I am a former Pentagon cyber operator, and this is my advice to SMBs when it comes to cybersecurity
Cybersecurity risk-first strategy crucial for vulnerable SMBs

The UK retail sector was recently the target of a spate of cyberattacks with M&S, Co-op and Harrods all falling victim. But it wasn’t just household names that were attacked.
Food distributor Peter Green Chilled was also targeted, disrupting the operations of the large supermarkets it supplied. Adidas was attacked too, with customer data stolen not directly but via a third-party breach.
While these attacks have targeted the retail sector, third-party security is the greater issue. Supply chain challenges were identified as the biggest barrier to achieving cyber resilience by 54% of large organizations, according to a WEF report.
General Manager of Adlumin at N-able.
Security is a challenge for companies of all sizes, but especially for mid-market and smaller businesses that lack the security budgets of large corporations.
And there are a lot of small businesses. In 2024, 5.45 million businesses were categorized as small, employing fewer than 50 people—99.2% of the total business population.
But the data these organizations must protect is just as sensitive, and the threats they face are just as severe as their larger counterparts—especially if they are used as a stepping stone for bigger targets.
Taking the simple route
SMBs are seen as ‘low-hanging fruit’ for cybercriminals. It’s a perfect recipe: small business owners buy one security layer, such as an anti-virus solution, and lack the knowledge or budget to adopt the correct, additional layers required for reliable resilience.
They may think they don’t have much that a cybercriminal wants to target. However, once an attacker has a foothold, there is often potential for them to make a big profit. Many SMBs service larger corporations.
That link can give hackers access to the jackpot: customer data, employee files, bank details, and other sensitive information.
In our recent State of the SOC report, our MDR team found that 56% of threat detections stem from user endpoints.
How many of these smaller businesses are fully aware of employees' devices and the protection installed on them?
For example, do delivery drivers have a layered defense on their work mobile phone, including real-time threat detection, AI detection, and threat hunting capabilities?
The potential consequences of a cyberattack—stolen data, financial losses, downtime, and more—can be devastating for SMBs. Reputational risk can be even worse. Can partners and customers trust that they will be safe?
Sometimes, cost can seem a prohibitive factor, but the cost of a breach will far outweigh that of proactive security.
Investing in the proper security solutions can help organizations remain secure and ensure business continuity and reputation.
Understanding risk exposure
SMBs should start with a risk-based security approach, ensuring smarter spending. By understanding risk, funds can be allocated to high-impact risks and limit “tool sprawl”, where too many solutions are thrown at the problem.
Compliance frameworks like GDPR and NIST require a business to demonstrate compliance, which can be evidenced through this risk assessment. Below is a good place to start:
Step 1: Identify and classify assets
As in life, ‘taking stock’ is an important part of business and security. Without knowing what assets are on a network, they can’t be secured.
Start by categorizing them into hardware, software, data and networks. Next, rank them based on business importance (what happens if this asset is compromised?), data sensitivity, and compliance requirements.
Step 2: Identify threats and vulnerabilities
This inventory can now be assessed for weaknesses. First, vulnerability scanning can identify vulnerable applications.
Then check for outdated applications and OS vulnerabilities caused by unpatched software, and ensure strong access controls using the principle of least privilege and MFA.
Staff training can be implemented to mitigate phishing and social engineering, and finally, penetration testing can identify weak points in the network.
Step 3: Assess impact and likelihood
A risk matrix of high, medium, and low risks means security efforts can be prioritized by understanding both the potential impact and the probability of occurrence. Compliance requirements should also be factored in here.
Conduct a Business Impact Analysis (BIA) and ask: What happens if a system is compromised? How long can the business function without it? What are the financial and reputational costs?
Step 4: Prioritize risks
Prioritize risks ranked with the highest likelihood and most serious business impact first. These risks will require immediate action, such as implementing endpoint security.
All stakeholders across the business, including legal, finance, and leadership, should be brought in to ensure risk decisions align with business goals.
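As an added example (not part of the article, and not Adlumin or N-able tooling), here is one way the four steps above can be turned into a small risk register: assets are inventoried and ranked (Step 1), threats are recorded against them (Step 2), impact and likelihood are combined on a matrix (Step 3), and the result is sorted so the rows needing immediate action come first (Step 4). The 1-to-5 scales, the compliance uplift, the high/medium/low thresholds and the sample food-distributor inventory are all constructed for illustration.

```python
"""Worked risk register for a four-step SMB risk assessment.
Constructed sample data; the 1-5 scales and the 8/15 band cut-offs are
illustrative assumptions, not a standard the article prescribes."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    """Step 1: an inventory entry, categorised and ranked."""
    name: str
    category: str                  # hardware, software, data or network
    business_importance: int       # 1 (nice to have) .. 5 (business stops without it)
    data_sensitivity: int          # 1 (public) .. 5 (regulated personal/financial data)
    compliance_scope: bool         # in scope for GDPR or a similar regime
    max_tolerable_downtime_h: int  # BIA answer: how long can we run without it?

    def impact(self) -> int:
        """Step 3 impact: worst of importance/sensitivity, +1 if compliance applies."""
        base = max(self.business_importance, self.data_sensitivity)
        return min(5, base + (1 if self.compliance_scope else 0))


@dataclass(frozen=True)
class Threat:
    """Step 2: a weakness found against a named asset."""
    asset_name: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (expected)
    control_gap: str  # the missing layer that would reduce likelihood


def risk_score(impact: int, likelihood: int) -> int:
    """Step 3: impact x likelihood on a 1-25 scale."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be in 1..5")
    return impact * likelihood


def risk_band(score: int) -> str:
    """Map a score onto the high/medium/low matrix (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(assets: List[Asset], threats: List[Threat]) -> List[Dict]:
    """Step 4: rank every threat, highest score first; ties go to the higher
    impact, then to the asset the business can tolerate losing for the shortest time."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        asset = by_name[t.asset_name]  # KeyError here means Step 1 missed an asset
        impact = asset.impact()
        score = risk_score(impact, t.likelihood)
        rows.append({
            "asset": asset.name,
            "category": asset.category,
            "threat": t.description,
            "impact": impact,
            "likelihood": t.likelihood,
            "score": score,
            "band": risk_band(score),
            "max_downtime_h": asset.max_tolerable_downtime_h,
            "action": t.control_gap,
        })
    rows.sort(key=lambda r: (r["score"], r["impact"], -r["max_downtime_h"]), reverse=True)
    return rows


def band_counts(rows: List[Dict]) -> Dict[str, int]:
    """How many rows land in each band, a quick view of where budget should go."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in rows:
        counts[r["band"]] += 1
    return counts


# Constructed sample inventory for a small food distributor (illustrative, not real data).
SAMPLE_ASSETS = [
    Asset("delivery-driver phones", "hardware", 3, 3, True, 24),
    Asset("customer database", "data", 5, 5, True, 4),
    Asset("warehouse wifi", "network", 4, 2, False, 8),
    Asset("accounting SaaS", "software", 4, 4, True, 48),
]

SAMPLE_THREATS = [
    Threat("delivery-driver phones", "phishing link opened on an unmanaged handset", 4,
           "deploy endpoint detection on mobiles"),
    Threat("customer database", "unpatched OS on the database server", 3,
           "move to a monthly patch cycle"),
    Threat("warehouse wifi", "default admin credentials on access points", 2,
           "rotate credentials and enable logging"),
    Threat("accounting SaaS", "password-only login shared by finance staff", 4,
           "enforce MFA and per-user accounts"),
]


def build_sample_register() -> List[Dict]:
    """Run the four steps over the constructed sample data."""
    return prioritize(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    for row in build_sample_register():
        print(f'{row["band"]:6} {row["score"]:2}  {row["asset"]:24} {row["action"]}')
```

On the sample data the shared password-only accounting login scores 20 and tops the register, ahead of the unmanaged driver phones (16) and the unpatched database server (15); the wifi access points land in the medium band. The point of the exercise is the ordering, not the exact numbers: the register tells a small team which one or two controls to fund first, and it doubles as the evidence a compliance review asks for.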
A risk-first approach is key
SMBs find themselves in a seemingly impossible situation. Cybercriminals target them for their access to sensitive information or to larger organizations in their wider supply chain.
Due to their size, many will lack the cyber maturity, expertise, and resources to defend themselves. But unless they make changes, they will remain a more tempting target than bigger businesses.
They can’t change everything all at once. By adopting a risk-based approach to guide their security strategy, and mitigating high-impact risks as an absolute priority, SMBs can strengthen their security posture step by step.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro