
Lessons Learned the Hard Way: How Major Cyber Attacks in 2023 Can Be a Wake-Up Call for SMEs in 2024

The world feels pretty unsettled for many at the moment, with political destabilisation and threats to peace across the globe. Unfortunately, the online world is no different, with hacks and ransomware a constant threat to businesses large and small.

Major Cyber Security Attacks in 2023

National Security Attacks

This was abundantly clear in 2023, when the UK government’s National Security Strategy Committee released a report about the consequences for national security of ransomware attacks. The Committee described some of the most serious attacks as follows:

“Victims included the UK’s NHS, US FedEx, Deutsche Bahn, Honda, Nissan and LATAM Airlines. Many including the NHS were not targeted specifically but were hit in opportunistic attacks due to software vulnerabilities. The British Library experienced a major ransomware attack in November 2023 and in the days before publication of this report London’s King Edward Hospital was attacked with threats to leak members of the Royal Family’s medical records, and there were reports that Sellafield the UK’s most hazardous nuclear site had been hacked into by cyber groups closely linked to Russia and China.”

They go on to describe how “swathes of UK critical national infrastructure (CNI) – much of which is operated by the private sector – remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems”.

Royal Mail Attack

Early in 2023, anyone trying to send a parcel overseas will have been all too aware of the cyber attack that ground Royal Mail’s international postage system entirely to a halt. Printers in a distribution centre in Belfast started printing the attackers’ demands, which Royal Mail confirmed to be a ransomware attack by someone using LockBit encryptors.

This was not a quick fix (as those of us with a late Christmas parcel for an American friend sitting on their hall floor for weeks can confirm) – Royal Mail announced the hack on 11th January 2023 and it was only on 2nd February 2023 that the company confirmed things were mostly back in action.

Electoral Commission Attack

Then on 8th August 2023, the Electoral Commission announced that there had been a gigantic data breach the previous October, giving hackers access to “the name and address of anyone in Great Britain who was registered to vote between 2014 and 2022, the names of those registered as overseas voters during the same period, and the names and addresses of anyone registered in Northern Ireland in 2018” as well as the Commission’s email systems.

The Wake-Up Call – SMEs have to take responsibility for their own cybersecurity

Most of us aren’t dealing with issues of national security, but we’ve all got responsibilities under GDPR, we’ve got responsibilities to our customers, clients, partners and colleagues, and we don’t want a data breach to damage our reputation, our finances or our standing in the community.

We don’t want to have to interrupt our work to repair systems or deal with a crisis, and we don’t want the infrastructure our businesses rely on – or provide – to be compromised.

Key Advantages of taking control of Cyber Security for Small Businesses

Data breach fines can be costly

It’s expensive, too, as HM Treasury can fine your business for failing to adequately protect itself against cyber threats.

Businesses can be fined up to £17.5 million or 4% of annual global turnover under UK GDPR legislation for the most serious infringements that compromise the data you hold, as companies like Meta (fined €1.2 billion and €390 million), TikTok (fined €345 million and €12.7 million) and Spotify (fined €4.9 million) all found to their (extensive) cost in 2023.

Even the Cabinet Office got an eye-watering £500,000 fine in 2021 for a GDPR breach, though the Information Commissioner’s Office later reduced this to £50,000.

Avoidance less stressful than dealing with fallout

The National Security Strategy Committee report mentioned above concludes that the government is not doing enough, its chair Dame Margaret Beckett saying, “The UK has the dubious distinction of being one of the world’s most cyber-attacked nations. It is clear to the Committee that the Government’s investment in and response to this threat are not equally world-beating, leaving us exposed to catastrophic costs and destabilising political interference.”

So it falls to us, as small businesses, to take every possible step to prevent and avoid cyber attacks, rather than try to deal with the fall-out if (or when) our website or database is the unlucky recipient of intruders whose aim is to exploit any weakness and extract as much from us as they can.

The Cyber Security Framework is Already Established – Cyber Essentials

Astonishingly, at the time when the Electoral Commission’s hack gave 45 million people’s personal data to hackers, the Commission had failed its Cyber Essentials audit, due to “outdated software on around 200 staff laptops and the use of unsupported iPhones”, according to a whistleblower. Cyber Essentials is a certification that shows that organisations are aware of cybersecurity risks, and that they are taking appropriate precautions to protect themselves against the most common threats.

As of May 2023, 35,434 UK organisations had been awarded Cyber Essentials certification in the previous 12 months, 8,407 of which were Cyber Essentials Plus, which assesses against more stringent criteria. Joining those organisations and getting certified is a vital step to make sure your SME is knowledgeable about its cybersecurity and equipped to reduce the risk of hacks and attacks.

Five Immediate Cyber Security SME Actions To Do Today in 2024

So what can SMEs do to stay safe (and solvent) in 2024?

1. Password Security

Get on top of your password security. As sophisticated as some cyber attacks now are, others are as simple as exploiting the knowledge that some people still use really common passwords. Responsible password management can be a quick and easy fix for your organisation.

2. Software Updates

Don’t use ancient and unsupported software and systems. If your computers are running on Windows 98 or you’re using software that hasn’t been supported since 2014, your business is at serious risk. Update your drivers, download the most recent versions of your software, and update your website’s CMS, too. There are people whose job it is to constantly update these systems against all the newest threats, so take advantage of that by staying up to date.

3. Assign internal responsibility for data and online protection

Even if you’re overwhelmed at the prospect, you need to know that somebody in your organisation is taking responsibility for data and online protection. If that’s not you, make sure you know who it is – and that they are on top of their brief. If there’s nobody who understands the details, get an outside IT support service involved that thrives on the granular complexities of cybersecurity.

4. Be aware of current cyber attacks

Sign up for Early Warning. According to the National Cyber Security Centre, “Early Warning is a free NCSC service designed to inform your organisation of potential cyber attacks on your network, as soon as possible. The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, which includes several privileged feeds which are not available elsewhere”.

5. Take the First Step towards Certification

Get certified! Cyber Essentials and Cyber Essentials Plus are reliable ways to make sure you’re doing everything you can to protect your company data.