Small businesses: How to fix the weakest link in cyber security

An abstract image of a chain breaking in half to represent a weak link

This article originally appeared in issue 19 of IT Pro 20/20, available here. To sign up to receive each new issue in your inbox, click here.

Many small and medium-sized businesses (SMBs) might think they are immune from cyber attacks. After all, hackers tend to go after big-name organisations, where they’ll be able to make headlines, grab the details of millions of customers, and have their soaring ransom demands met.

However, recent research shows that is no longer the case. Almost a third (28%) of data breaches in 2020 involved small businesses, and more than 22% of SMBs have suffered a security breach due to a remote worker since the beginning of the COVID-19 outbreak, according to Verizon’s 2021 Data Breach Investigation Report.

The consequences of these breaches are particularly devastating for smaller companies, too: a poll of more than 500 business leaders found nearly a quarter of UK SMBs – equivalent to 1.3 million companies – were likely to go bust if they were forced to deal with the average cost of a cyber attack.

These consequences are often felt beyond the small business, as SMBs are frequently the target of supply chain attacks, such as the hacks on MEDoc in 2017 and Inbenta in 2018.

“The SMB in 2021 has a target painted on its back; hackers are always looking for an easy target or a slip-up in security to gain access to the supply chain, while many of the enterprises within that supply chain are simply unable to monitor the security of their own supply chains,” Sean Tickle, head of CyberGuard Technologies tells IT Pro.

“With supply chain attacks being a major growth area for cyber criminals, this is a worsening scenario; and the question is, what can the SMB do to protect both itself and its customers.”

Head in the sand

In order to avoid joining the growing list of small companies being targeted by cyber criminals, the first thing SMBs should do is reassess their priorities, according to Alicia Townsend, technology evangelist at OneLogin. She tells IT Pro that security is not usually a prime concern for many small businesses, which instead tend to focus on the product or the service and getting it out to market.

“With so many software solutions running in the cloud nowadays, you no longer need IT teams to stand up servers in order to get your company up and going. You don’t need to be an IT expert in order to set up the company email or even build the first website. You don’t start worrying about security until there is a problem,” she says.

“This means that companies in the SMB space often exist for quite some time without fully trained IT staff and security concerns are not high on their priority list as they are focusing on growing the company."

Rachel Rothwell, regional director of UK and Western Europe at Zyxel, agrees and believes the reason many businesses don’t have cyber security high up on their list of priorities is that they presume they’re too small or not valuable enough to be targeted by malicious actors.


Preparing for AI-enabled cyber attacks

MIT technology review insights


“They assume that larger enterprises are more at risk, considering their bigger revenues and that they possess huge data banks of sensitive information,” she tells IT Pro. “What SMBs won’t appreciate is that they are actually the most exposed and the most vulnerable to ransomware attacks.

“A useful rule of thumb is that for SMBs that undergo a data breach or cyber attack, the odds of them closing within six months is around 60%.”

Being realistic about your resources

Another reason that small businesses are fast becoming a target for cyber criminals is their lack of in-house resources.

Research carried out by Vanson Bourne on behalf of Connectwise in 2019 found that over half of SMBs recognise that they do not have the in-house skills to deal appropriately with security issues and only 41% have specific cyber security experts working within their business.

This situation has only been aggravated by the COVID-19 pandemic. The crisis fuelled a shift to remote working, making it harder for many companies to meet requirements for security certifications and to keep on top of threats. It has also meant that, as of June 2021, an estimated 47,000 small UK tech companies are in financial distress and unlikely to be able to afford to spend on souping up their security arsenal, according to research from Begbies Traynor.

With that in mind, organisations must be realistic about what they can do with the time and resources available, according to Mark Lomas, cyber security expert at managed service provider Probrand.

“The harsh truth is that it might not be possible to stop every attack. However, SMBs can limit the damage, especially if they accept that a breach is inevitable and plan for it,” he tells IT Pro.

“Known as a ‘Zero-Trust’ approach, the idea is to increase your layers of defence by segmenting your systems, and creating more obstacles for hackers to get over if they breach an initial external barrier. This could include the use of multi-factor authentication technology, for example, which requires multiple checks of the user, ensuring only those who have permission to access certain areas can do so.”

Onkar Birk, chief operating officer, and CTO at Alert Logic, also believes there are some small steps SMBs can take to ensure they’re protected against rising cyber security threats, from ensuring visibility across an entire network to having comprehensive detection coverage across the company environment, desktop, cloud, SaaS applications, and data centers.

“Attacks don’t happen where you expect them,” he says. “There is a short list of actions that gets an SMB perhaps 80% covered – hardening security and scanning for vulnerabilities and configuration issues often are key. The last 20% is always the hardest. This is why SMBs increasingly turn to managed detection and response (MDR). MDR can provide security hardening to prevent an attack once a vulnerability is detected, and quickly alerts an organisation for response in order to minimise and contain attacks, regardless of where it is in your environment.”

"It only takes one conversation"

Many believe that while a lack of resources is a major factor for SMBs, their biggest cyber security weakness comes in the form of the employee.

Don Macintyre, interim CEO at the UK Cyber Security Council, says: “The breaches are happening not via those specialist trained cyber security staff but by staff who are not trained at all.

“It’s imperative that the UK’s SMBs recognise cyber security specialists need to work across all divisions of a business. Comprehensive cyber security skills, including supply chain security management in all organisations – regardless of their size – within a supply chain, form an essential part of ensuring its end-to-end security and a risk that needs to be addressed by the leadership team of any business.”

Rothwell agrees, and believes that in order to best protect themselves against ransomware attacks and data breaches, education is key.

“Your local independent coffee shop would be horrified to learn how exposed they are by using the same network to supply guests free WiFi that they use to support their card machines and run their online accounting software,” she says.

“It only takes one conversation with a security expert and some very simple measures put in place, then they can adequately protect themselves and their customers from threats, and go back to fully concentrating on running their business.”

Carly Page

Carly Page is a freelance technology journalist, editor and copywriter specialising in cyber security, B2B, and consumer technology. She has more than a decade of experience in the industry and has written for a range of publications including Forbes, IT Pro, the Metro, TechRadar, TechCrunch, TES, and WIRED, as well as offering copywriting and consultancy services. 

Prior to entering the weird and wonderful world of freelance journalism, Carly served as editor of tech tabloid The INQUIRER from 2012 and 2019. She is also a graduate of the University of Lincoln, where she earned a degree in journalism.

You can check out Carly's ramblings (and her dog) on Twitter, or email her at