If you think cyberattacks only hit big corporations, think again.
Nearly half of all cyberattacks globally now target small and medium-sized enterprises (SMEs), and nearly half of all data breaches involve organisations with under 1,000 employees.
Rather than confronting the sophisticated security systems of large organisations, cybercriminals see SMEs as easier entry points with significant potential rewards and a lower risk of detection.
And when a breach hits, it hits hard.
IBM’s Cost of a Data Breach Report found that a severe breach can cost a small business, on average, around US$3.31m once you factor in downtime, recovery, lost business and reputational damage.
Even routine incidents can drain SMEs of tens of thousands of pounds. In fact, it’s not unusual for an attack to wipe out months, or years, of profit.
And perhaps the most frightening statistic of all: an estimated 60% of small companies go out of business within six months of a major cyberattack or data breach.
Many small businesses believe they’re too small to be targeted when, in reality, their size makes them easier prey, explains Nadeem Maniar, partner at Baker Tilly in the UAE.
“Attackers know SMEs often lack the security budgets and controls of larger organisations, which makes them ideal entry points into global supply chains.”
And professional services, healthcare and financial firms are particularly vulnerable.
“These sectors handle highly sensitive client data but rarely have enterprise-grade protection,” says Mr Maniar.
“Cybercriminals typically exploit outdated systems, weak passwords and the absence of multi-factor authentication. Social engineering is also rife, because many SMEs don’t have formal awareness or training programmes – and attackers take full advantage.”
The top threats SMEs face
Phishing and social engineering: the #1 attack entry point
Ransomware: locking down systems and holding data hostage
Credential theft: exploiting weak passwords and lack of multi-factor authentication
Third-party risks: compromising vendors and partners
So, what can SMEs do to rise to the challenge?
Cyber resilience doesn’t have to break the bank
Strong defences start with the basics, says Mr Maniar.
And top of the list is employee awareness.
“Security awareness training is one of the quickest and most effective ways for SMEs to strengthen their cyber resilience, because even the best technology fails if your people click the wrong link,” he says.
And employees are the entry point that attackers most often target. In fact, employees at SMEs face the highest rate of malicious emails, with roughly 1 in every 323 messages carrying a threat. That’s a higher rate than at businesses of any other size.
Staff at companies with fewer than 100 employees are also targeted 350% more frequently by social engineering attacks, including phishing, than their counterparts in larger firms.
“While phishing attacks are one of the most prevalent and disruptive types of breach or attack, they’re also one of the most preventable types of cybercrime,” explains Mr Maniar.
“By equipping staff to recognise and understand how to respond to these threats, you can turn potential vulnerabilities into your first line of defence.
“And when someone leaves the organisation, shut the digital door behind them immediately.”
An essential security stack could include:
regular security awareness training
multi-factor authentication
automated back-up systems
network monitoring
an incident response plan.
A multi-layered approach
Effective cybersecurity goes beyond a simple password.
“Multi-factor authentication keeps your accounts safe by requiring more than just a password,” notes Mr Maniar.
“It could be a password plus a code sent to your phone, or a fingerprint or a face scan, making it harder for hackers to get in.
“Firewalls and antivirus software, properly installed and regularly updated, help close vulnerabilities that attackers could exploit, while cloud solutions with built-in security features provide enterprise-level protection without the high cost.
“It’s also essential to limit risky activity by controlling device storage, app downloads, USB access and public internet connections, reducing potential exposure to cyber threats.
“And it’s important to keep an eye on network activity to detect unusual patterns and potential threats.
“Finally, regularly backing up critical business data ensures that, in the event of an incident, valuable information can be quickly restored.”
But the most critical factor, warns Mr Maniar, is having a clear strategy.
“Too many smaller businesses rush to buy security tools and overlook the fundamentals, and it’s these basics that are often more effective than expensive technology.”
Plan for the worst
Every business owner, from a 10-person startup to a 1,000-employee manufacturer, should assume that attackers are probing their defences, warns Mr Maniar.
“Every SME is now a potential target, and the numbers bear that out.
“Having a clear incident response plan ready enables you to respond efficiently to a cyber incident, safeguard sensitive information, and maintain business continuity. It’s all about minimising disruption and protecting your reputation. It’s not enough to wait until an attack to start planning.”