Cyberattacks: why small businesses should be worried

The reports are endless. From cryptojacking to automated hacks based on AI, cyberattacks are increasing in both frequency and complexity.

But it’s only when you hear first-hand from the people affected that the statistics become meaningful.

“My small sustainable online vintage clothing business was attacked by [someone] posing to be one of my international importers in 2021,” an anonymous source told TechFinitive.

The attacker then changed the Australian company’s login credentials for both their website and their banks. “I ended up losing $15,000. It was extremely devastating for me as my business had only been launched eight months ago.

“I will never forget how stressful and heart-wrenching that week was for me,” said the small business-owner.

If you don’t think it can happen to you, consider this: a new report indicates 32% of businesses have suffered a serious cybersecurity breach in the past year, with that figure set to rise in 2023.

Increasing complexity and cost

Cybercrime continues to rise in both scale and complexity, affecting essential services, businesses and individuals.

Untargeted cyberattacks such as phishing and ransomware have seen rampant growth in the past two years as more opportunities present themselves to cybercriminals.

“When businesses are attacked it is one of the worst parts of their lives in both a business and financial perspective,” said Martin Boyd of Vertex Cyber Security, echoing the experience of our anonymous victim.

“Often the cost is ten to 100 times more than if they were to originally put security and preventative measures in place. Had they had the right cyber security implemented it would only cost a fraction of what the cost is to repair the damage done.”

Small businesses at risk of cyberattack

Around a third of global organisations have had customer records compromised multiple times over the past year as they battle “a surging level of risk”, according to an annual Cyber Risk Index (CRI) report by the Ponemon Institute.

The report also showed that the number of global organisations experiencing a “successful” cyber-attack increased from 84% to 90% over the same period.

“The stakes couldn’t be higher in the face of stiff macroeconomic headwinds,” said Dr Larry Ponemon, Chairman and Founder of Ponemon Institute. “Respondents pointed to the high cost of outside expertise, damage to critical infrastructure, and lost productivity as the main negative consequences of a breach.”

Top cyber threats in the first half of 2022 were business email compromise, clickjacking, fileless attacks, ransomware and login attacks (credential theft).

Phishing menace

But the most damaging and widespread threat facing small businesses is the dreaded phishing attack. Phishing accounts for 90% of all breaches that organisations face, with over $12 billion in losses. And the problem is getting worse: phishing attacks have grown 65% over the past year.

Phishing attacks occur when an attacker pretends to be a trusted contact, and entices a user to click a malicious link, download a malicious file, or give them access to sensitive information, account details or credentials.

The attacks have grown much more sophisticated in recent years, with attackers now much more convincing in pretending to be legitimate business contacts, as the case at the start of this article shows.

The danger of complacency

Despite large organisations such as Ferrari, Ikea and Medibank earning the most attention when attacked, the most vulnerable targets in the recent global attacks have been small businesses.

61 percent of small business owners polled in the most recent quarterly survey said they were not concerned that their business would be the victim of a cyber attack in the next 12 months, up from 58% last year.

The vintage clothing business owner was one of many business owners who didn’t have cyber security as a priority.

“As we were such a small business I didn’t even think of having security measures in place as we only had a small website and mostly ran through Depop and Facebook Marketplace,” they said.

“We made sure to have strong passwords, but paying one to two thousand dollars for some cyber security was not our priority at all and is certainly something I will regret for the rest of my life.”

What can be done: part one

So, how do you protect your business? One answer is certainly to consult a specialist. “In short, we help companies figure out what they need, how they are cyber attacked, and help them figure out how to protect themselves from those attacks,” Boyd told TechFinitive.

When it comes to exact measures, he points to a range of defences – including simple low-cost measures such as better configuration of existing content and user training.

But sometimes you do need to invest. “We had a business where they were doing a lot of advertising and had gaps in their system and needed security measures, so we told them it would be an extra $3,000 a year to increase their security package,” said Boyd.

The company wasn’t willing to pay, saying they were “smart with hackers and would be careful”. A few months later, Boyd said, “they were compromised, they lost access to their email, so the hackers were able to access financial transactions. The company lost $500,000 and never got it back.”

His advice? “If you aren’t sure and it’s too difficult, just talk to an expert, get a quote, and get some understanding. Hoping your business won’t get hacked doesn’t mean it isn’t going to happen.”

What can be done: part two

Other than hiring a cyber-security expert, there are many ways businesses can optimize their security against cyberattacks.

According to Expert Insights, having a strong email security gateway in place can prevent phishing emails from reaching a business’s employees’ inboxes.

Cloud-based email security providers can also secure a business from phishing attacks. These solutions allow users to report phishing emails, and then allow admins to delete them from all user inboxes.
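The two controls just described, a gateway check that stops an impersonation email before delivery and an admin action that removes a reported message from every inbox, can be sketched in a few lines. The following is an added illustration, not code from the article or from any vendor it names; the supplier list, domains, messages and the in-memory “mailboxes” are all constructed for the example, and a real gateway would add DMARC/SPF results, attachment scanning and URL checks on top of these rules.

```python
"""Toy inbound-mail impersonation check plus a "purge reported message" action.

Added example (constructed data). It flags the pattern from the article:
a sender whose display name matches a known contact but whose domain does not,
a lookalike domain, or a Reply-To that diverts replies elsewhere.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: contacts the business knows, and the domain each really sends from.
TRUSTED_CONTACTS = {
    "vintage imports ltd": "vintageimports.example",
    "accounts team": "mybusiness.example",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains (one letter dropped or swapped)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_message(raw: str) -> list:
    """Return the reasons a message looks like impersonation; an empty list means no finding."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name of a known contact, but the address is not from their domain.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display name '{name}' is a known contact but sender domain is "
                        f"{domain}, expected {expected}")

    # 2. Sender domain is within two edits of a trusted domain (typosquat / lookalike).
    for trusted in TRUSTED_CONTACTS.values():
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            findings.append(f"sender domain {domain} is a lookalike of {trusted}")

    # 3. Reply-To points somewhere other than the sending domain (replies get hijacked).
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {domain}")
    return findings

def purge_reported(mailboxes: dict, message_id: str) -> int:
    """Remove a user-reported message from every mailbox; returns how many copies were removed."""
    removed = 0
    for inbox in mailboxes.values():
        before = len(inbox)
        inbox[:] = [m for m in inbox if message_from_string(m).get("Message-ID") != message_id]
        removed += before - len(inbox)
    return removed

# Constructed sample messages: one impersonating the supplier, one genuine.
PHISH = """From: Vintage Imports Ltd <accounts@vintageimport.example>
Reply-To: payments@freemail.example
Subject: Updated bank details for invoice 4471
Message-ID: <c1@vintageimport.example>

Please update our bank details before paying the attached invoice.
"""

LEGIT = """From: Vintage Imports Ltd <accounts@vintageimports.example>
Subject: Invoice 4471
Message-ID: <c2@vintageimports.example>

Invoice attached, thanks.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, assess_message(raw) or "no findings")
    boxes = {"alice": [PHISH, LEGIT], "bob": [PHISH]}
    print("copies removed:", purge_reported(boxes, "<c1@vintageimport.example>"))
```

The genuine invoice produces no findings, while the impersonation trips all three rules: a trusted display name on the wrong domain, a domain one letter away from the real one, and a Reply-To on a free mail service. The purge function models the “delete from all user inboxes” action that follows a user report.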

Multi-factor authentication (MFA) is also important when mitigating the risks of phishing. MFA applies an extra layer of security to the authentication process when users log into an account. This is commonly delivered as an SMS code or a tap notification on a trusted device. It can also be a biometric check, such as a fingerprint or Face ID scan.

Security awareness training also covers solutions that allow businesses to protect employees by testing and training them to spot phishing attacks and report them.

How to report cyber-crimes as a business owner differs globally. In Australia, there’s a Global Cyber Crime Helpline: +919156111999. In the UK, you’re told to report it to the police by calling 101. And in the US, you should report it on this FBI website.

“We were finally able to relaunch in October 2022, but it has been slow as it was kind of like starting a new business from scratch,” the vintage clothing business owner told TechFinitive. “We have still not fully recovered.”

4 simple actions for small businesses

  • Assume you will be attacked in 2023.
  • Put protection in place against phishing attacks – both training and software.
  • If in doubt, hire expert help. The expense of allowing an attack to happen is far greater.
  • If the worst does happen, report it.

Illustration: Ikon Images

Zara Powell

Zara is a reporter for TechFinitive. Based in Sydney, she covers breaking Australian tech news and provides insight into other developments in the Asia-Pacific region.