top of page

How Can Small Retail/Food Businesses Benefit from a Vulnerability Assessment?

Being a small business owner involves juggling many different priorities all at once. As a result, the cybersecurity of the organisation is a priority that can often go unconsidered, due to the fact it is not urgent until it becomes an issue. However, with 32% of businesses falling victim to a data breach or cyber-attack in 2022, it is an important issue to address.

It can be easy to assume that small equals safe when it comes to cybercrime, and that criminals have bigger fish to fry than a small business or sole trader. However, it is the vulnerabilities of a business that makes them a target, rather than the size. Like an opportunistic car thief walking down the road trying door handles, all it takes is one opportunity for a criminal to do some serious damage. Particularly for a small business, the impacts of a cybercrime can be financially and reputationally devastating, therefore investing in cybercrime prevention is a valuable investment to make, saving money and time before an issue occurs.

retail shop door

What makes retail businesses a target?

Businesses are targeted for two main reasons by cyber-criminals, these being financial gain and sensitive data. These are two assets held by almost every business in the world, no matter their size. For those working in retail, this could mean customer information, mailing lists, invoices or banking information, all of which are useful to a criminal.

In terms of how you may be targeted, phishing is a common attack method for cybercriminals. They may send emails that appear convincing and legitimate, that try to convince you to click on an attachment infected with malware, or to visit a suspicious link that prompts you for your login details. For a small business working in retail or food, this email could appear to come from one of your suppliers, your accountant, or even a customer.

Criminals can also target you using your online platforms, via social media or your website. These days, more and more SMEs offer e-commerce options for their customers or advertise their business via a website or on social media. These can be used to target you directly, using similar phishing methods, or to find out more information about your business, to help them target you using accurate information.

How can a Vulnerability Assessment help?

There are several steps involved in ensuring that your organisation is educated and aware about what good cyber resilience looks like. Firstly, ensuring that everybody understands the common cyber threats they might face means that you will be more likely to spot and report anything suspicious. Another way to become more resilient to the possibility of a cyber-attack is to take stock of any online vulnerabilities that hackers can exploit. At the ECRC, in addition to our free resources and tools, we also offer several affordable services to help identify such vulnerabilities, at a cost that is affordable for many SMEs.

Our services are provided by students, who are employed on the Cyber Path talent pipeline. These local students are mentored and monitored by senior ethical hackers, facilitating hands-on training for those who may become the future leaders in the fight against cyber-crime. This not only makes their services more affordable than those provided by commercial companies, but by utilizing their skills you are supporting the next generation of cyber-talent. The different vulnerability assessments on offer are listed below.

This service assesses your website and web services against the top 10 security risks, searching for weaknesses and vulnerabilities. These assessments are supported with back-out and recovery plans to minimise the risk of outages. Service reporting will the outline the weaknesses in plain language, explaining what it means and the risk to your business, as well as guidance on how to fix this.

This involves reviewing your business’s internet connection remotely, in the same way an attacker would. These are not penetration tests with the goal of complete system compromise and control, rather tests focused on identifying weaknesses that could be used by attackers to achieve those ends. Service reporting is then provided in plain language to explain the findings.

This requires access to your internal network to simulate somebody who has gained illegitimate access. It will scan and review your internal networks and systems for elements including poorly maintained or designed systems, insecure Wi-Fi networks, insecure access controls, or opportunities to access sensitive data. Again, service reporting will describe what each weakness means, the risks associated, and guidance on how to fix them.

If you receive a troubling service report and choose to take remedial action, the ECRC partners with several cybersecurity companies who can help you to manage this, however there is no obligation to do so. You could also choose to pursue a Cyber Essentials qualification, which will ensure you that your company is reaching the minimum recommended standards in terms of good cyber security.

retail shop checkout

What should you do next?

Signing up as a free member of the ECRC allows you to receive the benefits of our email programme. These emails allow you to build your cyber resilience gradually through the form of actionable tasks. They are concise and designed to be accessible for a non-technical audience.

Becoming a member also means you will be signposted towards the various free policing and National Cyber Security Centre (NCSC) tools that are available to support you. Exercise in a Box is a tool created by the NCSC that contains training exercises of varying lengths, which shed light on a multitude of cyber risks. Additionally, their Cyber Action Plan can help you to get some clarity on your current cybersecurity position, leaving you with steps to take that will improve it further. As well as this, the NCSC’s Small Business Guide is also fantastic reading to help SMEs learn more about their cyber risk and how to support themselves.

Ultimately, cybercrime and cyber resilience is an important consideration for SMEs, that pays to be invested in sooner rather than later. Cyber resilience does not have to be expensive and ensuring that the fundamental behaviours of good cyber hygiene are being implemented across your organisation will leave you significantly more protected against becoming a victim.

If you would like further information on vulnerability assessments or wish to chat about the cyber resilience of yourself or your business, you can book a chat with us here.

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which isn’t ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)

the eastern cyber resilience centre


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page