Small business cyber security: what you need to know

Published • 15/03/2024 | Updated • 15/03/2024

Management

Small business cyber security: what you need to know

Published • 15/03/2024 | Updated • 15/03/2024

It’s all too easy for cyber security to fall by the wayside when you’re running your own business. After all, as an entrepreneur you’ll have plenty on your plate, from working out how to price a product to strategizing how to use social media for small business success. So, it’s understandable that cyber security threats may not be on your day-to-day radar.

But they really should be. Contrary to popular belief, cyber security threats aren’t just a concern for big companies and government systems – rogue online operators also frequently target smaller-scale enterprises. In fact, a recent report into small and medium-sized businesses revealed that 48% experienced at least one cyber attack in the year leading up to being surveyed.

Small businesses occupy a “sweet spot” in the eyes of cyber attackers – they offer more potential digital assets to plunder compared to individual humans, but are softer targets than big organisations which are likely to be more vigilant about cyber security threats.

If this isn’t something you’ve had time to think about in your business journey, we’ve got you covered in this guide, which is a must-read whether you’re interested in how to make money online or have set up a food and drink business like a restaurant or bar.

We’ll provide the lowdown on threat types, and talk through cyber security tips for small business safeguarding, including implementing the popular NIST cyber security framework. But before we get into all of that, let’s answer a key question.

Why do small businesses need cyber security?

A cyber attack can potentially have an even more profound effect on your business than a physical robbery. That’s because it’s not just your money that’s at risk of being stolen.

If hackers manage to infiltrate your IT infrastructure, they might gain access to:

  • Your personal and/or business banking details.

  • Customer information, including addresses and banking details.

  • Sensitive information about your business, such as product details and small business ideas in the offing.

  • Confidential details on manufacturing details and intellectual properties.

  • The IT networks of businesses you’re working with, such as suppliers and agencies.

Successful cyber attacks can cause financial losses because of direct theft of money and banking information, and because of disruption to your business. Plus, if customers need to be told that their details have been compromised, the reputational harm to your brand could be immense.

With all of this in mind, it’s easy to see why around 60% of small businesses which fall victim to a cyber attack are forced to cease operations within six months of the incident.

Keep your business funds safe

SumUp’s online business account isn’t just free and easy to set up – it’s also got built-in protections to keep your money secure, including 3D Secure verification for every transaction, and fingerprint or face ID to ensure only you have access to your account.

Open your business account now

Types of cyber security threats to watch out for

These days, pretty much every kind of business will have a technological component, from cloud-based software for handling conference calls and delegating tasks to colleagues, to handy tech like card readers which allow customers to pay you in a convenient, fuss-free way.

Such tools can make small businesses run much more efficiently, helping to both boost revenues and maximise customer retention. However, the digitalisation revolution means that business founders need to be more aware than ever about the various methods cyber attackers use to gain unlawful access to valuable information.

Whatever kind of business you’re running or thinking of running – whether you’re only interested in how to make money on the side or have set up a whole new career – these are some of the main small business cyber security threats you should keep an eye out for.

Malware

Malware is short for “malicious software”, a category that encompasses an ever-changing variety of computer programmes that allow cyber criminals to access websites, networks, hardware devices and secure online accounts.

Viruses 

The most notorious type of malware, computer viruses operate in the same way as their biological namesakes. Just as a cold virus infiltrates a host human body to multiply and cause damage, so too does a computer virus enter host computers and other devices, embedding its malicious code within files and operating systems.

The viral code can then replicate and spread, inflicting all kinds of harm from corrupting and deleting files to outright reformatting your hard drives.

You may unwittingly allow a virus to enter your computer system by:

  • Visiting an infected website

  • Opening an email or social media attachment containing the virus

  • Downloading games, tools and other system utilities

  • Installing new programmes that secretly contain viruses

Worms

Computer worms cause damage in the same way as viruses, but there’s a key difference between these cyber security threats.

Viruses require some kind of action by a human in order to activate and spread. In other words, a virus will lie dormant until someone opens an infected file or executes an infected programme.

By contrast, once a worm enters your system – either through one of the viral gateways mentioned above, or through a security vulnerability – it spreads on its own, without being attached to a file or programme. The fact that computer worms can burrow through systems independently makes them especially insidious and dangerous.

Trojan

Trojans, or trojan horses, are malicious programmes which are secretly embedded within seemingly innocent files and programmes – hence the name, referencing the infamous wooden horse used to smuggle Greek soldiers into the city of Troy.

Trojans differ from viruses in that they don’t generally infiltrate other files or spread through your system. Instead, they carry out a specific purpose, such as stealing information or giving a cyber attacker remote access to your device.

Spyware

As the name suggests, spyware is a type of malicious software which secretly runs in the background of your devices in order to monitor your actions. Spyware can track the sites you visit, and monitor the files you download and the emails you send and receive.

What’s more, a type of spyware known as keyloggers will record everything you type into your keyboard, allowing third parties to steal your passwords and banking details.

Like other kinds of malware, spyware can enter your system through security vulnerabilities, attachments and downloaded files.

Phishing

Phishing is when cyber attackers pose as legitimate companies or individuals, to scam targets into revealing sensitive information like usernames, passwords and banking details or installing malware onto their systems.

Say you’ve been exploring business ideas from home and have decided to set up your own graphic design business. A few weeks in, you receive an email from Adobe telling you that the payment details for your Photoshop subscription need to be verified.

The email contains a link to what looks like an official Adobe portal, where you’re directed to enter your payment details. However, the portal is in fact a clever fake, designed to capture those details.

This is a textbook example of how phishing works. Emails are the most common way scammers approach targets, though phishing attempts can also be made through text messages and social media communications, either containing fraudulent links or attachments infected with malware.

According to recent research carried out by the UK government, phishing is the most prevalent cyber security threat to British businesses. This highlights the importance of being incredibly careful when you receive unsolicited messages on any device or platform.

Ransomware

A ransomware attack is a particularly hostile and combative strategy employed by cyber criminals, where they use malware to shut you out of your own systems and data, for example by locking devices or encrypting your files.

They will then demand payment in exchange for allowing you to regain access, and/or not sharing your confidential information with others.

How to prevent cybersecurity attacks

Vive Vivero, vivevivero.com

When running your business, it’s only natural your mind will be on essential tasks like sending invoices, managing your online store and brainstorming things to make and sell rather than cyber security threats. 

But, as we’ve discussed above, the threats are real and entrepreneurs should be vigilant. Let’s look at cyber security best practices for small business safety, which apply to enterprises of all kinds – from business ideas with low investment to larger-scale businesses.

Carry out a risk assessment

Any small business cyber security strategy will rely upon having an awareness of your system and potential risks. The extent of such risks very much depends on the size of your business.

If you’re only interested in how to make money from home, and run your entire enterprise through your laptop, then your risk exposure will be a lot smaller compared to a business that has staff in an office working on multiple devices.

That said, no matter how your business is set up, the same basic questions should be part of your risk assessment:

  • What hardware devices – computers, smartphones, tablets, and anything else – are in use for your business?

  • What software – including software not directly linked to your business – is running on those devices?

  • What cloud-based services are running on those devices, and what cyber safety protocols do these services have?

  • What risk-mitigation solutions, such as antivirus software, are currently in place?

This assessment may take very little time if you’re running a small business entirely on your own, but it will provide the kind of clarity that’s useful when developing your security strategy.

When making use of SumUp tools and services such as SumUp One, the subscription package which provides discounted prices and payouts by 7am the next day, you can feel safe in the knowledge that the most stringent industry standards are in place.

These include the use of 256-bit encryption and PCI-DSS, the highest data security standard used in the credit card industry concerning data transfer and data storage.

Utilise antivirus software

If you don’t already have antivirus software installed on your devices, this should be the first item to be ticked off on your to-do list. 

There are several trusted tech brands offering antivirus software, some of which are specifically tailored to the needs of small businesses, so take the time to shop around and compare what they offer.

The leading antivirus software options are all simple to install across your devices, requiring next-to-no IT skills. You simply subscribe and let the software do its thing.

The best antivirus software will be multi-faceted, providing 24/7 monitoring of emails and files for malware, firewall protection, and URL checks for more secure web browsing. Some options will also come with extra utilities like data shredders and VPN connections.

Keep your software updated

Ensuring all your software, from Windows to individual apps, is fully updated is known as patch management. This is vital, not just for maximising how efficiently they run, but also for protecting your system from cyber security threats like worms and trojan horses.

That’s because outdated, unpatched software can contain flaws and vulnerabilities. Malware can exploit such vulnerabilities to gain access to your system, just as an intruder can enter a home through an open window or unlocked door. 

When the software vendors detect such issues, they make solutions available through patches and updated versions of their products. While some software will automatically update, others may notify you that an update is required, so that you can manually give it the go ahead.

When you consider that, according to one recent survey, unpatched vulnerabilities are the root cause of over 60% of business data breaches, it’s clear to see why you should stay on top of all updates as they’re made available.

This vigilance should apply to all software on any devices used by you or staff in relation to your business – even software that’s not directly connected with work. For example, games and apps should be kept updated so they don’t let in malware that can wreak havoc with work-related files.

Back up your files

All businesses, from bustling restaurants to tiny enterprises based on hobbies that make money, will amass data files over time. These can include documents relating to your products and services, your customer and order histories, your marketing strategy for small business success, and bookkeeping records.

As we noted earlier, such files can be infected by malware. And even with the most stringent small business cyber security protocols in place, there’s always that small but real risk of a successful ransomware attack which could render files inaccessible and bring your business to a halt.

This is why it’s considered best practice to back up your files. This will ensure you have up-to-date, or almost up-to-date, copies of these vital documents, which can be a life saver whether an unscrupulous hacker is holding data to ransom or a simple error has led to files being lost.

The good news is that backing up your files is easier than ever thanks to cloud storage, where third-party companies store your data securely on their systems. For example, cloud storage provider Dropbox retains previous versions of your documents, so you can go back and access them in the case of accidental deletions or deliberate malicious acts.

To be extra careful, you can also periodically save your data to an external device like a USB stick, which will be completely out of reach of cyber criminals as long as it’s disconnected from your computer when you’re not backing up files.

Know how to recognise phishing

Phishing is an ever-present threat for entrepreneurs, with a recent UK government study revealing that almost 80% of British businesses faced at least one phishing attack in a 12-month period.

Here are some red flags that can signal an email or other communication is in fact a phishing attack.

The (low) quality of the writing

Communications from legitimate organisations will be carefully vetted to ensure the content is polished, with no errors when it comes to spelling and grammar. 

The tone of the communication should also pass the smell test. While some phishing messages can be highly sophisticated and fluent these days, many such emails and texts will read as if English isn’t the first language of the sender. Or, they may be stiffly formal, as if AI has been used to churn out the copy. 

You should also look out for the kinds of outdated or generic greetings that legitimate organisations don’t tend to use – for example, “Dear Sir or Madam”.

Poorly-written messages are perhaps the most glaring sign that you’re dealing with a scammer.

Clunky formatting

It’s not just the wording that can give away a malicious presence in your inbox. A strangely formatted email is another red flag, so consider how an email looks.

Is the logo in a strange place on the page? Is it the current logo of the company in question, or an outdated iteration? Is it fuzzy or low resolution, implying it’s been copied and pasted? Are there inexplicable gaps between sentences and paragraphs?

An urgent tone

Another hallmark of phishing communications is a sense of urgency or danger. Many will warn you that you need to click a link or open an attachment right away, in order to rectify a problem, avoid a penalty or claim a reward by a certain time limit.

Of course, legitimate communications may also contain time-sensitive instructions, but as a rule of thumb you should be extra-vigilant whenever receiving this kind of message. If in doubt, get in touch with the organisation yourself to double check.

A suspicious email domain

The email domain is the part of an email address that comes after the “@”, and it can be a major tell when it comes to phishing.

Unless they’re being sent from freelancers, legitimate business emails won’t typically have generic domains like @gmail.com or @hotmail.com. Instead, the domain will typically be unique to their business.

Look out as well for the spelling of the domain – there may be an attempt to mimic a valid-seeming address with a slight difference in spelling which might go unnoticed. Think “shipment-tracking@amazorn.co.uk” rather than “shipment-tracking@amazon.co.uk”.

Another trick phishing scammers use is to place the legitimate company’s name in the email address before the domain. For example, “Amazon-support@gmail.com”. The intention here is to trigger instant name recognition and reassurance in your mind, so be sure to check the full address.

Your email client’s in-built spam filters will hopefully filter out phishing messages without you even knowing about it. However, it’s still important not to take that filter for granted, as clever scammers can sometimes get through to your inbox. If you’re ever in any doubt, do not open attachments or click on links.

Have a secure login protocol in place

You can make life a lot more difficult for cyber criminals by ensuring your login details for online services like email accounts and apps are as hacker-proof as possible. Here are the two main best practice principles to follow.

Use a strong password

Guidance from the UK government’s National Cyber Security Centre states that you should “make sure that somebody who knows you well couldn’t guess your password in 20 attempts.”

Here are some rules of thumb to follow when creating your passwords:

  • Make each password hard to guess – in other words, avoid words related to your life, family, hobbies and anything else a hacker might be able to guess.

  • Create each password from three separate words, none of which should be connected to you or your friends and family, as mentioned above. For example, “donkeycarpetsky”, or “shelfcloudisland”. 

  • Unless a particular piece of software requires it, it’s not essential to use a mix of upper- and lower-case characters and special characters, since length matters a lot more when it comes to security. However, you may still want to throw some of these variations in.

  • Ensure your password is at least 12 characters long – the more, the better.

It’s best practice not to reuse the same password for different accounts, but it’s pretty tricky to remember all the different complex passwords. A good option is using a dedicated password manager such as 1Password, which will both generate secure passwords and keep track of them all for you, autofilling them when needed.

Enable two-factor authentication

Two-factor authentication or 2FA is a security protocol which, as the name suggests,  requires two identification procedures before giving access to an account. For example, after entering a password, a unique code may be sent to your phone or email inbox, which you’ll then have to enter to unlock the account.

It’s good practice to ensure that all business-related accounts have 2FA enabled. If you’re using a passport manager, you should have 2FA enabled for the main account login.

Install a secure POS system

If you run a physical shop, restaurant, bar or café, you can minimise the need for you and your staff to use multiple passwords and access sensitive files on different devices by installing Point of Sale Pro. This allows orders to be taken, payments to be processed, and stock data to be tracked, all through one secure interface.

Book a free POS Pro demo

Use a VPN

VPN stands for “virtual private network”, which provides an effective way to protect your privacy online. It does this by routing your internet activity through an encrypted connection to the VPN provider’s server.

As your activity is routed through the VPN server, your ISP (internet service provider) won’t be able to track your activity, and it will be more difficult for advertisers and other third-parties to keep tabs on you.

Using a VPN can make your internet usage safer when you’re using unsecured public Wi-Fi networks such as in coffee shops and shared office spaces, as the encryption helps lower the risk of hackers snooping on your data. For this reason, it’s often used by businesses with staff working remotely.

Make sure your staff are in the know

Everyone involved in your business needs to be aware of the importance of guarding against cyber security threats. Indeed, vigilance should be a part of your workplace culture, so that it becomes second nature to stay safe when using software and hardware.

Take the time to pass on cyber security advice for small business safety, so your staff are clear about the different types of malware out there, how to spot phishing communications, and other best practices of online security.

Your staff should also be instructed not to download apps or other programmes onto business devices without consulting you first. The provenance of any such apps must be carefully vetted so that you know they’re from reputable vendors. Staff should also be reminded to keep their personal mobile phones secure, as these can provide gateways to your business.

How to tell you’ve been attacked by malware

Hopefully your business files and systems will never be infected by malware. But what are the tell-tale signs that your security may have been compromised?

Slow-running devices

Malware uses up precious system resources and bandwidth, and can therefore interfere with your Wi-Fi speed and cause your devices, operating systems and programmes to become sluggish or even crash.

Of course, there may be other reasons for slower operating speeds, such as insufficient RAM, but this is certainly a red flag for dodgy goings-on.

Pop-ups and random redirects

If pop-up ads are suddenly appearing on your screen – not counting the legitimate promotions that often flash up when you visit websites – then you’ll want to run an immediate antivirus scan.

Similarly, malware can cause your browsers to start acting strangely, redirecting you to unsecured websites and changing your browser’s homepage without your say-so.  

You notice unfamiliar apps and icons

Check out your desktop, toolbar and other menus on your devices. If you spot apps and icons which don’t ring any bells, it may be the result of malware activity.

You can’t access files

One of the most alarming signs of hostile activity is the sudden inability to access your own files on your devices. This may be the result of a ransomware attack which has encrypted your data and will only “release” it in return for payment.

It should be emphasised that malware often lies very low, and provides no clear signs of its presence on your computer, tablet or phone. 

That’s why it’s important to have antivirus protection installed and to maintain best security practices from the very beginning of your business journey, when you’re still carrying out early tasks like working out how to identify your target market.

What to do if you’ve been cyber attacked

If you know one or more of your devices has fallen prey to malware, don’t panic. There are a few important steps you can take to deal with the threat. 

  • Disconnect your device from the internet, so that the malware will no longer be able to leak personal information or infect other devices

  • If you know the malware has entered your system through an app or programme you’ve downloaded, uninstall it immediately

  • Instruct your antivirus software to perform a complete scan – it will hopefully be able to quarantine the threat

  • If problems still persist, you may need to perform a factory reset, which will completely wipe your device – this is a last resort move

  • Reset all login credentials

The NIST cyber security framework

In 2014, concerns around the prevalence of cyber security threats prompted the US National Institute of Standards and Technology (NIST) to publish its guidelines for mitigating the risks.

Known as the NIST cyber security framework, it’s a much-circulated, in-depth resource which may be regarded as too detailed for many smaller scale enterprises. That said, the framework does provide a handy cyber security checklist for small business owners to keep in mind, laying out the following five key “functions” for entrepreneurs to follow.

Identify

This refers to business owners having an essential understanding of how their IT structures function and what physical and software assets are critical to operations. 

For example, a physical asset might be a kiosk interface for allowing customers to order food in a restaurant, while a software asset might be your online store.

The “identify” step also requires pinpointing any potential vulnerabilities which may be exploited, as we suggested earlier when discussing risk assessment.

Protect

The second function of the framework is to “develop and implement the appropriate safeguards to ensure delivery of services”. In other words, adhere to the best practices previously discussed in this guide, such as regular system updates and using secure passports, 2FA, VPN encryption, and other measures.

Detect

As you might expect, this function of the framework advises having threat detection tools in place, such as antivirus monitoring and being aware of any discrepancies and malfunctions which can imply the presence of a threat.

Respond

The framework then moves onto having a proper response plan in place, in the event of a cyber attack. For a small business, this may be as simple as cleaning up your system using antivirus software, or undertaking a factory reset.

However, if your business is larger with many staff members, the framework advises that response plans are discussed with colleagues “to make sure each person knows their responsibilities in executing the plan” and are clear on “any legal reporting requirements or required information sharing”.

Recover

Finally, the recover function is about regaining capabilities and getting back to normal following an attack. This may involve implementing recovery plans, such as restoring previous versions of files from cloud storage, re-installing programmes on devices that have undergone reset, and sending emails to customers and clients to provide reassurance.

Cyber security checklist for small business

Follow these steps to protect your business from malware, phishing attacks and other cyber security threats:

  1. Carry out a full risk assessment of all internet-enabled devices used by your business, paying attention to both downloaded software and any cloud-based platforms in use, and what measures are in place to detect and block any cyber threats that could come your way.

  2. Ensure all your passwords are strong, with each one ideally made up of three separate words; using a password manager is the best way to maximise security and keep track of passwords.

  3. Install antivirus software on all relevant devices, ideally one designed for small business use and offers multi-layered protection such as secure browsing, round-the-clock email vetting and VPN encryption.

  4. Ensure all software is up to date – failing to do this can open up vulnerabilities in your system which cyber criminals can exploit.

  5. Keep back ups of all work-related files using both cloud storage and a removable hard drive, so as to minimise the potential of any malware and ransomware attacks slowing down your business operations.

  6. Be sure you and your colleagues can recognise the tell-tale signs of phishing emails and texts, such as low quality writing, strange formatting and suspicious-looking email domains.

Small business cyber security FAQs

What is a franchise business?

Breaking down the pros and cons of starting a franchise, and what you can expect from your investment.

Read more

How to develop pricing strategies for your business

Discover tried-and-tested pricing strategies for every kind of business, from ecommerce to hospitality.

Read more

Operations management: what you need to know

Learn the comprehensive ins and outs of operations management for achieving maximum business efficiency.

Read more