Lessons Learned the Hard Way: How Major Cyber Attacks in 2023 Can Be a Wake-Up Call for SMEs in 2024

The world feels pretty unsettled for many at the moment, with political destabilisation and threats to peace across the globe. Unfortunately, the online world is no different, with hacks and ransomware a constant threat to businesses large and small.

This was abundantly clear in 2023, when the UK government’s National Security Strategy Committee released a report about the consequences for national security of ransomware attacks. The Committee described some of the most serious attacks as follows:

“Victims included the UK’s NHS, US FedEx, Deutsche Bahn, Honda, Nissan and LATAM Airlines. Many including the NHS were not targeted specifically but were hit in opportunistic attacks due to software vulnerabilities. The British Library experienced a major ransomware attack in November 2023 and in the days before publication of this report London’s King Edward Hospital was attacked with threats to leak members of the Royal Family’s medical records, and there were reports that Sellafield the UK’s most hazardous nuclear site had been hacked into by cyber groups closely linked to Russia and China.”

They go on to describe how “swathes of UK critical national infrastructure (CNI) – much of which is operated by the private sector – remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems”.

Early in 2023, anyone trying to send a parcel overseas will have been all too aware of the cyber attack that ground Royal Mail’s international postage system entirely to a halt. Printers in a distribution centre in Belfast started printing the attackers’ demands, which Royal Mail confirmed to be a ransomware attack by someone using LockBit encryptors.

This was not a quick fix (as those of us with a late Christmas parcel for an American friend sitting on their hall floor for weeks can confirm) – Royal Mail announced the hack on 11th January 2023 and it was only on 2nd February 2023 that the company confirmed things were mostly back in action.

Then on 8th August 2023, the Electoral Commission announced that there had been a gigantic data breach the previous October, giving hackers access to “the name and address of anyone in Great Britain who was registered to vote between 2014 and 2022, the names of those registered as overseas voters during the same period, and the names and addresses of anyone registered in Northern Ireland in 2018” as well as the Commission’s email systems.

Most of us aren’t dealing with issues of national security, but we’ve all got responsibilities under GDPR, we’ve got responsibilities to our customers, clients, partners and colleagues, and we don’t want a data breach to damage our reputation, our finances or our standing in the community.

We don’t want to have to interrupt our work to repair systems or deal with a crisis, and we don’t want the infrastructure our businesses rely on – or provide – to be compromised.

It’s expensive, too, as HM Treasury can fine your business for failing to adequately protect itself against cyber threats.

Businesses can be fined up to £17.5 million or 4% of annual global turnover under UK GDPR legislation for the most serious infringements that compromise the data you hold, as companies like Meta (fined €1.2billion and €390 million), TikTok (fined €345 million and €12.7 million) and Spotify (fined €4.9 million) all found to their (extensive) cost in 2023.

Even the Cabinet Office got an eye-watering £500,000 fine in 2021 for a GDPR breach, though the Information Commissioners Office later reduced this to £50,000.

The National Security Strategy Committee report mentioned above concludes that the government is not doing enough, its chair Dame Margaret Beckett saying, “The UK has the dubious distinction of being one of the world’s most cyber-attacked nations. It is clear to the Committee that the Government’s investment in and response to this threat are not equally world-beating, leaving us exposed to catastrophic costs and destabilising political interference.”

So it falls to us, as small businesses, to take every possible step to prevent and avoid cyber attacks, rather than try to deal with the fall-out if (or when) our website or database is the unlucky recipient of intruders whose aim is to exploit any weakness and extract as much from us as they can.

Astonishingly, at the time when the Electoral Commission’s hack gave 45 million people’s personal data to hackers, the Commission had failed its Cyber Essentials audit, due to “outdated software on around 200 staff laptops and the use of unsupported iPhones”, according to a whistleblower. Cyber Essentials is a certification that shows that organisations are aware of cybersecurity risks, and that they are taking appropriate precautions to protect themselves against the most common threats.

As of May 2023, 35,434 UK organisations had been awarded Cyber Essentials certifications awarded in the previous 12 months, 8,407 of which were for Cyber Essentials Plus, which assesses for more stringent criteria. Joining those organisations and getting certified is a vital step to make sure your SME is knowledgeable about your cybersecurity and equipped to reduce the risk of hacks and attacks.

So what can SMEs do to stay safe (and solvent) in 2024?

Get on top of your password security. As sophisticated as some cyber attacks now are, some are as simple as exploiting the knowledge that some people still use really common passwords. Responsible password management can be a quick and easy fix for your organisation

Don’t use ancient and unsupported software and systems. If your computers are running on Windows 98 or you’re using software that hasn’t been supported since 2014, your business is at serious risk. Update your drivers, download the most recent versions of your software, and update your website’s CMS, too. There are people whose job it is to constantly update these systems against all the newest threats, so take advantage of that by staying up to date

Even if you’re overwhelmed at the prospect, you need to know that somebody in your organisation is taking responsibility for data and online protection. If that’s not you, make sure you know who it is – and that they are on top of their brief. If there’s nobody who understands the details, get an outside IT support service involved who thrive on the granular complexities of cybersecurity.

Sign up for Early Warning. According to the National Cyber Security Centre, “Early Warning is a free NCSC service designed to inform your organisation of potential cyber attacks on your network, as soon as possible. The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, which includes several privileged feeds which are not available elsewhere”.

Get certified! Cyber Essentials and Cyber Essentials Plus are reliable ways to make sure you’re doing everything you can to protect your company data.