If you work within, or even run your own, SME, it may be tempting to consider yourself protected from the risk of cyber attack by your size. If you only have a handful of customers, or turnover that measures in the hundreds of thousands rather than the millions, you may believe that attackers will simply pass you over in favour of larger, potentially more lucrative targets. This can leave you vulnerable for a couple of reasons, which we’ll talk about here.
‘43% of cybersecurity attacks are aimed at small businesses’, according to business mentoring firm SCORE. Concerningly, they add that ‘this number is expected to increase.’ Why might attackers be so keen to attack an SME?
Take a moment to view things from the attacker’s perspective. What might be appealing about an SME, compared to a major corporation? For a start, whose security do you think might be harder to breach—the multinational with a 100-strong security team, or the local family-run business with five employees, none of whom have any security experience?
Alongside the likely ease of compromise, consider the other primary factor influencing one’s decision to commit a criminal act: the likelihood of repercussion. Would you rather risk attacking a major firm, who will have the resources to implement advanced intrusion detection and prevention systems and who will have the legal muscle to make your life unpleasant if they can catch you, or the 50-employee company that might not even log network traffic at all, let alone analyse it?
Think of it this way—whilst one makes for far more interesting headlines and far more dramatic films, which type of robbery happens more often: muggings and burglaries, or elaborate multi-million-pound bank heists?
There is another threat posed to SMEs, however. Whilst geopolitical disputes between nation states may seem a million miles away from the concerns of your firm, the increasing use of cyber attacks in advancing national interests are less exacting in their targets than the traditional munitions of old. For example, the 2017 NotPetya ransomware attack against businesses in Ukraine has been linked back to Russia.
Whilst the most headline-grabbing target was the shipping multinational Maersk, the attack impacted over 2,000 businesses across the globe. This was in part due to the supply chain attack used to deliver the malware—compromising a popular piece of accounting software allowed the attackers access to all of its clients whether large and small; whether based in Ukraine or the UK.
Whilst cyber security complacency within SMEs is understandable, reliance on such ‘security though obscurity’ is as good as a reliance on no security at all. It is vital that you take the threat of cyber attacks seriously, and implement measures to ensure that you are not the soft target an attacker may be expecting, and to protect yourself from becoming collateral damage in conflicts far larger than yourself. Consider giving the NCSC’s Cyber Security: Small Business Guide a read, sooner rather than later.