
Emma Woods

The Ultimate SME Guide To Combating Cyber Security Threats

There's a big misconception that cyber criminals wouldn't waste their time on smaller businesses. Here's why that couldn't be further from the truth.



We see large companies make the headlines when cyber crime strikes, but what many don't realise is that small companies are also victims of cyber crime. In fact, they are targeted even more often than larger companies.

So, why are smaller to medium businesses such an attractive target to cyber criminals?

#1. SMEs have as much valuable data as large businesses

Let's start with the big one: "Why would we be targeted? We don't have anything valuable to a hacker!" Most small businesses store financial information that can be used for fraud, or personal details that can be used for identity theft. Long story short, these things are exactly what a hacker wants.

#2. SMEs are more likely to pay the ransom

Most small businesses handle computer-based data that is vital for operations, but few are capable of independently recovering from a ransomware attack. This means that, ultimately, small business owners are likely to pay a ransomware demand in order to access and restore their encrypted data.

#3. Smaller businesses are a gateway into larger enterprises

Smaller companies often supply larger organisations with goods and services, giving hackers a golden ticket: information stolen from an SME can be used in attacks on the enterprises it supplies. US retailer Target, for instance, was breached when a hacker exploited the access that the retail giant had granted to an HVAC contractor.

#4. Many small businesses are lacking in adequate cyber defence

It's no secret that SMEs are an easier target for cyber criminals due to their lack of sufficient cyber defence. There is often a serious lack of focus on developing a security-aware culture within the organisation. So while the payouts may be much smaller, the chances of an attack succeeding are much higher when SMEs are in scope.

#5. Criminals are more likely to get away with attacking smaller businesses

Small companies are much less likely to have security personnel and technology in place to detect an attack as it is happening. They are also less likely to have technology that creates and protects audit logs and the other data needed both to perform forensic analysis and to establish admissible evidence. As a result, someone attacking a small business is much less likely to be caught, arrested and punished than someone who attacks a large business.

What types of attacks target smaller businesses?

Phishing attacks

Phishing attacks are arguably one of the oldest, yet most effective, types of cyber crime. Even though awareness of phishing has increased, attackers have shifted their approach to become far more targeted in their attempts to gain access to valuable data from employees and organisations.


Cyber criminals target smaller companies because most of them can't afford the security measures available to a bigger company. Phishing emails are among the most common and simplest ways for an attacker to gain access to a company's systems.

Insider attacks

Insider threats come in many forms, and they are one of the largest cyber security threats facing small businesses on a daily basis.

There are 4 different types of insider attacks:

Oblivious insider threats:

An insider with privileged access to company information whose account has been compromised from the outside is usually oblivious to the act.

Negligent insider threats:

Employees who are uneducated about potential security threats, or who simply bypass protocol to get their work done faster. These employees are the most vulnerable to social engineering.

Malicious insider threats:

Insiders who intentionally steal data or destroy company networks, such as an employee who deletes company data on their last day of work.

Professional insider threats:

Insiders who make a career of exploiting a company's network vulnerabilities and selling that information on the dark web.

Social Engineering

Social engineering is one of the most successful methods a cyber criminal uses to extract data from their targets. There is one big reason cyber criminals target small to medium businesses more than large ones: the lack of investment in cyber security defences. Most big businesses can afford to spend money on the most up-to-date software and anti-virus systems.

Social engineering is often used as an entry point for a larger attack. An attacker can get past even the strictest security at a large company by simply walking up to the front desk and claiming to have been sent from head office to "fix a system error".


Ransomware

Ransomware attacks are not new.

Part of the reason ransomware is on the rise is the drastic developments in technology. Most ransomware these days even has a pre-programmed time delay, which enables it to be set up days or weeks before the attack actually takes place.

Most small businesses assume they will never be a target, simply because of their size and their general income. Even though this may seem reasonable, a criminal will still target a small company. What stands out to a criminal is the lack of security a smaller company has, which makes it a lot easier to gain access to valuable information.


Malware

Smaller businesses are increasingly moving to e-commerce and digitising their business. This opens up many opportunities for cyber criminals to infiltrate a network. Malware infections can come in many forms, including adware, ransomware and spyware.

Malware is not always detectable and can stay hidden for a long time. Not only can malware gain access to your computer or any other device without you knowing, it can also cause serious damage. It is a harmful program that can be used to transmit personal information you may have stored, including credit card numbers, banking details and social security numbers.

How can these attacks be prevented?

Update software regularly

Updating your software may seem like a time-consuming task, but keeping it updated on a regular basis improves the software and fixes any bugs that have been found. When your device recommends an update, it means the provider of that software has been testing the system and has found some bugs that need fixing.

When you don't update your software, your device keeps running the old version. It is less compatible and runs a lot slower, and it increases the chances of a successful cyber attack.

Run regular phishing simulations 

Phishing has been, and always will be, one of the biggest problems a company faces. There is no simple answer to combating the problem, but there is one method that has consistently been successful for many companies.

Phishing simulations put your employees in a realistic situation: they let you see how your employees respond to phishing emails and what they do about them.

Before choosing a phishing simulation tool, it's a good idea to take a few free trials of various products and find the simulation tool that best suits your business. Here is our free phishing simulation tool (no card details required).

Use strong passwords

Passwords are the first thing a cyber criminal will come across when trying to get access to any data. If the password is not unique and difficult to guess, you're making it very easy for them to gain access.

Passwords should be changed every 2-3 months and should never be reused across different devices. This simple form of security is extremely important and should never be dismissed.

Implement 2FA

As well as using strong passwords, it's also a good idea to implement two-factor authentication (2FA). Two-factor authentication adds an extra layer of security and even some flexibility. The user can be given multiple authentication options to use on their devices; for example, they may choose a thumb print and a security question as their method of authenticating.

There are numerous types of authentication such as:

  • PIN code

  • password

  • retina scan

  • thumb scan

  • security question 

  • SMS password

Security awareness training

Implementing a security awareness training platform in your business is a fantastic way of keeping your employees educated on the latest security threats and on security best practices.

The right platform will offer regular training in short, bite-sized modules to keep your end users engaged. The training itself needs to be educational but also engaging, otherwise your employees won't retain the information. If you're looking for a security awareness program, we have a free one for you to try.

Enable spam filters 

Spam filters are another way of keeping phishing emails at bay. The spam filter will detect any spam-like emails, including phishing emails, and send them straight to your spam folder.

Most email providers, such as Outlook and Gmail, have spam filters enabled by default, and the filtering can be adjusted in the settings.

Implement a strong cyber security policy

Have you got a strong security policy in place?

A cyber security policy is important for a business of any size, especially an SME. A security policy should define how employees handle security risk and which precautions should be taken at all times. A lot of security policies are very vague and do not cover the right topics. Here is our blog on what you need to include in your cyber security policy.
