Cyberattacks – the true cost to small & medium sized businesses


If you run or work in a busy small and mid-sized business (SMB) in London, the last thing on your mind is probably how to protect your business from cyberattacks.

But whether you’re based in London or not, it is reported that 54% of SMBs experienced a cyberattack in 2022 – a 15% increase since 2020.

The Internet has been a revelation and a revolution. It’s changed our personal and business lives beyond recognition. But, as soon as your enterprise launches a website or signs up for an e-mail service (both pre-requisites for successful commerce today) you’re at risk of cyberattacks. Therefore, even early on you must establish a secure IT infrastructure if you want to protect your company from cyber threats.

In this blog post we crunch the numbers on cybersecurity threats, look at how well prepared SMBs are and highlight what you can do to protect yourself.

How prepared is the SMB community when it comes to cyberattacks?

The UK government’s 2023 research on cyberattacks suggests the majority of SMBs are unprepared when it comes to asking the question ‘How can companies protect against hackers?’. The figures show:

  • A decrease in preventative measures – firewalls, password policies, restricting admin rights – mainly due to micro businesses and SMBs
  • The risk of cyberattacks is much greater for medium sized businesses (50-249 employees) – 59% experienced breaches in the last 12 months, versus 32% for small businesses
  • Small businesses aren’t able to identify as many breaches due to lessened monitoring and logging
  • Small businesses aren’t prioritising cybersecurity due to worries about the current economic climate

The impact of a lack of resources

A clear disadvantage for SMBs is typically the lack of resources for cybersecurity protection. Whether it’s not having expert IT staff, the free floorspace to host a secure equipment room or the budget to afford leading defensive technology, SMBs are left more vulnerable.

For example, according to Sage’s new report, 51% of SMBs shared their difficulties in keeping ahead of emerging cyber threats and minimising the risk to their business. Further facts make for sobering reading:

  • Sage reveals that 45% of UK SMBs aren’t sure of what security is needed for their business
  • The same report shows that 57% of UK SMBs are asking for more support with education and training
  • In 2022, 32% of businesses outsourced cybersecurity resources, down from 38% in 2021, due to small businesses cutting back
  • In 2022, small businesses struggled the most in meeting the basic cybersecurity requirements. This was based on a lack of confidence in performing basic tasks, such as setting up firewalls, detecting and removing malware, and storing or transferring personal data securely.

So what’s the typical cost of a cyberattack for SMBs?

Overall, the average cost of the most disruptive data breach for a business in the past 12 months has been £1,100. However, as the size of the business increases so does the cost.

Additionally, the specific costs for micro and small businesses to identify breaches with an outcome was £1,450. For medium and large businesses this average rose to £4,250.

Prevention is always better than cure

Here’s our rundown of the top cybersecurity threats the typical small and medium sized business in London faces and our suggestions to combat them. Don’t worry, we’ve considered any budgetary, space, or staff restraints you may trade under.

Malware

Malware is particularly difficult to detect and costly to remediate. Cybercriminals can be motivated by many factors which may be unknown to your organisation. For example, cyberattacks may be carried out for financial gain through extortion, coercion, fraud or stealing sensitive and classified information that can be sold to the highest bidder.

Recommendations: First and foremost, make sure you back up all important data. Plan it, make it part of your everyday processes, and test it frequently. Use what’s known as the ‘3-2-1 Rule’: keep three copies of your data (for example on a workstation, in the cloud and on an external drive array), on two different forms of media (perhaps a hard drive and the cloud), with one complete copy held offsite.
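The 3-2-1 Rule is easy to state and easy to let slip, so it helps to check a backup inventory against it mechanically, including the "test it frequently" part. The script below is an added example, not code from this post or from totality; the inventory it checks is constructed, and the 30-day limit on restore tests is an assumption you would set to match your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BackupCopy:
    label: str               # where the copy lives
    media: str               # kind of media: "disk", "cloud", "tape", ...
    offsite: bool            # held away from the main premises?
    last_restore_test: date  # when a restore from this copy was last proven to work


def check_321(copies, today, max_test_age_days=30):
    """Return a list of gaps against the 3-2-1 rule; an empty list means the plan passes.
    Three copies, two kinds of media, one offsite, and every copy restore-tested recently."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies; the rule wants three")
    media_kinds = {c.media for c in copies}
    if len(media_kinds) < 2:
        gaps.append(f"all copies on one kind of media ({', '.join(sorted(media_kinds)) or 'none'}); the rule wants two")
    if not any(c.offsite for c in copies):
        gaps.append("no copy held offsite")
    limit = timedelta(days=max_test_age_days)
    for c in copies:
        if today - c.last_restore_test > limit:
            gaps.append(f"restore test overdue for {c.label} (last tested {c.last_restore_test})")
    return gaps


def example_plan():
    """Constructed inventory matching the post's own example: workstation, drive array, cloud."""
    today = date(2024, 3, 1)
    plan = [
        BackupCopy("office workstation", "disk", False, date(2024, 2, 20)),
        BackupCopy("external drive array", "disk", False, date(2023, 11, 5)),
        BackupCopy("cloud backup account", "cloud", True, date(2024, 2, 28)),
    ]
    return plan, today


if __name__ == "__main__":
    plan, today = example_plan()
    # The constructed plan has three copies, two media kinds and an offsite copy,
    # but the drive array has not been restore-tested for months.
    for gap in check_321(plan, today) or ["3-2-1 plan passes"]:
        print(gap)
```

Run it as part of the same routine that runs the backups; a non-empty list is the thing to act on, and the overdue restore test is the gap most plans quietly carry.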

Also ask a managed IT service provider (MSP) in London about a budget-friendly endpoint protection solution. An MSP can offer the expertise of an IT specialist, helping to block the sophisticated tactics of cyberattacks and defend your network.

Web-based attacks

Using an Internet browser and your own website as a launch pad can open avenues for attack. Often, cybercriminals can access and steal confidential client information or compromise your site to make it infect visitors.

Recommendations: Most web-based attacks exploit weaknesses in your website’s functionality by entering malicious code into its input fields. Therefore, you need to control the types of user input your website accepts.

Again, it may be helpful to talk to a managed services provider in London if you don’t have an in-house IT specialist or team. An MSP will have security experts at hand to audit your site for potential weaknesses and correct them. Also, ensure that any app developers or coders working for you build with security uppermost in their minds.
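To make "control the types of user input your website accepts" concrete, here is an added example (not code from this post or from totality) of a form handler written two ways: one that splices a visitor's input straight into a database query, and one that validates the field against an allowlist and then binds it as a parameter so the database never treats it as SQL. The customer table and the probe string are constructed for the demonstration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory customer table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [("alice@example.co.uk", "gold"),
         ("bob@example.co.uk", "silver"),
         ("carol@example.co.uk", "gold")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable form handler: the form field becomes part of the SQL text,
    so whatever the visitor types is interpreted as part of the query."""
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


# Allowlist for the one field this form accepts: something shaped like an e-mail address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(value: str) -> bool:
    """Layer 1: reject anything that is not shaped like an e-mail address, or is absurdly long."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Layer 2: bind the value as a parameter; the database engine never parses it as SQL."""
    rows = conn.execute("SELECT email FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]


def handle_lookup(conn: sqlite3.Connection, form_value: str) -> tuple:
    """What the hardened site does with a submitted field: validate first, then query safely."""
    if not is_valid_email(form_value):
        return ("rejected", [])   # worth logging: repeated rejections from one source are a signal
    return ("ok", lookup_safe(conn, form_value))


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed example of input that is SQL rather than an e-mail address
    print("unsafe handler returned", len(lookup_unsafe(db, probe)), "rows")   # 3: the whole table
    print("hardened handler returned", handle_lookup(db, probe))              # ('rejected', [])
    print("hardened handler returned", handle_lookup(db, "bob@example.co.uk"))
```

The two layers are independent: even if the allowlist let something odd through, the parameterised query would still return nothing for it, which is why input validation and parameter binding belong together rather than as alternatives.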

Distributed Denial of Service (DDoS) attacks

DDoS attacks often result in extended downtime for your website, costing you valuable opportunity, customers, productivity and, of course, profitability.

Recommendations: A good quality and well-configured content delivery network (CDN) can help prevent DDoS attacks and provide infrastructure DDoS protection. It may be useful to get an expert opinion, so talk to your managed IT service provider about the Arbor DDoS solution.

But make sure you plan ahead anyway to establish processes to help your business deal with one. There should be ways to communicate with your customers, suppliers and partners should your website go down.

Phishing and social engineering attacks

This year, a frightening 79% of businesses experienced phishing. Social engineering attacks are especially worrying now that they are more sophisticated, polished and can carry other sorts of risk (like ransomware) right into the heart of your enterprise.

Recommendations: Staff training must be your first line of defence. Help your people to secure your business by empowering them to identify and deal with anything suspicious such as phishing emails or links to dodgy websites. Start with creating a culture of cybersecurity awareness amongst your team. Afterwards, you can prioritise training to encourage effective digital and data security practices for everyone in your organisation.

The threat from within

Unhappy current and former staff can sometimes act out in malicious ways, which can be a threat to your data security. But insider breaches don’t always take the form you imagine. Most often, it’s people who are simply negligent, inattentive, careless or abuse their privileges that become an accidental insider and trigger a data breach.

Recommendations: Include the threat of insider breaches to your data security in your staff training. It reduces the likelihood of a future problem through accidents and carelessness, although not necessarily deliberate or malicious acts.

You can also use admin restrictions to control what devices, programs, files and records your people have access to. Check the credentials of everyone who has access to your systems; ensure their identity, expertise and experience are as claimed. Restricting admin rights also lets you block the running of any unauthorised code that reaches one of your devices, however it got there. Remember to include your in-house people, remote workers and temporary or contract staff in all the above checks and balances.

Out of sight must not mean out of mind

According to Apricorn’s latest research, lost or misplaced devices account for 18% of data breaches in UK businesses. Similarly, 17% of security leaders cited a lack of encryption as the cause of their business’ data breaches.

The truth is, a mobile device can be used by any member of your team to remotely and legitimately access, view, edit, share and download all sorts of confidential documents to their device. This is not only worrisome considering the increase in vulnerability of iOS phones over the last decade, but also due to the possibility of it being lost or stolen. If the phone hasn’t been protected with a suitable passcode and the files encrypted, your IT infrastructure, data, intellectual property, customer information and reputation are all under threat.

Another danger for remote workers is their repeated connections to unsecured public Wi-Fi networks around London and beyond, which can easily be hacked.

Recommendations: Education and good governance are vital. On top of this, talk to your team and your MSP about the following additional safeguards:

  • Implement a ‘Role-based Access Control’ (RBAC) model which restricts an individual’s network access based upon their job
  • Make good password and passcode management the heart of your data security regime
  • Use password managers with two-factor authentication (2FA) and Single Sign-On (SSO) solutions
  • Install remote wiping technology on all your devices
  • Insist on Bring Your Own Device (BYOD) best practice in case members of your team want to use their own kit
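The admin restrictions recommended under "The threat from within" and the Role-based Access Control model in the list above are the same idea: access is granted by job role, denied by default, and lapses when a contract ends. The following is an added example of that model, not code from this post or from totality; the roles, permissions, staff list and reference date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Constructed role model: the (resource, action) pairs each job role is allowed. Anything
# not listed is denied, so a new record type or action stays closed until someone opens it.
ROLE_PERMISSIONS = {
    "sales":    {("customer_records", "read"), ("customer_records", "edit")},
    "finance":  {("customer_records", "read"), ("invoices", "read"), ("invoices", "edit")},
    "it_admin": {("devices", "wipe"), ("devices", "install_software"), ("invoices", "read")},
}

TODAY = date(2024, 3, 1)   # constructed reference date so the example behaves the same every run


@dataclass
class User:
    name: str
    roles: Set[str]
    access_expires: Optional[date] = None   # set for temporary and contract staff


def is_allowed(user: User, resource: str, action: str, today: date = TODAY) -> bool:
    """Deny by default: allow only if the account is still live and a role grants the exact pair."""
    if user.access_expires is not None and today > user.access_expires:
        return False   # contract ended: every right lapses at once, no per-system clean-up needed
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def sample_staff() -> dict:
    """Constructed staff list covering in-house, remote and contract workers."""
    return {
        "alice": User("alice", {"sales"}),
        "bob": User("bob", {"finance"}),
        "dev_contractor": User("dev_contractor", {"it_admin"}, access_expires=date(2024, 1, 31)),
        "new_starter": User("new_starter", set()),   # no role assigned yet: no access at all
    }


def access_review(users: dict, attempts, today: date = TODAY) -> list:
    """Evaluate a batch of (user, resource, action) attempts and return the denied ones,
    which is what an audit log for insider-threat review should capture."""
    denied = []
    for name, resource, action in attempts:
        user = users.get(name)
        if user is None or not is_allowed(user, resource, action, today):
            denied.append((name, resource, action))
    return denied


if __name__ == "__main__":
    staff = sample_staff()
    attempts = [
        ("alice", "customer_records", "edit"),
        ("alice", "invoices", "edit"),               # sales trying to change invoices
        ("dev_contractor", "devices", "wipe"),       # contract expired in January
        ("new_starter", "customer_records", "read"), # no role yet
        ("nobody", "devices", "wipe"),               # unknown account
    ]
    for entry in access_review(staff, attempts):
        print("DENIED", entry)
```

The useful property for a small team is that the permissions table is the only place access is defined: a leaver, a role change or an expired contract is handled by editing one record, and the denied list from `access_review` is the thing to read through when looking for the careless or privilege-abusing insider the section describes.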

There’s no such thing as business as usual after a cyberattack

Although 47% of medium businesses may have a formal incident response plan to cyberattacks, only 20% of all businesses who experienced a cyberattack change precautions in the aftermath. What’s more, a cybersecurity or data breach isn’t just inconvenient and tiresome.

Only just over half of all UK businesses (57%) have a policy of not paying ransomware demands. The fear of losing sensitive data can lead to even riskier action with equally devastating consequences.

Losing valuable intellectual property and compromising your confidential data can do more than simply cause operational and reputational damage. The financial costs can also be astronomical. For example, noncompliance with GDPR laws could cost your business as much as £17.5 million or 4% of your annual turnover, whichever is greater.

As part of an SMB, you must take the cybersecurity threat seriously to protect your company from cyberattacks.

If you want to start the process and secure your business’ data from cyberattacks, feel free to speak to our highly trained team for more information. At totality we offer industry-leading managed IT services to ensure the efficiency, security and optimal performance of your digital infrastructure. We’ve earned the Feefo Platinum Trusted Service Award for the third year in a row, reflecting the strongest commitment to our clients to provide unrivalled business IT support in London.