60% of small companies that suffer a cyber attack or breach are out of business within six months, according to data from the National Cyber Security Alliance. Small businesses that previously escaped the attention of cyber criminals are now increasingly targeted by these catastrophic attacks. If you’re an SME, cyber security is more important than ever.

If your businesses IT security is lacking, you’re an easy target for a global criminal industry predicted to cause £4.5 trillion in damages every year by 2019. A data breaches resulting from a cyber attack now results in a 20% loss in revenue for companies, according to data from Cisco.

You may already be being targeted by cyber criminals and it’s only a matter of time until your business is attacked, especially if it’s not secure. But there are ways to reduce the risk. Here are 5 ways your SME is being hacked and how to prevent them.


It’s continually reinforced that you should not click a link in a suspicious email, but people still fall for phishing scams. The sophistication of these techniques continues to increase and phishing emails look more authentic than ever.

Phishing is incredibly effective; the FBI suspect it was a phishing email that opened the door to Sony Picture’s network, unleashing the huge ransomware attack in 2014.

How to stop it

It’s the responsibility of everyone in the organisation to follow safe procedures when interacting with emails. Phishers play to emotions and sense of trust, so make sure your organisation’s cyber education can stay one step ahead of the criminals.

You can also help prevent phishers from accessing your business accounts. Use tools like multi-factor authentication on business accounts and an encrypted password manager to reduce the likelihood of hackers getting access.

The Internet of Things (IoT)

There’s an Internet of Things (IoT) revolution going on right now and the number of internet-connected devices is rising at an exponential rate.

However, with increasing numbers of IoT devices, new opportunities for hackers are emerging as a lack of security investment makes these devices an easy target for cyber criminals.

Hackers can create botnets formed of inconspicuous IoT devices, like fridges or DVRs, which can be used to direct DDoS attacks at unsuspecting businesses. These botnets are immensely successful, having already caused the largest DDoS attack in history.

One unnamed university network was recently reduced to a crawl as it buckled under traffic directed from 5000 of its own connected devices, including vending machines. The unknown hacker developed malware to breach each device by brute-forcing easily guessable factory-set passwords.

How to stop it

SMEs must pay close attention to the network settings of their IoT device – including anything from an office router to your new Amazon Echo.

All connected devices should also be included in regular IT asset inventories and all default credentials like passwords must be replaced with safe passwords immediately and updated regularly.

Techniques for defending your organisation from DDoS attacks caused by IoT botnets range from writing scripts to filter out malicious traffic to installing specialised on premise equipment. For a closer look at this detailed subject, take a look at this post from Network World.


Ransomware is on the rise across the globe and 86% of all SMEs were targeted by this type of malware in 2016.

Once access to a business’s network or systems is acquired, typically by tricking employees into running malicious code on their computers, ransomware holds your critical files, data and connected-devices hostage. Ransomware code can then spread quickly across a company network as it encrypts sensitive files and data.

Ransomware-encrypted files will be unusable an unrecoverable and your computers will be taken over. They’ll be locked, displaying only one message: how much your business must pay to your captor.

Until a decryption key can be sourced – which the cyber criminals will be glad to sell you for a price – your business will be in complete lock-down.

Without a decryption key, it’s unlikely you’ll be able to crack the encryption. An average computer would take 6.4 quadrillion years to crack RSA 2048 encryption, typically used by ransomware.

How to stop it

Prevention is key to avoiding ransomware. Antivirus software is essential, but it must be reinforced with an effective ransomware strategy and employee education around cyber security threats.

If your business is serious about reducing the risk of ransomware you should consider training members of your IT team in cyber security. There are dozens of ways to train to survive a ransomware attack, like EC-Council’s Certified Ethical Hacker (CEH) GIAC’s GCIH certification.

Regularly backing-up your systems and data is also crucial, and this will allow you to recover your data from a previous state. However, the encrypted data will remain unrecoverable.

Paying up is not recommended, but some companies do acquiesce to the criminals. However, even businesses that do pay-up are not guaranteed to regain access. You’ll also be funding a criminal enterprise and the attackers could simply attack your business again. Honour amongst thieves? Think again.

If you’re struck by ransomware, shut down your systems to prevent it spreading, then restore from backup if possible. Some security firms advise not destroying ransomed data because new tools may be built later on to decrypt these files.


Physical media devices, like USBs given out in handfuls at conventions, could contain malicious code designed to infiltrate businesses and launch devastating attacks, including ransomware lock downs.

If an infected device is used on your company machines, it could bypass your conventional security defences.

This type of hacking is by no means new, but people still fall for the scam. In 2016, one Google researcher dropped 300 USB drives on a college campus, 45% were picked up and plugged into a computer.

If this was a malicious strategy, malware could easily be transferred from the drive to infect an entire network.

If you work in a small businesses, these attacks should worry you, especially if your responsible for IT security, because these devices rarely raise suspicions. If a labelled device with the name of an ongoing project appeared on one of your employee’s desks, they might just plug it in.

How to stop it

Because this technique relies on ignorance, employee education is crucial for. There must be a drive in small businesses to combat sabotage and employees must understand the associated risks.

Low-tech hacking

Sometimes even the most basic techniques are all that’s needed to pilfer passwords and sensitive data. ‘Visual hacking’ that involves snooping over shoulders or taking photographs of logins is rarely discussed, but the dangers are real.

One undercover operative posing as a contractor within offices (as part of a Ponemon Institute experiment) was able to obtain sensitive information – like passwords – 88% of the time.

How to stop it

Once again, cyber security education is critical. If you’re in an office with regular external visitors, you should be teaching your staff to:

  1. Refrain from sharing key customer or business information with others
  2. Remove information from business documents where possible
  3. Obscure sensitive information that can’t be removed

Businesses should also be wary of how public their workspace is. Employees should be encouraged to lock their workstations and you should check security cameras to make sure they’re not pointed towards a screen that holds sensitive information.

What’s next for cyber crime?

As the number of attacks on businesses continues to rise, cyber experts are already predicting how organisations will be hacked in the future. From AI cyber criminals to ethical hackers, businesses must continue to adapt to future threats.