SMEs and Cyber Attacks

What you need to know

"A cyber attack is a deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft."

Why should businesses worry?

an image representing a target

of businesses in the UK suffered a cyber attack or breach in 2016, double the number in 2015.

an image representing crosshairs on a cloud

Cyber attacks and breaches cost UK businesses an average of £1,570 per attack in 2016.

an image representing a revenue crash

Attacks can hinder a business's productivity, harm its reputation and cause it to lose its competitive edge.

Three Mobile logo.


Cyber criminals compromised the information of 210,200 Three Mobile customers, using stolen login details from Three employees to access the firm's customer upgrade database in 2016.


Attacks on the telecom company's website in October 2015 caused losses of £42 million. Hackers attacked the site 14,000 times, after a vulnerability was exposed by a teenage boy.

Paddypower logo.
Staples logo.

United Airlines and American Airlines

In January 2015, nearly 10,000 frequent flyer accounts were possibly compromised when criminals used stolen usernames and passwords to access the accounts, book trips and redeem

Why are SMEs targets for
cyber attacks?

Poor security and a lack of awareness and training can leave SMEs ill-prepared for attacks, making them easy targets for cyber criminals.

SMEs can underestimate the threat of cyber attacks and often don't believe they're at risk:

A padlock image, representing online security.

of small businesses in the UK suffered a cyber security breach or attack in 2016.

A cross symbol.

of businesses hit by cyber attacks see cyber security as a low priority.

An unlocked padlock image.

of small business managers still do not agree that cyber security is a high priority.

Small and micro businesses lack the resources or knowledge to defend against an attack:

A shield image.

do not receive any training on cyber security.

A dollar sign image.

have no formal policies for ensuring cyber security.

A question mark image.

have no cyber security measures at all.

How Attacks Happen

Website attacks fell by almost a third in 2016 as cyber attackers turned
increasingly to email. This is what a common cyber attack now looks like:

An email is sent disguised as an invoice or bill.

The subject lines of emails containing malware often include words such as 'invoice', 'document' or 'order'.

The user is tricked into downloading an attachment.

This is typically a Javascript file or another scripting type, but it also could be an Office file.

The file triggers the installation of malicious software.

When the file is launched, it prompts the user to execute a macro or launches PowerShell to download and execute the final payload.

The user's device is typically infected with ransomware, which encrypts the user's private data.

Here are some tactics used to exploit cyber security vulnerabilities:


Representation of phishing

Dupes users into supplying sensitive information by posing as a trustworthy source, such as a bank, commonly used retailer or a personal acquaintance.

of the cyber crimes affecting SMEs were spear phishing attacks.


Representation of water-holing

Compromises legitimate websites by injecting malicious code to visitors passing by when they download the infected software.

of cyber crimes affecting SMEs were malware attacks.


Representation of ransomewear

Extorts victims for money or private information in exchange for the decryption of data and removal of malware.

$1,077 (approx £830) was the average ransom demand in 2016, up from $294 (approx £226) in 2015.

distributed denial
-of-service attack

Representation of Denial-of-service attack.

Attempts to flood a network to disrupt the service and prevent users from accessing it.

of SMEs have suffered a DDoS attack.

What's at risk?

SMEs tend to store confidential information such as client lists, customer databases or financial details which are highly prized assets for criminals.

Cyber criminals make money through identity theft, sale of stolen information, holding data to ransom or stealing funds from bank accounts.

Attackers can sell data, such as pricing information, product designs or manufacturing processes to competitors, which may give them a market advantage.

Cyber attacks are highly lucrative with profits easily made on the black market from selling stolen goods.

Here are estimates of the black market value of some commonly stolen credentials:

credit card

Ready-made toolkits for attacks are also available for budding criminals with little technical knowledge required to run attacks on their own:

basic banking
trojan kit
stealing trojan
android banking
ransomware kit

An attack can damage a business’s financial health directly, and the recovery process can be lengthy and costly. It’s estimated that cyber crimes costs SMEs around £800
million per year.

Small businesses in the UK lost an average of £740 in direct costs in 2016.

Small businesses in the UK incurred losses of £330 in recovery costs in 2016.

Attacks resulting in a data breach and exposure of customers’ confidential information negatively impact customers’ views of the business:

Reputational damage is estimated to cost SMEs £1,600 to £8,000.

In addition to the time required to repair and recover from the attack, some businesses found they had lost their competitive advantage due to the loss of commercially sensitive information:

of SMEs suffered intellectual property theft.

suffered loss or leakage of confidential information.

Criminals may steal your employees' or customers' personal details and as it's your responsibility to safeguard this data it can be constituted as a breach of the Data Protection Act (DPA).

This could result in compensation to individuals who suffered damage from the breach or severe penalties from the ICO (Information Commissioner's Office) where you can be fined up to £500,000.

The DPA requires that businesses take "appropriate technical and organisational measures" to prevent unlawful use, theft, destruction or loss of personal data. If your company fails to do so, you could be liable.

The EU will enforce General Data Protection Regulations (GDPR) in May 2018, notwithstanding Brexit.

Businesses must be able to prove that any data they hold is protected or face the risk of hefty fines.

As many as 9,000 Tesco Bank customers lost money from their accounts, following a data breach in November 2016.

£2.5 million was stolen from customer accounts in total.

Customers had up to £600 withdrawn from their accounts.

Tesco would face fines of over £1.9 billion if it occurred under the EU's GDPR.

Managing the Risks

95% of all security incidents involved human error and employees pose the biggest vulnerability to the IT system.

Vulnerabilities caused by human error include:

  • Using "unpatched" applications where software updates containing security fixes are not installed.
  • Using easy to guess or default passwords.
  • Opening an infected attachment or unsafe URL.
  • Falling victim to social engineering scams (such as phishing).
  • 'Bring your own device' comes with risks if employee-owned devices are infected, which can spread malware to the company’s IT system.

Although most human-related security incidents are caused accidentally, disgruntled employees can also be a risk.

Educating employees on how to protect sensitive data using security best-practices is crucial to safeguarding your business.

It’s recommended that you consult a network security specialist to give a thorough assessment on protecting your company. Here are some steps you can take right now:

Encourage employees to use strong passwords, refrain from using the same password for multiple logins and change passwords every 90 days.

Always Install the latest security updates for software and web applications which will Close known vulnerabilities.

Encrypt sensitive data such as employee details and financial accounts.

Update your anti-virus software and firewall as soon as a new version is released to ensure they’re effective against new forms of malware.

Protect mail servers with security software that scans emails to reduce the likelihood of falling victim to infected attachments.

Create "whitelists" that control all traffic through the network by granting access to certain IPs and e-mail addresses.

Ideally, administrative accounts should not be granted access to email or internet to prevent attackers entering the system through these channels. If administrators need web access then implement a two-factor authentication.

  • Cyber Essentials is a scheme backed and supported by the UK Government to help protect businesses of all sizes against common cyber threats.
  • Businesses can attain a Cyber Essentials badge to advertise the fact that they are following government endorsed standards for cyber security. To obtain the badge, businesses can carry out a self-assessment to see if they meet the requirements, or they can be independently assessed by accrediting bodies.
  • The scheme outlines five main procedures that should be implemented for basic protection against cyber attacks:

Boundary firewalls and internet gateways

Access control

Patch management

Secure configuration

Malware protection

In the event of an attack

Unfortunately cyber attacks may succeed despite taking preventative measures.

Having a plan in place in the event of a successful attack can limit damage. Safeguarding data should be a priority, especially if that data is crucial to the running of your business:

4 in 10 SMEs say they would struggle to recover from data loss.

1 in 4 SMEs admit they wouldn't be able to recover any data.

Logging and monitoring any suspicious activity can inform you as soon as a breach happens, giving you a chance to respond quickly and limit potential damage. This can be done in-house or outsourced to specialists.

Regularly backing up your data means it can be accessed easily to reduce downtime in the event of a breach. However, there is a risk that you may restore the same vulnerabilities which caused the breach in the first place so you should consult a specialist beforehand on how to mitigate this.

Consulting a security specialist for a thorough risk assessment and further advice is essential. You can also:

Have procedures in place which identify and isolate infected systems to prevent further infection.

Establish an incident response team trained with the skills and expertise to address threats.

If your customer database has been compromised, those customers should be directly informed of the breach and advice should be given on what actions they should take, such as changing passwords and checking bank statements.


The threat of cyber attacks is ever-present and isn’t going away. Methods are becoming more sophisticated and ever-increasing connectivity means there are more opportunities for cyber criminals than ever.

The risks to businesses are severe: a cyber attack can impact your bottom line, your reputation and even your ability to continue operating.

There’s plenty you can do to insulate yourself against the risk, and the most dangerous course of action would be to disregard the threat. Consult a professional, ensure your staff understand security best-practices, make sure that your company’s most important assets are safeguarded and have a plan in place for responding to any breaches.


  • >