SMEs must prepare for the next cyber attack

According to the Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2022, 39% of businesses and 26% of charities report having security breaches or attacks in the last 12 months.

There are many examples of global companies that have suffered cyber attacks. In 2020, the ICO issued its first fine under the new GDPR, slapping British Airways with a £20m fine for a data breach that affected more than 400,000 of its customers. Yahoo, one of the more infamous victims of cyber attacks, has been hacked three times. This is despite both companies’ extensive resources. 

Naturally, it becomes even more challenging for SMEs to compete and maintain the same standard of caution. Hiscox estimated in 2018 that while most attempts fail, a small business in the UK is successfully hacked every 19 seconds. This represents a monumental problem. And cyber attackers have only become even more sophisticated as they hunt the most vulnerable and lucrative prey.

The Covid-19 effect

It’s not an exaggeration to say that COVID-19 radically transformed the world of work. Most UK businesses were forced to adopt remote working for the first time, and a large majority have decided to stick with it – on either a permanent or hybrid basis.

This move has brought with it heightened cybersecurity risks. For one, there are behavioural challenges: employees may believe they can get away with riskier behaviour, like sharing confidential files via email instead of more secure channels, when away from senior eyes. In addition, the likelihood of working on insecure personal devices and/or networks massively increases when working from home.

Secondly, some organisations were forced to adapt their business quickly. Their target customers – both B2B (businesses) and B2C (consumers) – became solely “digital-purchasers” overnight. As a result, organisations had to pivot their operations to provide more goods and services online, raising e-commerce’s share of global retail trade from 14% in 2019 to about 17% in 2020. 

However, the growth of online activity also increases the potential for cyberattacks. Hackers took advantage of the treasure trove of new personal data being fed into eCommerce sites: email addresses from customers’ sign-ups, card details during purchasing, addresses for delivery, and even passwords for log-ins or dates of birth for age validation. This data means eCommerce sites have an even larger target on their backs.

No small phish to fry: The consequences of a breach

The consequences of a successful attack can be high indeed. The EU’s General Data Protection Regulation allows EU authorities to impose fines of up to 4% of a company’s annual global turnover or €20 million, whichever is higher. The severity of this regulation is matched by the scale of the problem. When a company loses a customer’s data in a cyber attack, that data is sold online to criminals who intend to use it for profit.

In one case examined by Deloitte, attackers took advantage of a retailer’s poor wireless network security to intercept credit card information and breach the company’s unencrypted customer database. In this case, the cybercriminals used various attack techniques until they found one that worked, then waited inside the network until they could intercept the data they needed to get into the company’s database. The affected company suffered a significant reputation loss and had to deal with sales losses, fines, and a settlement. 

Despite this, according to CyberSmart, 32% of UK SMEs still don’t have any form of cybersecurity program at all (whether in-house or outsourced), and exactly half of SME managers said they did not have a formal cyber-incident response plan. 

A constant game of cat and mouse: What should we do about it?

Stay up to date: Cybersecurity requires a serious reality check. If an organisation wants to access your information, they will. It’s a matter of when, not if. The key is to be proactive. Don’t think it won’t happen to you.

If your eCommerce site is taken offline, you’re certain to take several hits: lost sales, brand damage, and the cost of restoring it. It’s worth the investment to keep your website regularly updated, patching the site itself, its plugins, and the CMS. It can be tempting to push back updates due to the cost of upgrades, especially if no additional features or functionality are added. However, it is absolutely critical that businesses apply system updates as soon as they are released. For any vulnerability announced in a particular piece of software, it’s only a matter of time before it gets exploited by hackers. In the case of British Airways, the cyber attack on their systems wasn’t detected for 2 months, so any delays in identifying risks simply add to the potentially devastating impact of a data breach and the resulting regulatory rulings.

You can protect yourself by ensuring the software you are using is secure and supported by a vendor. If you use software that doesn’t let you reach out to the developer and ask for an update to an element that isn’t quite right, be it a security vulnerability or otherwise, you’re leaving the front door wide open for an attack now or in the future. In that regard, having backups is also essential so that the site can be quickly restored if something goes wrong, and these must be air-gapped or otherwise inaccessible to malicious actors.

Get certified: Cyber Essentials, a set of technical and administrative controls that ensure your business can mitigate the vast majority of threats, is one example of a government-led scheme that can be helpful to safeguard your organisation and prevent the majority of threats from becoming real. The scheme assesses five key criteria to ensure you know how to begin protecting yourself. Research from Lancaster University found that simply being certified can help reduce a business’s cyber risk by up to 98.5%. 

Don’t compromise on training: After all, insider threats such as administrative errors can pose just as much of a challenge. It’s not just about protecting your confidential information from malicious outsiders. For example, phishing emails – the most commonly used threat vector for successful attacks last year – have become more convincing. Perhaps an employee sets a weaker password or writes it down somewhere accessible. Here is where driving cybersecurity requires a cultural shift. It is imperative that every employee at your business receives security awareness training and is well informed of the types of threats that are out there. In addition, a dedicated Chief Information Security Officer should be appointed, whether it’s you as the company’s leader or a part-time position; that person must be properly trained and empowered to fulfil the role.

Ultimately, leave nothing to chance. Always expect an attack to happen, as cybercriminals are constantly looking for that open entryway. SMEs cannot afford to leave the door open. One negative experience can damage your customer relationships, reputation and overall business health. In this constant game of cat and mouse, we all need to be on our guard. 

Andrew Armitage

Andrew Armitage is the founder and owner of A Digital, a digital agency based in the north west of England. He's a podcast host and the author of Amazon best seller Holistic Website Planning: Positioning your Website at the centre of your Digital Transformation. Working with clients including the NHS, Hawkshead Relish, Windermere Lake Cruises, and most recently James Cropper plc, he has grown A Digital from a spare bedroom into a thriving team.
