
Top eight security threats every small business CEO should know about

(Image credit: Shutterstock/deepadesigns)

Cyber attacks are on the rise. According to Malwarebytes’ annual State of Malware report, ransomware attacks across the globe rose by 700 per cent last year. If that is not unsettling enough, the UK is leading the pack as the most targeted region in the world, following a 134 per cent rise in threats against British machines. With each advance in technology come new ways for hackers, industrial spies and state-sponsored operatives to exploit their targets and wreak financial havoc on them. At its most basic level, the goal of a cyberattack is to steal and exploit sensitive customer, employee and financial data, tampering with some of an organisation’s most crucial components. Business leaders therefore need to be as aware of cyber security threats, and of how best to prevent them, as they are of financial or operational concerns.

Organisations of every size have a responsibility to invest in the necessary security measures. The Government’s 2018 Cyber Security Breaches Survey showed that nearly half of all UK businesses had been hit by a security breach in the previous year. Attacks on high-profile corporates might hit the headlines, but the reality is that small businesses are far more likely to fall victim to a cyber attack, because attackers see them as a soft target. It is easy to see why. Most large corporates have dedicated IT teams whose sole function is to ensure that cybersecurity policies and protection remain robust. Small businesses typically do not have the same level of understanding or resource at their disposal. As a consequence, security patches go unapplied and systems fall out of date, leaving holes that any opportunistic hacker can exploit.

According to our own research, 62 per cent of small and medium sized businesses do not have a current and active cybersecurity strategy in place. The cost of a cyberattack varies widely; security firm Symantec estimates the average cost of a breach to be somewhere in the region of £130,000. Beyond the direct financial cost there is the impact on productivity and staff time, the damage to brand and reputation and, in the worst case, the loss of the business entirely.

Cybercriminals work around the clock to create new threats, so small businesses must remain vigilant to a persistent and evolving threat. Some of the top cybersecurity threats you should be aware of include:

Malware

Short for malicious software, malware is a blanket term for any software that has been specifically designed to damage, disrupt, steal from or otherwise take some illegitimate action against data, hosts or networks.

Ransomware

Ransomware is a form of malware that encrypts files or locks computers and demands money in exchange for the key. Cryptocurrency, which makes payments far harder to trace, has spiked the use of ransomware in the past few years. You are likely familiar with last year’s WannaCry attack, which saw over 300,000 computers infected across the world. In the UK the NHS saw staff revert to pen and paper after the attack, with several services turning away non-critical emergencies.

Business Email Compromise (BEC)

An attacker crafts an email that appears to come from the head of the company, typically by spoofing the display name or registering a look-alike domain, and uses it to instruct someone in the finance team to transfer funds or to change the bank details on an invoice. The best defence against this ‘CEO fraud’ is to educate and train all staff to be cautious of such emails and to verify any payment instruction or change of account details through a second channel, such as a phone call to a number already on file. The National Crime Agency recently warned businesses to be wary of short-notice changes to invoice details, following the sentencing of a London-based BEC group found guilty of stealing £1m within eight months using this method.
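As an added illustration, not code from the article or from Vistage, the following Python script applies the checks a mail gateway or a cautious finance clerk would run on an incoming message: an executive’s name on an external address, a look-alike sender or Reply-To domain, a Reply-To that diverts answers elsewhere, and a body that asks to change bank details. The company domain, the executive names and the two sample messages are constructed for the example.

```python
"""Heuristic triage of e-mail headers and body for BEC / CEO-fraud indicators.

Added example for this article, not code from the article or Vistage.
COMPANY_DOMAIN, EXECUTIVES and the two SAMPLE_* messages are constructed
placeholders; substitute your own domain and executive names.
"""
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"                 # assumption: your real mail domain
EXECUTIVES = {"geoff lawrence", "jane smith"}    # assumption: names worth impersonating
# Phrases typical of the invoice-redirection variant the NCA warned about.
PAYMENT_CHANGE_PHRASES = ("new bank details", "updated account", "change of bank", "urgent transfer")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _decoded(header_value: str) -> str:
    """Decode RFC 2047 encoded words (=?utf-8?...?=) so display names compare cleanly."""
    return str(make_header(decode_header(header_value)))


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts of a message, lower-cased for matching."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def bec_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like CEO fraud.

    An empty list means none of the heuristics fired, not that the mail is safe.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(_decoded(msg.get("From", "")))
    _, reply_addr = parseaddr(_decoded(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_addr)
    findings = []

    # 1. An executive's name paired with an address outside the company domain.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{from_name}' used with external address {from_addr}")

    # 2. A sender or Reply-To domain one or two characters off the real one.
    for label, dom in (("sender", from_domain), ("Reply-To", reply_domain)):
        if dom and dom != COMPANY_DOMAIN and _edit_distance(dom, COMPANY_DOMAIN) <= 2:
            findings.append(f"{label} domain {dom} is a look-alike of {COMPANY_DOMAIN}")

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # 4. The body asks to change payment details (low confidence on its own).
    if any(p in _plain_text(msg) for p in PAYMENT_CHANGE_PHRASES):
        findings.append("body requests a change to payment/bank details")

    return findings


# Constructed sample: CEO impersonated from a free-mail account, replies diverted
# to a look-alike domain, and the classic "pay the new account today" request.
SAMPLE_FRAUD = """\
From: Geoff Lawrence <geoff.lawrence.ceo@gmail.com>
Reply-To: geoff@examp1e.co.uk
To: accounts@example.co.uk
Subject: Urgent supplier payment

Hi, the supplier has sent new bank details, please pay today from the
attached invoice. I am in meetings, email only.
"""

# Constructed sample: genuine internal mail that should raise nothing.
SAMPLE_LEGIT = """\
From: Jane Smith <jane.smith@example.co.uk>
To: accounts@example.co.uk
Subject: Lunch

See you at 1pm.
"""

if __name__ == "__main__":
    for name, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(name, bec_indicators(sample) or ["no indicators"])
```

None of these checks proves fraud on its own; they are triage signals that should route the message to a human who then confirms any payment change by phone. Real deployments pair them with SPF/DKIM/DMARC results from the receiving gateway, which this stand-alone script does not have access to.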

Supply chain hacking

An attacker compromises a service provider and then uses that company’s access to get into a larger customer in its supply chain. To reduce this risk, leaders need to put strict controls on their supply chain network: identify everyone who is part of it, assess whether they have access to sensitive data or systems, and limit that access to what each supplier actually needs.

Remote access Trojan (RAT)

A RAT lets a hacker control a computer remotely. It typically gains a foothold when an employee opens a fraudulent link or attachment in an email; because the infected machine then connects outbound to the attacker, the traffic passes through firewalls that only block inbound connections. Once in place, cybercriminals can watch and listen through the camera and microphone, record on-screen activity, alter files and distribute malware to other computers on the network.

Drive-by downloads

Attackers place malware inside an advert served on a reputable site. Despite the name, a drive-by download often needs no click at all: a vulnerable browser or plug-in is exploited as soon as the page loads. Ad-blockers reduce exposure to malicious advertisements, and keeping browsers and plug-ins patched closes the holes those advertisements rely on.

Spyware infections

Spyware can steal user and company information, weaken the security of devices and open the door to further malware infections. It installs itself on your computer via an email you opened or a website you visited and scans your hard drive for personal information. It differs from a virus, which is a piece of code that causes damage to your computer by deleting or corrupting files.

Security breaches via IoT

The internet of things (IoT) is making it harder for companies to determine which devices are connected to their network, and hackers are moving fast to exploit security weaknesses in these devices. Keep an inventory of every connected device, change default passwords and, where possible, keep such devices on a separate network from your business systems. To better protect against cyber attacks more generally, small businesses must continue to invest in employee education, cyber insurance, encryption and data backup.

What now?

Ultimately, if you keep customer, employee or financial data of any kind you are a target for cyberattacks and if your business uses technology to communicate or store this data you’re at risk. The first step in avoiding a data breach is accepting that no matter the level of investment and safeguards, networks can and most likely will be breached eventually. Although technological advancements are designed to protect, there will always be threats; from careless and naive employees to malicious insiders or external hackers. Data is a precious commodity and in the wrong hands can cause serious harm.

Mitigating these risks and other emerging threats requires a co-ordinated approach right across the business, starting at the very top of the organisation. Far too many CEOs mistakenly believe cyberthreats are an IT problem. IT lacks the organisational authority to run a cybersecurity programme effectively: IT professionals have operational and technical responsibilities, but they cannot run a competent cybersecurity programme from a first-amongst-peers position.

CEOs have to take back the authority they have abdicated to IT. Only the CEO has the decision rights necessary to make the trade-off calls that have to be made. A CEO is the only corporate officer with sufficient authority to say, “HR, we are going to rewrite a policy. I am going to get corporate counsel involved. We are going to make sure this is done in concert with operations.” They are the air traffic control tower for the organisation. Business leaders must take security risks seriously and assume greater responsibility not only for preventing them, but in forecasting the crucial next steps following an incident.

Geoff Lawrence, Director, Vistage

Geoff Lawrence is a Director at Vistage, a peer advisory organisation designed for CEOs and executive leaders looking to drive better decisions and results for their companies.