What small businesses can learn from real-world cyberattacks

Posted: Tue 5th May 2026

Tinesh Chhaya has spent over 25 years in cyber security and built four start-ups in the sector.

After stepping back from the industry following a difficult period, he's now back launching Foundercrush.ai, an early-stage AI platform that acts as a virtual co-founder to help entrepreneurs navigate the complexities of starting and running a business.

His extensive experience includes surviving multiple cyberattacks, providing him with unique insights into the realities facing small businesses in an increasingly dangerous digital landscape.

Real-world cyber threats

Tinesh has experienced the sophistication of modern cyberattacks first-hand and has investigated major breaches for clients. The director of the UK's National Cyber Security Centre (NCSC), Richard Horne, has described advanced AI tools like Anthropic's Claude Mythos as a potential "net positive" for UK cyber defence, if secured against misuse, urging organisations to focus on basic security measures like patching and legacy system retirement.

Tinesh's company suffered a phishing attack where fraudsters impersonated him via email, attempting to trick his finance team into making an urgent £17,000 to £18,000 payment.

Tinesh recalled:

"It didn't sound anything like me. I don't say 'dear', and I'm very quick with my words."

Fortunately, his outsourced finance person recognised the inconsistency and flagged the suspicious message.

More seriously, his best friend's IT managed services company faced a devastating ransomware attack from the Russian state-sponsored group REvil. The attack cost approximately £100,000 per week in downtime, nearly destroying the 20-year-old business that managed IT systems for major clients.

Learning from consulting work

Through his cybersecurity consulting firm, Tinesh investigated numerous breaches, including one at a pharmaceutical company with £250 million in revenue that lost £400,000 weekly to a ransomware attack originating from an Indian supplier.

He says AI models like Mythos aren't creating new attack methods but are significantly speeding up the discovery of existing vulnerabilities, meaning organisations must compress patching timelines from days to minutes.

He explained:

"Security teams often don't like us when we come in because we're holding a mirror in front of these folks."

The pharmaceutical investigation revealed shocking gaps: despite handling sensitive data for major pharma companies, it performed backups only weekly instead of every 30 minutes.

Essential advice for small businesses

With Anthropic's Mythos model capable of automatically detecting vulnerabilities and creating complete attack chains, having identified thousands of zero-day vulnerabilities, including decades-old flaws in major systems, Tinesh emphasises that small businesses must focus on the fundamentals:

  • Regular backups: "If you've backed up everything, you set up a new server and just start rolling again," he advised.

  • Third-party risk assessment: Understanding that suppliers with access to your systems may not maintain the same security standards.

  • Disaster planning: Having manual fallbacks when digital systems fail.

  • Financial buffers: Allocating 6 to 8% of IT budgets to cyber security and maintaining cash flow for emergency responses.

  • Staff training: Basic cyber security measures, including regular security updates, robust access controls, and comprehensive logging, remain crucial, with the NCSC's Cyber Essentials scheme helping organisations protect against common threats.

"It's really all the basics. Let's not overcomplicate it," Tinesh stressed. With cyber insurance now mandating security awareness training for all staff, preparation has become both a practical necessity and a legal requirement.

His new venture, Foundercrush.ai, aims to help entrepreneurs navigate these challenges by providing AI-powered operational support from company registration to ongoing compliance, freeing founders to focus on growth.

I am head of media at Enterprise Nation and have spent the past 12 years working with start-up and small businesses to help them build solid marketing and PR campaign strategies that really help them to grow. I have also worked with the national enterprise campaign StartUp Britain, the fintech investment platform provider Smart Pension and trade skills charity the HomeServe Foundation on media and policy. All of these were built from scratch and grew, with marketing and PR central to that expansion.
