Cybersecurity is a very real threat to the UK’s 5.5 million small and medium enterprises (SMEs).

The often-limited cybersecurity tools many SMEs use to protect their operations mean they are the weakest link, making them an easy target for cyber criminals.

Attacks can be devastating, resulting in anything from destroying vital systems and leaking confidential customer information to demanding significant ransom payments. In most cases, they end up costing significant amount of money and resources.

While SMEs are battling a number of pressing issues including rising inflation, energy costs and weaking demand, they cannot afford to ignore cybersecurity in the year ahead.

A growing threat

According to insurer Hiscox, one small business is hacked every 19 seconds, while four in five (79%) SMEs have experienced a cyberattack in the past 12 months, according to research from Typetec.

One in four UK SMEs has been targeted by ransomware within the past year, with almost half (47%) of those falling victim having paid the ransom to regain access to their files or systems. The survey by Avast found that SMEs targeted by ransomware suffered significant ill-effects from cyberattacks: 41% lost data while 34% lost access to devices.

The UK government’s Cyber Security Breaches Survey 2022 found that 31% of businesses estimate they were attacked at least once a week. One in five businesses (20%) say they experienced a negative outcome as a direct consequence of a cyberattack, while one third (35%) experiencing at least one negative impact.

Even the largest firms with the biggest budgets are worried. Research from EY and IIF found that 72% of global chief risk officers (CROs) view cybersecurity as the top risk in the year ahead. The number of CROs citing cyberattacks as the top geopolitical risk jumped from 39% last year to 62% this year.

With geopolitical tensions and economic challenges set to continue, we can expect the amount and sophistication of cyberattacks to increase in the year ahead.

Dropping budgets amidst other priorities

Awareness of cybersecurity measures has grown post-COVID 19. As small businesses relied more on online sales to help them weather ongoing lockdowns and embraced remote working practices, many also ramped up efforts to protect their operations.

However, despite increased awareness of the growing cyber threat, a third of SMEs (32%) do not have an effective disaster recovery plan in place.

Even larger firms feel unprepared, with 58% of CROs citing their firm’s inability to manage cybersecurity risks as their top strategic risk over the next three years.

Worse yet, the average cybersecurity budget for a small business is set halve in 2023 despite four in five (79%) SMEs having experienced a cyberattack in the past 12 months, a new survey from Typetec shows. SMEs will spend an average of around £50,000 on cybersecurity over the next year, compared to around £100,000 in 2022.

This reduction is broadly down to SMEs struggling in other areas. Smaller businesses tend to run on tighter margins and current economic uncertainty is threatening the future of many.

That said, one cyberattack is all it takes to destroy a business, so it’s vital SMEs continue to invest in their defences.

How to protect your business

Cybersecurity is not a zero-sum game. Attackers just need to be right once so it’s vital SMEs put in the right measures to thoroughly secure their business and shrink their attack surface.

There are several simple things businesses can do to protect themselves:

Policy – An achievable starting point is simply setting out a clear cybersecurity and information security policy and ensuring everyone in the business is well aware of protocols and best practices. This would also involve establishing clear rules on how devices are used, how teams share documents and so on.

Government advice and accreditation – The National Cyber Security Centre (NCSC) has dedicated information available for small businesses providing practical technical advice which can significantly reduce the chances of a business becoming a victim of cybercrime. It even offers a Cyber Essentials accreditation which can demonstrate your businesses has adequate measures in place, providing reassurance to clients.

Preventing unauthorised access – Tailored and controlled access can be another effective way of improving cybersecurity. By making this as granular as possible, senior managers can control the features their team members can access. If unauthorised access were to occur, it would make it easier for the security team to identify and address the source without the risk of system-wide contagion.

Security protocols – Any system needs to incorporate the latest security and encryption protocols, even if a business feels it is too small to be worth a cybercriminal’s time. This can include multi-channel two-factor authentication, four-eyes checks, a complete audit trail of all activity, continuous backups and much more.

Amid unprecedented levels of volatility and global uncertainty, cybersecurity has returned to the top of the list of near-term risks for businesses across the globe. It’s important SMEs prioritise their cyber defences and regularly review, test, challenge and update measures to protect their business from the rising cyber threat.