Do hackers have your business in their sights?

Small businesses are a big target for certain cybercriminals. Here’s how to build your cyber fortress.

The recent high-profile attacks on major UK retailers such as M&S have once again put the issue of cybercrime in the news. But while it’s tempting to think that it’s the household names, with their revenues in the multi-millions, that are the most attractive targets for cyber criminals, in fact the opposite is true.

SME in the sights

KNP, a 170-year-old logistics company in Northampton, went into administration in 2024. A ransomware attack that damaged the company’s financial position led to its collapse, and the loss of 730 jobs.

Meanwhile, the Information Commissioners Office (ICO) recently revealed that it received reports of 140,000 incidents between 2019 and 2023.

Matt Norris is a consultant and underwriter at insurance firm Beazley. He works with smaller businesses to help them develop better cybersecurity, and says the KNP case revealed some concerning facts for smaller firms.

The group that attacked KNP back in 2023 was a ransomware group called Akira. “This group has different styles of attack, and what they do is target people that only use passwords to secure access to their email accounts or their network. The group has stolen things like email addresses and guessed passwords.”

Estimates suggest that about 80% of the companies that Akira attacks are SMEs. Similarly, cybersecurity firm Coveware recently reported that 35% of all the ransomware attacks affect companies with 11-100 employees.

“So, if you take Akira, which targets SMEs, and you combine that with the number of incidents revealed by the ICO data, and then you look at Coveware’s figures, then you get a picture which points pretty firmly at SMEs,” Norris says.

Two-pronged attack

So what does a typical ransomware attack look like?

Loss of network

“There are two main things about a ransomware attack,” Norris says. “In the first one, you can’t use your network. For a logistics company like KNP, which has so many bits of technology, like optimum route, goods locators, ordering systems and so on, that is critical.

“So you can imagine with a logistics or manufacturing company, or a retailer, are absolutely reliant upon technology. The ransomware attack means you probably can’t even use your telephones either. And we often we call it ‘pen and paper’ time, when a business is attacked and doesn’t have their network up and running or a way of recovering it, end up literally using a pen and paper to keep the trade going. And of course that has huge impact.

Stealing sensitive data

The second area of ransomware involves the theft of personal or sensitive information. “And the idea there is they try to put you in between a rock and a hard place about whether to pay the ransom or not,” Norris explains. “So for other types of company like education and health services, for instance, obviously they’ll be affected by not having a network, but they probably feel even more sensitive about that other part of ransomware: the data side.”

For the average accounting practice, both versions of attack can be deadly: “Their ability to trade with no network is going to be significantly impacted of course; but at the same time, if their clients feel that their sensitive personal information and financial information is accessed, then that could have longer term effects on that company because there may be an effect on trust.”

Security when outsourcing

And it’s also true to say that the risks are intensified if the business is careless about who it works with. “I think the stats in the UK are about 70% of small companies outsource their IT, so they don’t really build it themselves now,” says Norris. “And so one of the key things about outsourcing – which can be brilliant – is that only 14% of companies ask their outsourcer what their security is like.”

The UK has 13,000 managed service providers (MSPs), which suggest that the quality of cyber security will vary.

Three ways to ensure your security

Norris’s three tips are:

Tip one – take time to understand how it works

 Norris suggests taking the time to really understand how your MSP protects itself – and you.

“It’s really important that people ask some basic questions of their outsourcer to check. Because, as we’ve seen with bigger events recently, it’s the supply chain which can create problems upstream.”

Tip two – create layers of security

The second key tip is to focus on creating layers of security. “It’s not about doing everything in 24 hours; it’s about slowly building a plan,” Norris says.

Many of Akira’s victims have been firms that don’t use multi-factor authentication (MFA) that demand users authenticate across different devices.

“There are degrees of MFA that you can use, but not using any at all is probably one of the first steps that you’ve got to consider addressing. It’s why a group like Akira go after SMEs – because they can be the softest target if they’re not using MFA.”

Tip three – address third party fraud

The third key vulnerability is what’s now commonly referred to as ‘trusted third party fraud’. This is where your suppliers are attacked as a means of getting to you, or a fraudster attacks your systems as a way into your customers or suppliers network.

“There’s definitely a front door and a back door to this,” says Norris. “And there’s certainly human psychology to it. If you know and trust your someone, then you leave the door open for them to do whatever they need to do, while if you don’t know them, the front door is normally well battened down.

“In a way, sometimes websites have a bit more security than the managed access that some of your critical suppliers have,” Norris explains. “So, as with all kinds of things to do with cyber, the attackers are psychologically trying to work out their easiest entrance routes. And the psychology of how you treat a trusted third party means that they look at it as being a potential softer entry point.”

Takeaways

Finally, while there’s no failsafe approach to cyber security, keeping in mind a few things can go a long way to protecting the business from the growing threats online.

• the need for layered security,
• vigilance over your MSPs, and
• a healthy sense of scrutiny over other partners

Christian Doherty is a business journalist and freelance writer for AAT.