How to Protect Your Small Business from Cyber Attacks

Cyber attacks can bring your online business to its knees, causing colossal damage to your operations, reputation and revenues. As such, a robust business cybersecurity policy should be a key part of your business continuity and risk management plan.

A recent report by Vodafone Business has found that over half of all UK SMEs (54%) have experienced some form of cyber attack over the past year.

Even the smallest UK companies are not immune to the risk of cyber attacks. Here, we’ll look at what businesses need to know about network security and cybercrime in order to protect themselves from cybercriminals.

What is a cyber attack?

A cyber attack is when a criminal organisation or individual uses one or more computers to invade, disable or commandeer a company’s computer network. It involves the use of malicious software to steal data, disable business operations and even launch other attacks using the company’s network.

Types of cyber attacks

In order to establish a small business cyber security plan, business leaders should first familiarise themselves with the different types of cyber attacks. These include:

  • Phishing – deceptive emails or other types of electronic messaging designed to make victims part with money, data and personal information. The attacker usually impersonates someone the recipient trusts.

  • Malware – malicious software designed to damage or destroy computers and systems. Common examples include viruses, worms, spyware and adware.

  • Distributed Denial-of-Service (DDoS) attacks – the normal traffic of servers and networks is disrupted by targeting their infrastructure with a flood of internet traffic.

  • Spam – digital junk mail sent in bulk online through electronic messaging systems, mainly email.

  • Ransomware – malware that encrypts the victim’s critical data and holds it to ransom, leaving them unable to access files, applications and databases. By targeting networks, databases and file servers, it can leave small businesses paralysed unless they give in to demands.

How to recognise a cyber attack

The best way to educate yourself and your staff on cyber attacks is to take a business cybersecurity training course. The UK government offers free training for SMEs via an online learning module for staff that takes approximately 30 minutes to complete.

Training will help alert your employees to the different types of attacks, increase vigilance and help business leaders to identify the right software to keep them at bay.

Additional training via instructor-led online courses may also provide further information on:

  • Legal, regulatory and contractual responsibilities

  • How to develop incident responses

  • All types of cyber attacks

  • Cybersecurity fundamentals

  • Cloud security

How much do cyber attacks cost SMEs?

A 2023 government report suggests that while cybercrime statistics are generally lower than in the previous year, most of the change comes from small businesses and micro businesses investing in better cybersecurity. Nonetheless, cybercrime still cost UK businesses an average of £1,100, with medium-sized businesses paying an average of £4,960. Even non-profit organisations are not immune, with charities paying out an average of £530 last year.

Cyber attacks can be costly to SMEs in a number of ways. Most direct costs are associated with:

  • Theft of money and/or corporate/financial information (e.g. bank details, payment card information)

  • Disruption to trading (such as disabling the ability for online transactions)

  • Loss of contracts

  • Costs to repair systems and networks hit by the attack

Reputational cost of cyber attacks

When businesses fall victim to a cyber attack it can undermine trust in their brand, especially if cybercriminals access client or customer data. This may cause indirect costs to the business via:

  • Loss of customers

  • Loss of sales

  • Profit reduction

Reputational damage can be far-reaching and ultimately more damaging than financial loss. Suppliers, partners, investors and other third parties vested in your business may think twice about working with you.

Data protection and General Data Protection Regulation (GDPR) laws make it essential that you correctly manage the security of personal data you hold on staff, clients and customers. Whether it’s accidental or deliberate, failure to deploy such measures can result in fines and regulatory sanctions.

Developing a small business cyber security plan

When it comes to avoiding cyber attacks, an ounce of prevention is worth a pound of cure. A small business network security plan can greatly reduce the chance of an attack.

This should encompass:

  • Virus protection – every company should have this software, no matter its size. Most operating systems come with free antivirus software but look online to see if other software would suit your needs better – and make sure auto-updates are switched on.

  • Employee training – ensure you and your staff are educated in cybersecurity with an online course that can be accessed anywhere. There are a variety of courses available online from beginner level to advanced.

  • IT support – do you have a strong team in place to help if an attack happens? Employ IT staff that are qualified and knowledgeable or consider outsourcing to one of the many support teams available.

  • Insurance – 64% of businesses have a cyber insurance policy to help mitigate the cost of cyber attacks.

  • Passwordless authentication methods – with weak passwords responsible for so many cyber attacks, companies are looking at ways to remove the reliance on passwords for security.

What to do if you encounter a cyber attack

Your business cybersecurity should encompass more than preventative measures. It should also identify how business leaders and employees should react in the event of a cyber attack. Time is of the essence, so it is vital that employees take appropriate action as quickly as possible.

Change passwords

One of the first things you should do after an attack is to change your passwords – and make them harder to hack. Use unique passwords that are difficult to guess and consider two-factor authentication (2FA).

Alert IT

Your IT team should be trained to know how to respond to attacks quickly and effectively. Help them deal with the issue fast by giving them as much information as possible, e.g. what type of attack it is and the extent of the damage.

Remove remote access

Many companies allow remote access to machines so that IT can help when there is an issue with a staff member’s computer while working from home. Secure the network and contain the breach by removing remote access.

Install security updates/ensure the software is up to date

Cyber attacks are constantly evolving. Having security software is one thing, but it needs to be kept up to date to protect against the latest attacks. If you’re hit by cyber criminals, run updates as soon as you can to help fight back, for example by removing malware.

Communicate with customers

You must be transparent and upfront with customers and tell them if their data has been compromised; otherwise you risk losing their trust.

Assess the breach and learn what to do next time

Once you’ve contained the attack, you need to find out what data has been compromised, which systems have been accessed, and whether any unauthorised entry points remain. You may need to reinstall systems, restore data and repair or replace damaged hardware. Try to learn from the experience with a thorough investigation.

How we can help

The age of remote and hybrid working brings new cybersecurity challenges and complications for UK SMEs. Square’s suite of business solutions, including eCommerce tools and secure payment methods, can supplement your small business cyber security plan and help to minimise cybersecurity risk.
