Small business guide to cyber attacks – prevention and loss
More than 600,000 UK businesses say they experienced a cyber breach or attack in the last 12 months. Government figures also show that criminals aren’t fussy about the size of business they target; 25% of small businesses and 42% of medium-sized businesses were victims of cyber crime in 2024.
By Alan Boswell Group
In this article
- What’s the average cost of a data breach for a small business?
- What is a cyber incident response plan?
- What should I do if my business suffers a cyber attack?
- Which businesses need cyber security the most?
- How can cyber insurance help my business?
- Cyber security resources and tools for small businesses
- Cyber insurance from Alan Boswell Group
We look at the most common types of cyber attacks and what you can do to minimise the risk of cyber crime to your business.
Common types of cyber attacks targeting small businesses
Interviews carried out by the Department for Science, Innovation and Technology (DSIT) highlight growing awareness of the sophistication of cyber crimes as technology improves. One method that’s becoming more mainstream is the use of AI impersonation.
Nevertheless, there are numerous methods criminals use to target businesses; the most common include:
Phishing
Phishing is the most popular method used by criminals (85% of businesses experience phishing attacks). This is when criminals will try to trick you into downloading malicious software or visiting dangerous websites. In some cases, criminals will try to persuade you to reveal sensitive information, such as passwords.
Examples of phishing attacks include fake bills demanding payment or urgent messages from your bank saying your account’s been compromised. As criminals become more sophisticated, it can be hard to identify phishing, but tell-tale signs to look for include:
Poor spelling and grammar in emails and messages.
Email or web addresses that aren’t quite right (such as govuk.co.uk instead of .gov.uk).
Urgent demands for action, for example, asking you to pay outstanding tax or credit card bills.
Demands for passwords or personal information, such as your date of birth.
Links to websites or attachments you’re not expecting.
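As an added example (not part of the original guide), the following Python check automates the "address that isn't quite right" sign above: it accepts links only from an allow-list of trusted domains and flags hosts whose letters imitate one of them, such as the guide's govuk.co.uk. The TRUSTED_DOMAINS list and the sample links are constructed for illustration, and the matching is a heuristic rather than a complete lookalike detector.

```python
import re
from typing import List
from urllib.parse import urlparse

# Constructed allow-list of domains this (hypothetical) business expects links
# from; a real deployment would maintain its own list.
TRUSTED_DOMAINS: List[str] = ["hmrc.gov.uk", "gov.uk", "examplebank.co.uk"]

def host_from_link(link: str) -> str:
    """Extract the host name from a URL or a bare domain."""
    if "://" not in link:
        link = "http://" + link
    return (urlparse(link).hostname or "").lower().rstrip(".")

def is_trusted(host: str) -> bool:
    """True only when the host is a trusted domain or a real subdomain of one.
    Matching on '.' + domain stops 'gov.uk.evil.com' passing as gov.uk."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _keys(domain: str) -> List[str]:
    """Letters a lookalike would reuse: the domain without punctuation
    ('govuk') and its first label ('hmrc'); labels under 4 chars are ignored."""
    flat = re.sub(r"[^a-z0-9]", "", domain)
    first = domain.split(".")[0]
    return [k for k in (flat, first) if len(k) >= 4]

def classify_link(link: str) -> str:
    """Return 'trusted', 'lookalike of <domain>', 'unknown' or 'invalid'."""
    host = host_from_link(link)
    if not host:
        return "invalid"
    if is_trusted(host):
        return "trusted"
    flat_host = re.sub(r"[^a-z0-9]", "", host)  # 'govuk.co.uk' -> 'govukcouk'
    for trusted in TRUSTED_DOMAINS:
        if any(k in flat_host for k in _keys(trusted)):
            return f"lookalike of {trusted}"
    return "unknown"

def flag_links(links: List[str]) -> List[str]:
    """Return the links a reader should treat as suspicious."""
    return [l for l in links if classify_link(l).startswith("lookalike")]

if __name__ == "__main__":
    for link in ["http://govuk.co.uk/tax-refund", "https://www.hmrc.gov.uk/"]:  # constructed
        print(link, "->", classify_link(link))
```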
Malware
Malware is malicious software, designed to infect your computer systems. Criminals use malware to steal information, which can then be sold or used to hold you to ransom.
There are various types of malware, including:
Viruses – these infect your systems and can either stop your computers from working or result in lost data. They’re often hidden in attachments or files you download. Like a biological virus, these can spread throughout your network.
Trojan virus – this type of malware is disguised as a useful piece of software (for example, an update). When it’s downloaded, criminals can use it to access, delete, or alter information.
Spyware – designed to target sensitive information and send it back to the criminal, potentially including keystroke recordings for password access.
Adware – this collects information about the way you use your computer and then sends you relevant adverts that might interest you. Not all adware is dangerous, but it can redirect you to malicious sites or carry viruses that activate when you click on an ad.
Ransomware – this is when criminals use software to encrypt or lock you out of key files. They can then demand a ransom to release your data.
Password attacks
This happens when criminals attempt to crack your password to gain access to your computer network or systems.
Common techniques include a ‘brute force attack’ where hackers will try every possible combination until they find the right password. For criminals, this process is time-consuming and relies on their use of powerful computers. Unfortunately, brute force is often successful thanks to weak passwords.
Another popular method used by criminals is the ‘weak password’ approach. This assumes that many people reuse the same password for a variety of apps and websites. If they’ve already successfully found a password, they’ll then try to use it across different platforms in the hope that it will work.
Business email compromise (BEC)
These attacks can be very difficult to spot. Criminals impersonate trusted sources within your business and try to trick others into releasing sensitive information. For example, an attacker might pretend to be someone in HR or finance and try to persuade someone into giving them personal details or sending them money.
Distributed denial-of-service (DDoS) attacks
A DDoS attack may sound complicated, but it’s essentially when criminals flood your website or network with so much traffic that it can no longer serve genuine visitors and eventually crashes.
As with other types of cyber attacks, there are different types of DDoS attacks:
Volumetric attacks, which send (fake) traffic to your website.
Protocol attacks, which abuse the rules (protocols) computers use to talk to each other, exhausting the capacity of servers or network equipment until the network collapses.
Application attacks, which make large numbers of complicated requests or deliberately slow requests to your website until it stops processing requests altogether.
Aggregators
Aggregators are quickly emerging as one of the biggest cyber threats to businesses. Instead of targeting individual businesses, cyber criminals are shifting focus to operations which serve many businesses, for example, payroll services, IT/HR services, accountants and lawyers. Aggregating a cyber attack in this way gives cyber criminals multiple opportunities for success.
Cyber incidents can occur at any point in a digital supply chain and aren’t always the result of a hack but may be a simple mistake.
What’s the average cost of a data breach for a small business?
According to the latest government Cyber Security Breaches Survey, businesses lost an average of £1,600 in the last 12 months thanks to cyber breaches. Where there was a clear outcome to the breach, those costs increased to an average of £8,260.
For small and medium businesses with limited customers, cyber breaches and attacks can be devastating, particularly if consumer information is stolen or leaked. Not only are there financial consequences, but there’s also reputational damage to deal with too.
Practical steps to prevent cyber attacks
Criminals can be smart, but there are plenty of practical steps your business can take to minimise the risk of an attack:
Staff training
Keeping staff up to date with the latest scams, phishing emails, and cyber threats goes a long way to preventing cyber breaches in the first place.
Strong passwords
Ensure employees understand the importance of having a strong and unique password for each application they use. Password manager apps can help them keep track of the passwords they’re using.
Multi-factor authentication (MFA)
This adds extra security by asking users to verify their identity a second time. This could involve using a code sent to their phone or emailed to them. It’s quick and easy to set up, and it can make a big difference to security levels on essential applications and platforms.
Update software and backup files
Keep software and systems updated so they’re always operating on the latest version. Files should also be regularly backed up offsite or using a cloud-based platform, so that you can restore them if they are lost or encrypted.
Install a firewall and antivirus protection
A firewall sits between your network and the internet, monitors the traffic coming in and blocks anything that breaks the rules you’ve set or that it identifies as malicious. There are different types of firewalls and antivirus protection available, so it’s worth investigating various options to find one that best suits your business. If you’re not sure about where to start, a cyber security consultant can help.
Network segmentation
This is where you ringfence specific areas so that access is limited to certain users; for example, finance data is kept on one network, while HR details are stored somewhere else. Limiting access won’t stop a breach, but it can limit the damaging effects of one.
Website security
If you’re browsing websites, look for the ‘https’ prefix in the web address. It stands for ‘hypertext transfer protocol secure’, which simply means the data sent between the browser and the website is encrypted in transit. It’s important because it makes it less likely that anyone can stumble across your transaction and steal sensitive data (like credit card details). Note that ‘https’ only tells you the connection is encrypted, not that the website itself is genuine; phishing sites can use it too, so still check the address carefully.
What is a cyber incident response plan?
A cyber incident response plan (IRP) is a document that outlines how your business will deal with a cyber security incident. It’s essentially a plan of action that aims to minimise the impact of a cyber breach or attack.
You can create a cyber incident response plan yourself or hire a cyber security expert who will also identify risks, as well as find solutions for you.
How do I create a cyber incident response plan?
Your incident response plan should be reviewed and updated regularly, and set out:
Key contacts
Define key members of staff who will each deal with a specific aspect. For example, who will notify those affected, who will contact your insurer, or who will manage broader customer communications.
This part should also include details about how you’ll communicate internally and externally if your networks have been compromised.
A flowchart of processes
This outlines the steps to take in the event of a breach or attack. In smaller businesses where it’s just you or a handful of staff, this can be a big help and make it clear what needs to be done.
If you’re in a regulated industry, it’s worth including which regulatory bodies you need to inform.
Define the incident and its impact
Outline types of cyber incidents and how they might affect your business. You can then work out the level of impact each incident might have. For example, a phishing email might lead to malware being downloaded, affecting your internal systems. However, a password attack could result in the theft of sensitive customer data, potentially affecting a larger number of people and damaging your firm’s reputation.
Identifying the risks and threat level enables you to focus on areas that require tighter security. It also means you can create bespoke procedures for each type of incident.
Test and review
You should regularly review and test your incident response plan. It should reflect updates in training, outline the newest cyber scams and risks, and specify what staff should look for.
If a breach does happen, this should be included in your review along with any lessons learned from the incident.
What should I do if my business suffers a cyber attack?
If your business suffers a cyber attack, your incident response plan should set out the actions you need to take. If you have cyber insurance, you should contact your insurer first, as they will normally have experts available to help you and a process that they work through.
Key steps include:
Identifying the incident – what type of attack was it, and what’s the potential impact?
Containing the damage – isolate affected systems to stop any damage from spreading.
Eradicating the threat – remove malware or other malicious elements (this will likely involve the help of a cyber security expert).
Recovering systems and data – if you can, restore systems and data from backups.
Notifying affected parties – inform all relevant parties about the incident, including any regulators you need to report to.
Learning from the incident – when you’ve resolved the incident, carry out a review to identify lessons learned and how to improve security.
Which businesses need cyber security the most?
All businesses that use technology or software are at risk of a cyber breach or attack. For criminals, data is valuable and can be sold or used to hold firms to ransom. If you store, process, or manage other people’s data, this makes you a target, for example:
If you’re a retailer that stores customer addresses, credit card numbers, or bank details.
If you keep a database of contractors or suppliers.
If your organisation is regulated, such as education, healthcare, and finance.
If you’re a micro or small business and don’t have the resources to manage the consequences of a cyber breach.
How can cyber insurance help my business?
Cyber insurance covers a range of digital threats, compensating you for losses and helping you get your business back on track. Policies vary but can be tailored to meet the specific risks you face in your day-to-day activities.
Typically, cyber insurance policies cover:
Breach expenses to investigate the source of the attack.
Data loss which pays to recover corrupted data.
Legal expenses for professional fees.
PR and notification expenses to inform anyone affected and minimise reputational damage.
Business interruption, which compensates you for lost income as a result of the attack.
Extortion and fraud costs caused by data theft or compromise.
Regulatory costs.
Liability for claims made against you from affected parties.
Many cyber insurers also have their own cyber experts who will help you in the event of a cyber attack.
Cyber security resources and tools for small businesses
As technology continuously improves, it can be hard to stay up to date with the latest in cyber security. To make it easier for you to keep on top of news and guidance, we’ve put together this list of resources and tools for you to access whenever you need extra support:
Action Fraud – the UK’s national reporting centre for fraud, including cyber crime. If you think you’ve been a victim of cyber criminals, you can report it here.
Cyber Essentials – this is a certification programme that can help keep your business safe from cyber criminals.
Cyber Incident Response – this is a scheme that provides support and services to organisations that have been victims of cyber crime.
The Federation of Small Businesses – supporting small businesses to stay cyber resilient.
Information Commissioner’s Office – information about GDPR and penalties for breaching data protection laws.
National Crime Agency – investigates serious crimes including modern slavery, trafficking, and cyber crime.
National Cyber Security Centre – this is the UK’s cyber security body helping businesses, the public sector and individuals stay safe online.
Cyber insurance from Alan Boswell Group
Cyber insurance won’t stop you from being affected by cyber crime, but it can help minimise the financial and reputational cost to you. Any policy you choose should reflect the risks you face with levels of cover that enable you to get back to business as soon as possible.
If you’d like to talk through your options and understand how cyber insurance can help your business in a time of crisis, speak to a member of our team on 01603 218000. You can also head to our cyber insurance hub for more information, advice, and guides.