Cybercrime: a big target on small business

scammers, hygiene, hackers, email security, remote

Cybersecurity was once an afterthought for SMEs. Given their size and lack of reward if breached, many SMEs had a “this won’t happen to me” mindset. Unfortunately, as many SMEs have learnt – the hard way – this is a risky outlook.

Despite a growing focus on the need for cybersecurity to reduce risk, a lack of experienced cybersecurity staff, underinvestment in cybersecurity solutions, and smaller IT budgets mean that SMEs are still typically more vulnerable to threats and suffer more proportionally from the results of cyberattacks than their larger counterparts. And, when hit by these attacks, the cost of recovery is crippling, and many small businesses are forced to close up shop permanently.

Worryingly, cybercriminals understand these factors and have placed a big target on small businesses.

Cybercrime goldmine

With the collection and use of data growing exponentially now that almost every business from your local gift shop to the neighbourhood mechanic has a digital footprint, the key reward for cybercriminals is data. This is particularly true for SMEs as they tend to use one service or software application, per function, for their entire operation. Given this, hackers can access multiple departments and platforms of the business, which causes a ripple effect of damages; stolen credentials could provide access to accounting software, which could then provide access to targeted financials that can be sent to the hacker’s own accounts.

As a result, SMEs have experienced accelerating rates of credential and data theft. According to Sophos’ 2024 Threat Report, nearly 50 per cent of malware detections for SMEs were keyloggers, spyware, and stealers malware that attackers use to steal credentials and data. This stolen information was then used to gain unauthorised remote access, extort victims, and deploy ransomware.

Ransomware remains supreme

Sophos’ 2024 Threat Report also found that ransomware tactics continued to evolve. Ransomware attackers were not only targeting managed service providers (MSPs) but also leveraged remote encryption at much higher rates than previously recorded. The report found between 2022 and 2023, the number of ransomware attacks that involved remote encryption increased by 62 per cent.

Furthermore, despite being small, the same cannot be said about the threats SMEs face. Sophos uncovered LockBit as the top ransomware group wreaking havoc on SMEs – a ransomware gang largely recognised as being the most prolific and harmful globally. Ransomware gangs Akira and BlackCat were second and third, respectively. SMEs studied in the 2024 Threat report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.

Therefore, when stature and resources fall into favour of cybercriminals, SMEs must consider how to effectively improve cybersecurity measures while working within tighter constraints.

Shields-up defences

Enhancing cybersecurity within small businesses begins with a culture shift. Cybercriminals expect SMEs to be less prepared, without sophisticated, modern tools and solutions, so it is essential these assumptions are proved wrong.

SMEs must educate staff, deploy multifactor authentication on all externally facing assets, continually patch servers and network appliances, and consider migrating difficult-to-manage assets like Microsoft Exchange servers to SaaS email platforms. Given their smaller manpower, SMEs can also look to invest in managed detection and response solutions. These third-party 24/7 threat scanning services are provided by experienced cybersecurity professionals giving the business the peace of mind that the experts have its back.

Cybercriminals are relying on SMEs to have gaps in their security, and given the interconnectedness of their platforms and software, if attackers gain access to one part of the system, the likelihood of them wreaking damage throughout the rest of the network is high. Therefore, it is imperative SMEs take the necessary steps to reduce their risk factor and aim to be the unexpected business that is prepared to defeat cyberattacks.