Small Business Owners: Are you vulnerable to a cyber-crime?
- emilybevan6
- May 9
- 4 min read
In today’s digital world, small businesses and sole traders in the UK are increasingly reliant on online tools, cloud platforms and digital communication. While this makes starting and running a business easier, it also comes with a heightened risk of cyberattacks. Many small businesses believe they are too small to be targeted, but much attack activity is automated and indiscriminate, and cybercriminals often view these organisations as low-hanging fruit: under-protected and easier to exploit than larger firms. In this blog, we will explore the most common cyber vulnerabilities affecting SMEs in the UK and offer practical recommendations to help mitigate these risks.

Weak or Reused Passwords
One of the most prevalent vulnerabilities is the use of weak or reused passwords across multiple systems, email accounts and social media accounts. Attackers use techniques such as brute-force guessing and credential stuffing, where username and password pairs leaked from one breach are replayed against other services. Credential stuffing works precisely because people reuse the same password in several places, so a breach at an unrelated website can hand an attacker the keys to your business email.
Implementing and enforcing a sensible password policy is a good way to mitigate this. The NCSC recommends the three random words technique: choose three random, unrelated words and join them into one long password (for example coffeetrainfish), which is easier to remember and far harder to guess than a short password with forced symbol substitutions. Using a password manager is also effective, as it stores a separate, unique password for every account in one place, so you are not tempted to reuse passwords for the sake of convenience. Additionally, enabling multi-factor authentication (MFA) wherever possible adds a further layer of security, so that a stolen or guessed password is not enough on its own to get into the account.
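The policy described above, as an added example that is not part of the original post: a small Python check that enforces a minimum length and a deny list of known-weak passwords (the NCSC-style alternative to complexity rules), plus a three random words generator and an entropy estimate showing why the size of the word list matters. The breached-password set and the word list are constructed for illustration; a real deployment would use a large breach corpus and a word list of thousands of entries.

```python
import math
import secrets
import string

# Constructed sample of common / previously breached passwords, for illustration.
# A real policy check would use a large breach corpus such as the downloadable
# Have I Been Pwned list rather than this short set.
BREACHED_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "admin123", "acmetrading2024",
}

# Constructed word list. A real generator would use thousands of words,
# which is what gives a three-word passphrase its strength.
WORDLIST = [
    "coffee", "train", "fish", "lantern", "river", "pencil", "marble", "orbit",
    "velvet", "thunder", "cactus", "ladder", "pepper", "window", "anchor", "meadow",
]

MIN_LENGTH = 12


def check_password(candidate: str) -> list[str]:
    """Return the policy problems with a candidate password (empty list means accepted).

    Mirrors the NCSC approach: a sensible minimum length plus a deny list of
    known-weak or breached passwords, instead of forced complexity rules.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Compare case-insensitively and with trailing digits/punctuation removed,
    # so trivial variants such as "Password1!" are still caught.
    normalised = candidate.lower()
    stripped = normalised.rstrip(string.digits + string.punctuation)
    if normalised in BREACHED_PASSWORDS or stripped in BREACHED_PASSWORDS:
        problems.append("appears in the breached/common password list")
    return problems


def three_random_words(wordlist=WORDLIST, count: int = 3, separator: str = "") -> str:
    """Build an NCSC-style 'three random words' passphrase.

    secrets.choice draws from the operating system's CSPRNG; random.choice
    is not suitable for generating credentials.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(wordlist_size: int, count: int = 3) -> float:
    """Entropy in bits of a passphrase drawn uniformly from wordlist_size**count choices.

    Three words from a 7,776-word list give about 38.8 bits; from this 16-word
    demo list only 12 bits, which is why the word list size matters.
    """
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["Password1!", "acmetrading2024", "coffeetrainfish"]:
        print(pw, "->", check_password(pw) or "accepted")
    print("suggested passphrase:", three_random_words())
    print("bits of entropy with this demo list:", passphrase_entropy_bits(len(WORDLIST)))
```

Note that "acmetrading2024" passes the length check but is still rejected: a long password built from the company name and the year is exactly the kind of guess an attacker tries first, which is why a deny list matters more than a length rule alone.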
Outdated Software and Unpatched Systems
Individuals and small businesses often neglect to update their software regularly. However, unpatched operating systems and applications are easy entry points, because attackers actively scan for and exploit known vulnerabilities for which a fix already exists.
Enabling automatic updates on your devices and software is a simple way to mitigate this risk. Whenever you become aware of an available security update you should install it as soon as possible: the update itself is a public signal that a vulnerability exists, and attackers routinely work out what was fixed and target systems that have not yet applied it.
Phishing Attacks and Social Engineering
Phishing remains one of the most successful attack vectors used by cybercriminals. It involves convincing or tricking people into clicking malicious links, opening infected attachments, or handing over sensitive information such as passwords or payment details. It is most often delivered by email, although phishing by phone call and text message is also common, and the messages range from easy to spot to highly sophisticated and convincing, for example impersonating a supplier, bank or colleague and creating a false sense of urgency. Small businesses are particularly vulnerable because their staff are less likely to have had formal security training that outlines the risks and what to look for.
Providing all employees with regular awareness training on how to identify phishing attempts can reduce your risk profile. Establishing a clear, blame-free process for reporting suspicious messages is also beneficial, as one early report can allow you to warn everyone else before anyone clicks.
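Two of the indicators that awareness training teaches people to look for, turned into code as an added example that is not part of the original post: a link whose visible text shows one web address while the underlying href points somewhere else, and a host name that embeds a trusted domain as a subdomain of an unrelated one. The email below is constructed for this example (the domains are fictitious), and the registrable_domain helper is a deliberately crude approximation; a production tool would use the Public Suffix List.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The first link's visible
# text claims one destination while its href points somewhere else, and the
# fake host embeds the bank's domain as a subdomain to look legitimate.
SAMPLE_EMAIL = b"""From: "Accounts Team" <accounts@examplebank.co.uk>
To: owner@smallbiz.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been locked. Please visit
<a href="http://examplebank.co.uk.verify-login.example/auth">https://www.examplebank.co.uk/login</a>
to restore access.</p>
<p>Or read our <a href="https://www.examplebank.co.uk/help">help pages</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'owner' domain: last two labels, or three for UK second-level suffixes.

    Assumption for this example only; a production tool would use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "ac", "gov", "me"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text: str):
    """Hostname of a URL-looking string, or None if the text is not a URL."""
    if " " in text or "." not in text:
        return None
    candidate = text if text.startswith(("http://", "https://")) else "http://" + text
    return urlparse(candidate).hostname


def find_suspicious_links(raw_message: bytes) -> list[dict]:
    """Return the links in an email that show two classic phishing indicators."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    extractor = LinkExtractor()
    extractor.feed(body.get_content())

    findings = []
    for href, text in extractor.links:
        href_host = urlparse(href).hostname
        if href_host is None:
            continue
        href_domain = registrable_domain(href_host)
        reasons = []
        # 1. The visible text is itself a URL but names a different domain.
        text_host = host_of(text)
        if text_host and registrable_domain(text_host) != href_domain:
            reasons.append(f"text shows {text_host} but link goes to {href_domain}")
        # 2. The sender's domain appears as a subdomain of an unrelated host.
        if href_host.lower().startswith(sender_domain + ".") and href_domain != sender_domain:
            reasons.append(f"{sender_domain} used as a subdomain of {href_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The second link in the sample is left alone: it really does go to the bank's own domain and its visible text is ordinary words, which is the point of the check. Hovering over a link before clicking shows a person the same href this code inspects.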
Lack of Data Backups and Recovery Plan
Cyber attacks can devastate small businesses that lack proper data backups. Without a recovery plan, organisations may be forced to pay attackers in the case of ransomware or face permanent data loss and reputational damage. Keep regular backups of your important data somewhere separate from your live systems, such as an offline drive or a separate cloud account that your everyday logins cannot reach, so that ransomware cannot encrypt the backup as well, and test restoring from them periodically: a backup you have never restored is not yet a recovery plan.
Insecure Wi-Fi Networks
Many businesses leave their routers on default settings, which can mean a factory-set administrator password and an easily guessed Wi-Fi key, and remote workers may be logging on via public Wi-Fi networks, for example in coffee shops. Using public Wi-Fi makes it easier for an attacker on the same network to intercept your connection and steal data. Change the router's default administrator password, use WPA2 or WPA3 encryption on your wireless network, and encourage safe Wi-Fi practices throughout your business. Consider using a VPN to encrypt your internet traffic when working away from the office.
Consider Access Controls
If your organisation employs multiple people, consider how much access each employee has to business systems and data. Apply the principle of least privilege, meaning employees only have access to the data and systems necessary for their roles, and review that access when someone changes role or leaves. This limits the damage a single compromised account or careless click can cause and reduces the risk of data breaches and unauthorised access to sensitive information.
As demonstrated above, SMEs face numerous cyber threats with potentially damaging consequences, yet the majority of common vulnerabilities stem from basic, preventable weaknesses that can be fixed at little or no cost. By focusing on strong cyber hygiene, including sensible password policies, timely updates of all systems and devices, an open cybersecurity dialogue amongst colleagues, and securing digital infrastructure, small businesses can significantly reduce their cyber risk. Cybersecurity does not have to be overwhelming, but it does have to be considered: investing in your defences now can make all the difference further down the road. Resources such as the NCSC’s Cyber Action Plan and Small Business Guide are a great place to start if you are unsure, and joining the ECRC for free will mean you are signposted towards all the free guidance available.
How can the ECRC support?
By joining the ECRC as a free member, your organisation will be supported in making the small changes that make the biggest difference when it comes to cyber resilience. Becoming a free member means you will receive the latest cyber resilience guidance via email, which will drip feed you ways in which you can improve your cyber resilience without costing any money.
The ECRC website also contains several links to helpful National Cyber Security Centre (NCSC) resources, which are all free, up-to-date, and easy to use. Tools such as Exercise in a Box and the NCSC Cyber Action Plan are particularly useful in terms of identifying areas where you could improve your cybersecurity. They also have many informative guides that are sector specific, which will give you useful and detailed information.
If you would like more information about how the ECRC can help your organisation specifically, please book a chat with us today!
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which is not ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).
