Skip to content

It’s time to rethink SME cybersecurity. Here’s why

A woman using her laptop

23 Feb 2023

Home > News > About Standard Chartered > Innovation > It’s time to rethink SME cybersecurity. Here’s why
Almost half of cyberattacks are aimed at small businesses. But there are things you can do to prepare.

Is your business being targeted by cybercriminals? Almost half of cyberattacks are aimed at small businesses, but only one in seven are prepared to defend themselves, according to a recent report.1

As part of the SC WIN Scale-Up Support series, we asked our Global Head, Cyber Partnerships and Government Engagement, Nina Paine, to talk about the importance of cybersecurity for small businesses.

Is cybersecurity important for SMEs?

Some small and medium-sized enterprises (SMEs) believe in security through obscurity – the misconception that SMEs can sneak under the radar of cyber-criminals; that they’re too small to be noticed. Unfortunately, that’s not the case. Almost half of all cyberattacks are aimed at small businesses.

I don’t want to scare business owners too much, but a cyberattack can be life threatening for an SME. There are lots of alarming stats about how a cyberattack can impact small businesses.2 The bottom line is that protecting your business from cyberthreats is a matter of survival.

How are SMEs targeted by cybercriminals?

Around nine out of ten cyberattacks start with a bogus link in an email, a type of attack known as ‘phishing’.3 Cybercriminals send fake emails, texts or other messages to victims to trick them into downloading a virus onto their computer, or to somehow steal their personal information. An estimated 1 in every 100 emails sent globally is a phishing email from a cybercriminal.4

What makes it even more alarming is that artificial intelligence (AI) is now able to generate even more convincing phishing attacks, increasing the threat further. Sophisticated AI chatbots allow attackers to create customised and professional-sounding messages in minutes.

However, phishing isn’t the only tool used by cybercriminals. There are a wide range of techniques that are constantly evolving, from ransomware to CEO fraud.

In cases of CEO fraud, which is increasingly common, cybercriminals, who have often already hacked into a company’s computer system, send an email to the CEO purporting to come from someone in the finance team, asking the CEO to authorise a payment of, say, $10,000. The CEO, probably rushing from meeting to the next, says yes without checking the details. The payment is intercepted by cybercriminals, who have usually hacked into the payment system of the business. The payment is gone and it’s very hard to trace.

Has COVID-19 increased the risk to SMEs?

At the beginning of the pandemic, when governments around the world introduced lockdowns, we saw a definite rise in phishing emails. Cybercriminals immediately started to use COVID-19 to target people and businesses at an incredibly confusing and vulnerable time.

More broadly, we also saw a rapid shift to home working. Suddenly, everyone was using their work devices at home, and potentially using personal devices at home to work. Businesses quickly needed to work out how they could make all these devices in people’s homes secure. It was (and continues to be) a huge challenge, and one which is particularly hard for smaller businesses because they don’t necessarily have the luxury of IT or cybersecurity teams.

What do SMEs commonly get wrong about cybersecurity?

The first mistake that is most easily prevented is weak password (or authentication) policies – using easy-to-guess words, repeated or sequential characters. Reusing the same password for multiple online business tools is also common, which may result in a chain of breaches which could disrupt your business quite significantly. Another common mistake you see is the WiFi password written on a whiteboard or printed on a sign at reception for everybody who passes through, without ever changing it. That’s a gift to hackers.

Read this guide about using passwords to protect your company data

The second mistake that a lot of small business owners make is to approach cybersecurity as they would at home – they assume that this level of protection is going to be sufficient as a business. That’s just not the case. For example, purchasing off-the-shelf security software might protect your desktop computers (to a limited extent), but it probably won’t protect the rest of your devices, from work phones to printers and routers.

What can SMEs do to prepare for a cyberattack?

Create a plan that sets out what to do in the event of an attack. It should be easily accessible and, ideally, available in print as well as digitally. Allocate roles, work out procedures and also consider how you might communicate your challenges to customers and colleagues. Then, test your plan. Run exercises on a regular basis to make sure everyone’s clear about who should do what.

Back-up your data. It sounds very dull, but it’s critical to surviving an attack. You can purchase a data back-up solution relatively easily that is based on the cloud (stored in remote servers and accessed online). SMEs might think using the cloud sounds like a security risk, but it can be a great opportunity to outsource data protection relatively cheaply, because a reputable cloud-based solution may be more secure than allocating resources to manage security in your business locally.

Consider staff training. If small businesses do put aside a training budget, it’s probably the first line to be cut when times are tight, and that has certainly been the case recently. But training is critical because it just takes one staff member to click on a phishing email for your whole business to be vulnerable. As well as training your staff about what not to do, think about rewarding them for the right behaviour.

Read this checklist of actions to protect your business from a cyber-attack

What else can leaders do to protect their business?

Women are often more risk adverse in areas of finance, such as investing, which does not always help us. However, that mindset is laudable in cybersecurity, where female leaders need to channel that caution into their businesses too.

It’s essential to lead by example by educating yourself on the risks of cybercrime and then taking the necessary action. Remind your staff whenever you can about the importance of good cyber hygiene. Creating a culture of vigilance and zero-tolerance is probably the most important single step you can take to protecting your business.

Further reading:

GCA Cybersecurity Toolkit for Small Business

Cyber Resilience and Financial Organizations: A Capacity-building Tool Box – Carnegie Endowment for International Peace


  1. State of Cybersecurity Report 2021 | 4th Annual Report | Accenture
  2. 60 Percent of Small Companies Close Within 6 Months of Being Hacked (
  3. CISCO 2021 Cybersecurity Threat Trends
  4. Avanan Global Phish Report 2019