Too small to target? Why cyber security is vital for all SMEs
Posted: Tue 2nd Sep 2025
A few years ago, a junior team member at my ad agency opened what looked like a Google Docs file from a supplier. They'd been corresponding that day and expecting a quotation. Perfect timing (and dumb luck) for the scammers.
The "document" was actually an image linking to a fake Google log-in page hosted on the website of an unsuspecting small business in Australia.
Within seconds of my colleague entering his credentials, the scammers had used his details to send a similar email from him to everyone in his contacts – which is when our phones began to ring. An IT problem became a potential reputational crisis in less than the time it takes to make a cup of tea.
That incident taught me something crucial about why small businesses face such unique challenges around cyber security.
You're not the target, you're the weapon
Most small business owners think they're too small to target. "We don't have anything valuable to steal," they say. But they're missing the point entirely.
Cyber criminals don't care only about your bank balance. They care about your contact list. Your relationships. Your reputation. And small businesses aren't always the target. They're also the weapon used to reach bigger targets.
The numbers tell the story. Fifty-eight per cent of UK businesses surveyed reported experiencing an attack in the past 12 months, yet only 22% have an incident response plan.
Forget the Hollywood hacker in a hoodie choosing a target. These processes hit hundreds or thousands of targets simultaneously with very little effort. It's not personal. It's automated, efficient and playing a numbers game.
AI is making it worse
Before AI, phishing emails were often easy to spot. Generic language, obvious grammar mistakes, vague requests that could apply to anyone. Now, every message can be tailored and personalised using information that's publicly available online.
It's the difference between a psychic medium's cold reading and a private detective's detailed surveillance. Except the surveillance process is fast and automated.
There's been a 1,265% increase in malicious phishing emails since late 2022. These aren't mass-produced anymore. They're crafted specifically for you, using your LinkedIn profile, your recent social media posts and your publicly listed suppliers.
Change how you think about your laptop
Here's what I tell clients who resist implementing proper security measures: stop thinking of your laptop as where your data lives.
Instead, think of it as an access point to data stored securely elsewhere.
Once that mindset shift happens, everything becomes clearer. If you lose or damage your laptop, or someone steals it, none of your data disappears. You can be up and running on a new device within hours, not days.
The penny drops when clients upgrade to a new laptop and see how simple the switch becomes, or when they start working seamlessly between their iPhone, MacBook and desktop computer without copying files around.
Security doesn't have to restrict flexibility. It can enable it.
Turn security into your secret weapon
It's easy to think of cyber protection as a cost centre, but you're potentially missing the bigger opportunity.
As small businesses scale and start working with larger organisations, they encounter formal procurement processes. Every tender asks questions about data protection and information security and requires a security certification to be able to bid.
So, getting certifications like Cyber Essentials doesn't just protect you. It unlocks access to contracts with much bigger organisations than you've worked with before.
Building a security culture that actually works
The National Cyber Security Centre (NCSC) recommends distributing cyber security responsibility across your organisation rather than assigning it to one person.
Smart advice, but how do you make it work in a 10-person business where everyone's already wearing a number of different hats?
Here's how.
Start by working with an expert to get systems set up properly.
Train a champion in your business to lead on security day-to-day.
Then create a culture where everyone has a stake in security.
Actively celebrate when team members spot phishing emails or scams. Share the details so everyone learns. Reward curiosity about security rather than punishing mistakes.
Celebrate the catches and don't punish the misses, as tempting as that might be. Instead, treat them as an opportunity to learn and improve your protections for next time.
The fire safety approach
When business owners read that one in two SMEs will experience a cyber breach, they need to make a crucial mindset shift. With risk levels that high, it's a matter of when, not if.
You wouldn't wait until the building was on fire to buy an extinguisher or plan an escape route. You put defences in place and create a response plan before you need it. The same logic applies to cyber security.
Don't let perfect be the enemy of good
The NCSC's five key recommendations work because they're practical:
1. Data backups
2. Malware protection
3. Mobile security
5. Phishing awareness
Start getting the basics in place as soon as you can. Aim for continuous improvement rather than perfection.
Get great systems in place that automatically apply security baselines to everyone's devices. Manual configuration breeds inconsistency. The one setting you miss on one device becomes the weak point that cyber criminals exploit.
If technical stuff bamboozles you, don't be afraid to ask experts for help. Being a small business owner can be lonely and you don't have to figure out cyber security on your own.
The goal isn't to become unhackable, but to become a harder target than the business next door, while building systems that actually make your life easier.
Your contact list is valuable. Your reputation is valuable. Your future growth opportunities are valuable. Keep them safe!
Jon Davies is a business mentor and small business software consultant who helps overwhelmed business owners become more confident leaders by automating processes, improving security, enabling collaboration and improving profitability. You can find out more at Second Brain Consulting.