5 Common Cyber Threats to Small Businesses
Introduction
This article is part of a series of articles called “The Small Business Owner’s Introduction to Cyber Risk”. Each article is dedicated to an important topic that the owners of small businesses should understand as they get started on their journey towards peace of mind from cyber risk.
There is a companion video series available on the Surviving Cyber YouTube Channel and an eBook available for download at: https://pages.survivingcyber.com/ebook
The cyber threat to small businesses has never been at a higher level than it is right now in the post-COVID era. Small business owners are in a uniquely exposed situation because of the close link between their financial livelihood and the fortunes of their businesses. Both could be severely impacted by a cyber-attack.
As the owner or manager of a small business, you may be confused by cyber risk right now, and if you are, you’re not alone. Most people who own or manage small businesses are concerned about the cyber exposures of their businesses. A lot of people are confused by the complexity of the topic and the large number of solutions promoted by the cybersecurity industry.
I understand the small company perspective. Lack of time, money and expertise are real problems for small businesses, but these should not prevent small business leaders from taking reasonable steps to improve business resilience. In this short series of articles, I hope to show you how.
Background
In today's article, I discuss 5 Common Cyber Threats to Small Businesses. Companies of all sizes are changing the nature of their businesses and how they engage with customers by increasingly embracing digital technology and data. This can result in a company's digital assets becoming the most valuable assets of the business. The risk of these assets being lost, stolen or destroyed then becomes a critically important business issue. The company's cyber risk profile also changes profoundly.
The cyber threat landscape is constantly changing. In fact, change and the spread of new threats are the only constants. Malicious attacks are increasing, but accidental disclosure and human error can't be forgotten either. Each year, several reports are produced by the government, by various companies and by industry bodies about cyber risk and cyber losses suffered by UK and Irish industry. Certain trends in the sources of cyber threats are usually evident in these reports. One useful source of information is the cyber insurance industry.
Next, I'll provide my thoughts on five common cyber threats to small businesses and give a brief explanation of each one.
1. Ransomware and Extortion
Because of the high dependency of businesses on systems and data, cybercriminals can successfully extort money by threatening to encrypt, delete, or release data, or to disable a network or website that they have already compromised with ransomware. Ransomware is a form of malicious software or malware that encrypts your systems and your data. The attacker then holds your company to ransom for the release of the data.
Most ransomware is delivered via email. Extortion in the form of ransomware has been one of the fastest growing forms of cybercrime in recent years, and it grew exponentially with the introduction of remote working in 2020 and 2021. Some victims have chosen to pay the ransom rather than risk losing their entire IT infrastructure and/or their data. Even then, the victim has no guarantee that the ransom payment will be effective. And even if it is, they will still incur costs to fix their systems, reconstitute their data and protect their digital assets. The availability of good backups is often a key consideration in mitigating the loss that the company will suffer.
Phishing is a form of social engineering, in which the attacker, posing as a trusted party, sends an email designed to induce the recipient to share sensitive information, such as a username or a password, to download malware or visit an infected site. Ransomware and phishing attacks have seen huge increases during the COVID era as cyber criminals enjoyed the "perfect storm" conditions with unplanned and sometimes enforced remote working a reality, even for most small businesses.
2. Data Breach
A spate of high-profile mega data breach events involving the loss of hundreds of millions of records hit the headlines in 2018 and this trend has continued in each year since then. A data breach can be caused by hackers, for example, using a virus or a malware infection, or using phishing techniques. A data breach that is caused by hackers usually involves the theft of data, which has value to the criminal and is therefore worth stealing. However, a data breach can just as easily result from employee negligence.
The incidence of notified data breaches has increased following the introduction of the GDPR in 2018 and its mandatory reporting requirements. This trend is expected to continue as people become more sensitive about the use of their data, and more likely to exercise their rights under GDPR. Fines for non-compliance under GDPR can be up to 20 million euros or 4% of global turnover, if higher. The fines, enforcement actions and lawsuits that have been seen so far are regarded as being just the start of a longer-term change in expectations around data privacy, and data security.
3. Theft of Funds
Technology has made it easy for companies to conduct electronic banking. However, this ease has also attracted cyber criminals who try to steal money from a company's bank account. Cybercriminals hack into the target network to gain access to their online accounting or banking platforms and if they're successful, they transfer money from the victim's account. There was a sharp increase in the number of sophisticated social engineering attacks in recent years, often taking the form of business email compromise. Here, a cybercriminal uses compromised email credentials to induce an employee to make an electronic payment to a bank account controlled by a cybercriminal or to transfer sensitive data.
So-called "CEO fraud" has been a very successful tactic against UK and Irish businesses. Here, the fraudsters impersonate the CEO or other senior executives and send email instructions to finance department staff asking for the transfer of funds to the criminals' bank account. Payroll diversion is a fraud where cyber criminals phish for email credentials and change an employee's deposit instructions to redirect the employee's salary to an account controlled by cybercriminals. Some customers have discovered that banks may not reimburse the money if the company has been negligent in the operation of the bank account. There could also be issues with coverage under cyber insurance policies, where funds have been surrendered voluntarily in a theft of funds fraud.
4. Virus or Malware
Malware is a malicious piece of software or code intended to steal data or credentials, log keystrokes on the keyboard to enable unauthorized access, or otherwise create a risk to the confidentiality, integrity or availability of data and network or other computer resources. Virus and malware infections have been a threat to small businesses for decades, but they're still among the most frequent reasons why small businesses suffer cyber losses. New viruses and malware are constantly being released, and no anti-malware or antivirus program will give completely effective protection against a brand new threat that has never been seen before, a so-called "Zero Day" threat.
5. Network Interruption/System Failure
Network interruption is the term often used to describe an interruption to the business caused by a cyber incident. Often when a cyber incident happens, it is not immediately clear what the impact will be on the business because of a lack of access to the data or the IT systems being offline. An expert forensic team may be required to thoroughly investigate the cyber incident and establish what business interruption loss is likely. The severity of network interruption losses varies significantly with the company size, the industry and the duration of the incident. Often, the business interruption loss that results from a cyber attack is the most expensive component of a cyber loss.
The Consequences of Cyberattacks
Responding immediately to an incident can be the most difficult part of a cyber event. If an attack has compromised the company's computer network, then IT specialists will be needed to identify what's happening, stop the attack, establish what has been stolen, and protect against further immediate threats. The cost of these IT specialists to rebuild systems or data may only become clear after the work is completed. Limiting reputational damage, notifying clients or customers whose data has been stolen and offering them identity theft protection solutions will carry a financial cost. Regulators may also need to be informed within tight deadlines and regulators may take legal action against the business for failure to meet legally required data protection standards.
Organizations operating in an increasingly digital world have never been more likely to suffer a cyber attack and incur potentially severe financial consequences. Cyber resilient organizations prepare for the inevitability that their systems and their networks will be breached at some time, and implement a robust cyber strategy as part of their risk management approach.
The Surviving Cyber Courses
I'll finish this article by saying a little about the Surviving Cyber courses. The Surviving Cyber courses are ideal for small business owners in Ireland and the UK, who are concerned about cyber risk and who want to be empowered to manage it. They'll be of special interest to businesses that operate to high professional standards, and IT skills aren't required, as the focus of these courses is on managing cyber risk as a business risk.
In the courses, I teach the mindset and the strategy required to help students create a tactical plan for their business. Together, these three components form the participants' pathway to peace of mind. I explain that there are straightforward steps that can be taken to deal with cyber risk, once you have a guide to help you see the pathway through the current environment.
I teach a five-step process that empowers business owners to assess risk, reduce risk, transfer the residual risk to insurance if required, respond to a cyber incident and report on cyber risk. My offer to course participants is a transformation in how cyber risk affects your business and your life. It's delivered quickly at low cost and low risk of failure.
- The Jumpstart Course
The Jumpstart Course is an introductory, self-study, online education course, that gives the owners and managers of small businesses the jumpstart they need to create their first cyber resilience plan in 30 days. The course contains four sections, and the focus is on technology measures that can be implemented quickly. Course material includes approximately three hours and 45 minutes of video content, all of which is available on joining the course and can be viewed at your own pace.
- The Pathway Course
The Pathway Course is a self-study, online education course, through which participants create their pathway to peace of mind from cyber risk. The course contains six sections, and the material includes approximately five and a half hours of video content.
For both courses, the content is available upon joining the course and is completed on demand at your own pace. Each section deals with one topic, and each topic builds on the previous one. The teaching is presented through a series of pre-recorded videos. There is often a poll to gather your views, a Q&A feature, slide deck handouts, supporting documents and action points to be taken.
- The Coaching Course
And finally, the Coaching Course is a six-week online live coaching course that covers the same materials as the Pathway Course. It consists of six live group coaching calls of one hour's duration delivered on Zoom, and it ends with a live one-on-one session with me as the course instructor to review the pathway document created by each participant. This course is a collaborative live online learning experience and it's only offered to small groups, usually about 20 people at any one time. It offers participants significant one-to-one engagement with me as a course instructor and the opportunity to ask questions directly. Feedback is both requested and expected from participants. If you'd like to join any of these courses, click on the register for the course button on the Surviving Cyber website and complete your information.
Peace of mind from cyber risk
Small businesses are "big business" for cybercriminals. If you lead a small business, you may struggle to make sense of this complex environment. You could be concerned that you may not be doing enough to prepare your business and your people for a cyber incident. A cyber incident is inevitable for your business someday. This could have catastrophic consequences, not just for your business, but for your financial well-being.
By highlighting these "5 Common Cyber Threats to Small Businesses", I hope that this final article in the series will be useful to you when you manage cyber risk in your business.
Don’t forget to have a look at the series videos on the Surviving Cyber YouTube Channel and download the eBook that accompanies the video series at: https://pages.survivingcyber.com/ebook