Cyber Essentials badge to advertise the fact that they are following government-endorsed standards for cyber security. To obtain the badge, businesses can carry out a self-assessment to see if they meet the requirements - or they can be independently assessed by accrediting bodies.
  • The scheme outlines 5 main procedures that should be implemented for basic protection against cyber-attacks.

  • Boundary firewalls and internet gateways
  • Access control
  • Patch management
  • Secure configuration
  • Malware protection

In the event of an attack

Unfortunately cyber-attacks may succeed despite taking preventative measures.

Having a plan in place in the event of a successful attack can limit the damage, and safeguarding data should be a priority, especially if that data is crucial to the running of your business:

4 in 10 SMEs say they would struggle to recover from data loss.

1 in 4 SMEs admit they wouldn't be able to recover any data.

Logging and monitoring for suspicious activity can alert you as soon as a breach happens, giving you a chance to respond quickly and limit the potential damage. This can be done in-house or outsourced to specialists.
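As an added example (not code from the original page), a small Python monitor for the logging step above: it reads sshd-style authentication log lines, counts failed logins per source address in a ten-minute window, and flags both a burst of failures and a login that succeeds right after one. The sample log lines are constructed, and the five-failure threshold, the window and the 2015 log year are assumptions.

```python
# Added example (not from the original page): a minimal login monitor for the
# "logging and monitoring" step. It counts failed logins per source address in
# a sliding window and flags a success that follows a burst of failures.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style sample lines (not real data); log year assumed to be 2015.
SAMPLE_LOG = """\
Mar 12 09:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 09:00:03 srv sshd[2103]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 12 09:00:05 srv sshd[2105]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 12 09:00:07 srv sshd[2107]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar 12 09:00:09 srv sshd[2109]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 12 09:00:12 srv sshd[2111]: Accepted password for root from 203.0.113.45 port 51032 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
THRESHOLD = 5                   # failures within WINDOW that make a burst (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)

def parse_line(line, year=2015):
    # Returns (timestamp, result, user, ip), or None for lines we do not track.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_alerts(log_text, threshold=THRESHOLD, window=WINDOW):
    # Returns a list of (kind, ip, user, timestamp) tuples for suspicious events.
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # forget failures outside the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:      # alert once per burst
                alerts.append(("brute_force", ip, user, ts))
        elif len(recent) >= threshold:
            # A success right after a burst is a possible account compromise.
            alerts.append(("success_after_burst", ip, user, ts))
    return alerts
```

Feeding real `/var/log/auth.log` lines into `find_alerts` is the simplest in-house version of this step; the "success after burst" alert is the one to treat as an incident rather than as noise.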

Regularly backing up your data means it can be accessed easily to reduce downtime in the event of a breach. However, there is a risk that you may restore the same vulnerabilities which caused the breach in the first place so you should consult a specialist beforehand on how to mitigate this.

Consulting a security specialist for a thorough risk assessment and further advice is essential. You can also:

Have procedures in place which identify and isolate infected systems to prevent further infection.

Establish an incident response team who are trained with the skills and expertise to address incidents.

If your customer database has been compromised, the customers should be directly informed of the breach and advice should be given on what actions they should take, such as changing passwords and checking bank statements.


The threat of cyber-attacks is ever-present and isn’t going away. Methods are becoming increasingly sophisticated and ever-increasing connectivity means there are more opportunities for cyber criminals than ever.

The risks to businesses are severe: a cyber attack can impact your bottom line, your reputation and even your ability to continue operating.

There’s plenty you can do to insulate yourself against the risk, and the most dangerous course of action would be to disregard the threat. Consult a professional, ensure your staff understand security best practices, make sure that your company’s most important assets are safeguarded and have a plan in place for responding to any breaches.