_Part 2 of 12 in the Cyber security for the small business series._
Before you can defend your business you need to understand what you are defending it against. This month we look at the seven threats that account for the great majority of incidents at small businesses, in plain English. None of these is exotic. They are everyday occurrences, and understanding them is the first step towards making them less effective against you.
Phishing
Phishing is, by a considerable margin, the most common cyber threat any organisation faces. It is the practice of sending fraudulent messages — usually emails, increasingly text messages and social media DMs — that impersonate a trusted entity in order to trick the recipient into doing something harmful. Clicking a malicious link. Opening an infected attachment. Entering login credentials on a fake website. Transferring money to a fraudulent account.
Phishing works because it exploits trust, habit, and time pressure. A well-crafted phishing email looks like a legitimate message from your bank, your email provider, a courier company, or HMRC. It arrives when you are busy. It creates a sense of urgency. It requires only a moment's inattention to succeed.
Variants include spear phishing (targeted at a specific individual, using personal information), whaling (targeting senior executives), and business email compromise (where the attacker either takes over a real email account or convincingly imitates one, and uses it to send fraudulent payment or data requests to colleagues, clients or suppliers). We will cover phishing properly in May. For now, know that this is the front door.
Ransomware
Ransomware is malicious software that encrypts your files and demands payment — usually in cryptocurrency — for the decryption key. Modern ransomware often also steals your data before encrypting it, giving the attackers a second lever: pay up, or we will publish your confidential information online.
For a small business, ransomware can be devastating. If your files, your accounting system, your customer database, and your emails are all suddenly inaccessible, your business effectively stops. Ransom demands range from a few hundred pounds to tens of thousands, and paying provides no guarantee of recovery.
Ransomware typically arrives via phishing emails, compromised websites, by exploiting unpatched software exposed to the internet, or simply by logging in to remote access services (such as RDP or a VPN) with stolen or guessed credentials. The same defences that protect against phishing, poor patching and password reuse also protect against ransomware. The single best protection is, as we will see in September, decent backups: kept somewhere the ransomware cannot reach, and tested so you know they actually restore.
Social engineering
Social engineering is the umbrella term for any attack that manipulates people rather than technology. Phishing is one form, but social engineering also includes phone calls from "technical support" asking for remote access, people posing as delivery drivers to gain physical access to your premises, and even searching through your rubbish bins for useful information (known, rather grimly, as dumpster diving).
The common thread is that social engineering exploits human nature: our desire to be helpful, our respect for authority, our reluctance to question someone who seems confident. These are good qualities in most contexts. They become vulnerabilities only when someone deliberately exploits them.
Malware
Malware is the general term for any software designed to cause harm. It includes viruses (which attach to legitimate files), worms (which spread across networks), trojans (which disguise themselves as legitimate software), spyware (which monitors your activity), and the ransomware we have already discussed.
Malware can arrive via email attachments, malicious downloads, compromised websites, infected USB drives, or through vulnerabilities in outdated software. Once installed, it can steal data, monitor your keystrokes, encrypt your files, or give an attacker persistent access to your systems.
We will look at malware properly in August.
Credential theft and password attacks
Attackers collect usernames and passwords from data breaches — the headlines about millions of accounts being leaked — and try those same credentials against other services. This works because people reuse passwords. If your email address and a password you use for a shopping website appear in a breach, and you use the same password for your business email, the attacker now has access to your email without needing to hack anything. They simply log in.
Automated tools can test millions of stolen credentials against thousands of websites in hours. This is known as credential stuffing, and it is one of the most common methods of account compromise. Because the attacker is presenting a valid password, the login looks perfectly normal to the service; the defences are a different password for every service and a second factor that a leaked password alone cannot satisfy.
You can check whether your email address has appeared in known breaches at haveibeenpwned.com, run by security researcher Troy Hunt. The same site's Pwned Passwords service lets you check whether a particular password has appeared in a breach, without the password itself ever being sent to the site.
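The Pwned Passwords check mentioned above works on a k-anonymity scheme: the client hashes the password with SHA-1 locally, sends only the first five hex characters of the hash, and receives every hash suffix in the corpus that shares that prefix, together with a count; the client then looks for its own suffix in that list. The script below, added here as an illustration and not part of the original article or the haveibeenpwned.com service, implements that exchange. The `live_fetch_range` function performs the real HTTPS lookup; the demo itself runs entirely offline against a constructed stand-in (`constructed_fetch_range`) whose passwords and breach counts are made up for the example, so the numbers it prints are not real corpus figures.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

# Real range endpoint of the Pwned Passwords service. Only the first five hex
# characters of the SHA-1 are ever sent; the full hash, and the password, stay local.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-character prefix
    that is sent to the service and the 35-character suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns (CRLF separated)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    fetch_range receives the 5-char prefix and returns the raw response body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real lookup over HTTPS. Not called by the offline demo below."""
    import urllib.request
    req = urllib.request.Request(
        HIBP_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "smallbiz-password-check"},  # assumed, any descriptive UA will do
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the service ---------------------------
# These passwords and counts are invented for the demo; they are not real figures.
_CONSTRUCTED_LEAKS = {"password": 3861493, "letmein": 245432, "Summer2023!": 1204}


def _build_constructed_ranges() -> Dict[str, List[str]]:
    ranges: Dict[str, List[str]] = {}
    for pw, n in _CONSTRUCTED_LEAKS.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{n}")
    # Pad every range with an unrelated suffix so no response is a single line,
    # mirroring the several hundred lines a real range contains.
    for lines in ranges.values():
        lines.append("0" * 34 + "A:7")
    return ranges


CONSTRUCTED_RANGES = _build_constructed_ranges()


def constructed_fetch_range(prefix: str) -> str:
    """Offline replacement for live_fetch_range, serving the constructed data."""
    return "\r\n".join(CONSTRUCTED_RANGES.get(prefix, ["0" * 34 + "B:3"]))


def check_passwords(passwords: Iterable[str],
                    fetch_range: Callable[[str], str] = constructed_fetch_range) -> Dict[str, int]:
    """Map each password to its breach count. Any count above zero means the
    password is in the lists credential-stuffing tools run, so reusing it anywhere is a risk."""
    return {pw: pwned_count(pw, fetch_range) for pw in passwords}


if __name__ == "__main__":
    for pw, n in check_passwords(["password", "letmein", "Tr0ub4dor&3-unique"]).items():
        verdict = f"seen {n:,} times, change it" if n else "not in the corpus"
        print(f"{pw!r}: {verdict}")
```

To run it for real, pass `live_fetch_range` as the second argument to `pwned_count` or `check_passwords`; the only thing that leaves the machine is a five-character prefix shared by roughly one in a million passwords, which is what makes the check safe to use on a live password.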
Insider incidents
Not all threats come from outside. Disgruntled employees, careless staff, or former employees whose access was not revoked can all cause significant harm. This is not about mistrusting your team — it is about having sensible controls that protect everyone, including the employees themselves.
Most insider incidents are accidental rather than malicious: someone sends a file to the wrong recipient, leaves a laptop on a train, falls for a phishing email. Intentional harm is rarer but can be more severe, particularly when someone has privileged access to financial or customer systems.
Denial of service
A denial of service attack floods your website or internet connection with so much traffic that legitimate users cannot get through. If your business depends on a website — for sales, bookings, or customer communication — even a few hours of downtime can cost real money.
Whilst large-scale distributed denial of service attacks tend to target bigger organisations, small businesses can be caught in the crossfire or specifically targeted by competitors, disgruntled customers, or extortionists.
The thread that runs through this list
Notice that most of these threats are not technically sophisticated. Phishing relies on someone in a hurry clicking a link. Ransomware needs an entry point that was already there. Credential stuffing requires no skill at all. Social engineering requires only the patience to lie convincingly on a phone call.
That is genuinely good news. It means the defences are also not technically sophisticated. They are habits, configurations, and procedures that any business can put in place without specialist staff or expensive tooling.
What February looks like
If you want to do one thing this month, ask the team — at the next coffee break, not in a formal meeting — whether anyone has ever received a phishing email at work. The answer is yes. Listen to what happened. Was it spotted? Was it reported? Did anyone click? The conversation is more useful than any training video.
In March we will look at what an incident actually costs a small business — and why the indirect costs nearly always dwarf the direct ones.