Safeguarding Your SME Business: Navigating the Rising Tide of Cyber Threats

Every day, the impact of cunning cyber attackers on small to medium sized enterprises like yours increases rapidly. From vulnerabilities in your supply chain to a potentially incomplete response plan, the possible weak spots in your company are endless in the eyes of a sophisticated hacker. More than ever, SMEs must seek expert security advice to navigate these treacherous waters and shield against ever-evolving threats. Don’t wait for legislation; act now.

According to the UK government’s own words, said legislation is likely not to arrive before 2025 (and most certainly won’t go into force until 2026 at the earliest).

Legislative Limbo

The UK government missed what is probably its last chance to update such laws before a general election this year, one year after prematurely declaring that the UK’s cyber laws had been “updated.” The King’s Speech, which marked the official start of Parliament in the United Kingdom in November 2023 and laid out the government’s complete legislative programme for the upcoming session, did not mention these laws being passed.

The NIS Regulations were initially passed in 2018 in response to a European Union directive. They set security standards for providers of critical infrastructure and key digital services and required reporting in the aftermath of disruptive assaults.

Due to the current legislative thresholds, many cyber attacks have yet to be recognised as NIS incidents. These limits are based on the impact of a cybersecurity incident on the delivery of critical services, such as whether an attack interrupted energy output at a power plant or whether a cyber attack stopped a rail company from operating services. Because the current standards need to assess the depth of the attackers’ computer network access or if the culprits have the potential to disrupt any critical services, they risk depriving government authorities of adequate visibility into how targeted their sectors are.

The amended laws will seriously raise the threshold for required reporting, with fines of up to £17 million for noncompliance. Why not get ahead of the game?

The threat of future fines for your business is not the only reason to act. According to the ICO, ransomware attacks in the UK have reached a record high, with 700+ organisations compromised. This directly affects the personal data of over 5.3 million individuals—for context, about the population of Nairobi or Melbourne.

Latest UK Attack Update

Late last year, even the Royal Family’s official website was targeted in a denial-of-service attack claimed by the Russian group Killnet, proving that even the most highly protected websites can be affected. We also saw cyber breaches in the least expected places in the same period. St Augustine Academy, a Maidstone secondary school, saw their pupil and parental data seized and encrypted in September. This left parents uncertain about the safety of their personal information and showed us that similar attacks can occur anywhere. Highgate Wood school was also targeted in the same month – forcing it to close – alongside several schools in Suffolk, Wiltshire and elsewhere in Britain.

The UK’s Department for Science, Innovation & Technology (DSIT) states higher education institutions (HEIs) are “more severely affected” than schools, with 60 per cent of those attacked experiencing financial loss or data compromise – a stark comparison to just 24 per cent of average businesses. 45 per cent report having breached accounts weaponised for illegal purposes, which incurs a much more substantial problem for universities than other large entities. In light of this, according to the chair of UCISA (the member-led professional body for practitioners within education), HEIs are also much better informed and, overall, more aware of the risks than other education sector members.

Unveiling the Dark Reality of Cyber Assaults

These attacks may look superficial but illuminate a genuine and sinister threat. Companies that store our most sensitive data are bombarded with attacks daily, even data as personal as our DNA. On October 6, 2023, 23andMe revealed it had fallen victim to a data breach.

The attack targeted 1 million users with Ashkenazi Jewish heritage, selling phenotype information, personal photographs, links to hundreds of potential relatives, and, most devastatingly, raw data profiles.

The hacking group Golem claimed that among the data were “the wealthiest people in the US and Western Europe,” such as the Royals, Rockefellers, and Rothschilds—a claim that has yet to be confirmed. This delicate data was sold for a meagre sum, often for no more than ten US dollars, depending on the data a buyer purchased. This catastrophic incident has forced DNA companies to employ multi-factor authentication logins as a default.

Closer to home, KNP Logistics, one of Britain’s largest privately-owned logistics companies, declared itself insolvent in September 2023. The culprit? A ransomware attack back in June left 730 redundant employees in its wake. KNP could not secure the urgent investment needed to bounce back, and investor trust was severely eroded due to the compromised financial information and critical operating systems. The firm has been added to the long list of the Akira ransomware gang’s helpless victims, making a public example of the threat that the NCSC describes as “one of the most significant cyber threats facing the UK.”

Crafting a Robust Defence Strategy

Keeping you and your team updated on emerging attacks targeting businesses your size is paramount for protection. These recent attacks and statistics underscore the pressing need for SMEs to have a comprehensive response plan and understand the diverse array of daily attacks threatening businesses.

At Thrive, we have extensive experience working with SMEs to help them raise barriers and protect themselves from the most determined cyber attacks. Get in touch with Thrive now and secure your business’s future today.