SMEs must wise up to cyber security risks

Author: ICAEW Insights

Published: 05 Oct 2023

Cyber security awareness month: cyber security has dropped down the priority list for small businesses during the cost-of-living crisis, but it would be a mistake to assume that smaller organisations aren’t at risk.

Jessica Pillow, Founder and Managing Director of Pillow May Accountancy, has seen an increase in the number of cyber attacks that small businesses are experiencing. Just recently, one of her clients was hacked, and sent out an email alerting her to this. “Fortunately, as a result of previously receiving hacked emails from clients, we now have some really strong barriers and firewalls on our email system.”

There have been plenty of warnings about prevalent cyber attacks at the moment, and in Pillow’s view, SMEs are particularly vulnerable. 

“There are more traps now than ever, and cyber attackers are getting more and more clever. Perhaps that’s the impact of AI. It’s more personalised and more believable, involving not just email but phone calls and SMS. So it can look like it’s coming from a legitimate company.”

The 2023 Cyber Security Breaches Survey showed a decline in cyber security investment among smaller businesses. For example, the proportion of micro businesses that considered cyber security a high priority decreased from 80% in 2022 to 68% this year. Cyber hygiene measures such as password policies, network firewalls, restricted admin access and updated software are all in decline. This was highlighted as a cause for concern by ICAEW earlier this year.

Pillow believes that the stresses caused by the cost-of-living crisis have a lot to do with the decline in cyber security investment and the anecdotal increase in breaches that she has seen among small businesses. 

“They are more vulnerable to attacks, and they are perhaps more likely to respond to urgent requests and pressure to avoid further stress. You don’t necessarily have that presence of mind to question what you’re asked.”

On top of this, Pillow does not get the impression, from speaking to business owners, that they take cyber security particularly seriously. There is not enough emphasis, for example, on keeping software up to date, and many businesses still don’t use two-factor authentication for sensitive systems. Part of the problem is that many do not believe that hackers will take any notice of them. 

“It’s a view that ‘there’s nothing we’ve got of any value’, but of course, every business has payments going out. They have valuable customer contacts. There’s always going to be something of value for cyber attackers.”

While a successful hack on a larger company might deliver a big payday for cyber attackers, it’s easier to get smaller amounts from several smaller organisations. “We put monitoring software into our systems so that we could see how many attempted attacks we were stopping, and the number of hackers that attempted to get past our firewall was quite shocking. I’m not sure many people realise how prevalent it really is.”

Pillow is particularly aware of the risks of cyber attacks. Her firm experienced a major incident a few years ago, after a client’s email system got hacked and the attackers used it to conduct phishing attacks. “There wasn’t really a way of telling that the emails were dodgy in themselves. There were red flags that we should have picked up, but unfortunately we didn’t, because it was holiday time.”

As a result of this attack, Pillow and her team redoubled their cyber security efforts and made considerable improvements to their systems and processes (Pillow’s insights from the attack will be covered in detail later in this series). If small businesses and firms were to invest in anything, she recommends looking into education and training for employees. 

“People are nearly always the weakest link. We pay for cyber awareness training through our IT provider, which costs £3.76 per user per month, so it’s not a fortune. I get reports to see if my employees have done the training and I can chase them up and make sure that they are looking at it regularly. We also get constant reminders to update software. We have engaged with a phishing protection service that sent traps through our email system to ensure that people were being vigilant. Those that missed the traps were asked to do some more detailed training.” 

Cyber security is something that every business should think about every two weeks, she says. Touching base and reminding people about the risks is sometimes all that’s needed. “Really it’s about cultivating a healthy scepticism. When we get emails or other communications from clients, we need to ask: does this make sense? Anything out of the ordinary could be a sign of an attack.”

You've been hacked!

ICAEW marks the 20th anniversary of global Cyber Security Awareness month with a series of resources to help you know what to do when a cyber attack happens.
