Jessica Pillow, Founder and Managing Director of Pillow May Accountancy, has seen an increase in the number of cyber attacks that small businesses are experiencing. Just recently, one of her clients was hacked, and sent out an email alerting her to this. “Fortunately, as a result of previously receiving hacked emails from clients, we now have some really strong barriers and firewalls on our email system.”
There have been plenty of warnings about prevalent cyber attacks at the moment, and in Pillow’s view, SMEs are particularly vulnerable.
“There are more traps now than ever, and cyber attackers are getting more and more clever. Perhaps that’s the impact of AI. It’s more personalised and more believable, involving not just email but phone calls and SMS. So it can look like it’s coming from a legitimate company.”
The 2023 Cyber Security Breaches Survey showed a decline in cyber security investment among smaller businesses. For example, the proportion of micro businesses that considered cyber security a high priority decreased from 80% in 2022 to 68% this year. Cyber hygiene measures such as password policies, network firewalls, restricted admin access and updated software are all in decline. This was highlighted as a cause for concern by ICAEW earlier this year.
Pillow believes that the stresses caused by the cost-of-living crisis have a lot to do with the decline in cyber security investment and the anecdotal increase in breaches that she has seen among small businesses.
“They are more vulnerable to attacks, and they are perhaps more likely to respond to urgent requests and pressure to avoid further stress. You don’t necessarily have that presence of mind to question what you’re asked.”
On top of this, Pillow does not get the impression, from speaking to business owners, that they take cyber security particularly seriously. There is not enough emphasis, for example, on keeping software up to date, and many businesses still don’t use two-factor authentication for sensitive systems. Part of the problem is that many do not believe that hackers will take any notice of them.
“It’s a view that ‘there’s nothing we’ve got of any value’, but of course, every business has payments going out. They have valuable customer contacts. There’s always going to be something of value for cyber attackers.”
While a successful hack on a larger company might deliver a big payday for cyber attackers, it’s easier to get smaller amounts from several smaller organisations. “We put monitoring software into our systems so that we could see how many attempted attacks we were stopping, and the number of hackers that attempted to get past our firewall was quite shocking. I’m not sure many people realise how prevalent it really is.”
Pillow is particularly aware of the risks of cyber attacks. Her firm experienced a major incident a few years ago, after a client’s email system got hacked and the attackers used it to conduct phishing attacks. “There wasn’t really a way of telling that the emails were dodgy in themselves. There were red flags that we should have picked up, but unfortunately we didn’t, because it was holiday time.”
As a result of this attack, Pillow and her team redoubled their cyber security efforts and made considerable improvements to their systems and processes (Pillow’s insights from the attack will be covered in detail later in this series). If small businesses and firms were to invest in anything, she recommends looking into education and training for employees.
“People are nearly always the weakest link. We pay for cyber awareness training through our IT provider, which costs £3.76 per user per month, so it’s not a fortune. I get reports to see if my employees have done the training and I can chase them up and make sure that they are looking at it regularly. We also get constant reminders to update software. We have engaged with a phishing protection service that sent traps through our email system to ensure that people were being vigilant. Those that missed the traps were asked to do some more detailed training.”
Cyber security is something that every business should think about every two weeks, she says. Touching base and reminding people about the risks is sometimes all that’s needed. “Really it’s about cultivating a healthy scepticism. When we get emails or other communications from clients, we need to ask: does this make sense? Anything out of the ordinary could be a sign of an attack.”