There is no getting away from it, running a business or charity means relying more and more on technology, so it’s increasingly important to make sure we are aware of the impact that malicious software (malware) can have.

Larger organisations often have departments dedicated to protecting them from cyber-attacks, but small businesses and charities generally don’t have the resources for this, which makes them particularly vulnerable should an attack be successful.

So, in this blog we’ll discuss the dangers of malware to SMEs, the potential consequences, common methods of attack, common mistakes made by small businesses and measures that can be taken to reduce vulnerability to attacks.

The impact of malware

Small businesses are often a target for cybercriminals, and malware is a common tool used to exploit them. The consequences of a successful malware attack can be devastating, and can include:

1. Data theft: Malware can allow attackers to steal sensitive business and customer data, leading to data breaches that can result in reputational damage, the Information Commissioners’ Office (ICO) imposing remedial actions and loss of customers.
2. Financial loss: Malware can be used to steal banking credentials or initiate fraudulent transactions, ICO fines and blackmail demands leading to significant financial losses for small businesses.
3. Operational disruption: Malware can disrupt business operations, leading to downtime and productivity losses that can again result in financial losses.

According to the Cyber Security Breaches Survey 2023, when compared to 2022, the deployment of up-to-date malware protection has fallen from 83% to 76% among businesses in the UK, and down from 68% to 63% among charities. As attacks increase, to reduce your protection really doesn’t contribute to a successful growth strategy for your business or charity.

Malware can be introduced into a small business's network in several ways, including:

• Phishing emails: These are a common method used by cybercriminals to distribute malware. These emails can be disguised as legitimate emails from trusted sources and/or contain links or attachments that download malware onto the recipient's device.
• Malicious websites: Cybercriminals can create fake websites that mimic legitimate websites to trick users into downloading malware.
• Infected software: Cybercriminals can also distribute malware by hiding it in infected software or applications.

Small businesses often fall victim to malware attacks due to several common mistakes, including:

1. Failure to update software (known as patching): Not regularly updating software leaves systems vulnerable to malware attacks.
2. Lack of awareness: Owners and employees may not have adequate information on the dangers of malware, leaving their business vulnerable to phishing attacks.
3. Lack of backup and recovery plans:
4. Failure to test these plans regularly may mean your business is unable to recover from a malware attack.

Five tips recommended in the Small Business Guide from the National Cyber Security Centre are:

Tip 1: Install (and turn on) anti-virus software: This is often included for free within popular operating systems - should be used on all your devices, whether a computer, laptop or phone.

Tip 2: Prevent staff from downloading dodgy apps: Only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware that might cause harm. Prevent staff from downloading third-party apps from unknown vendors/sources, as these will not have been checked.

Staff accounts should only have enough access required to perform their role, with extra permissions (i.e. for administrators) only given to those who need it. When administrative accounts are created, they should only be used for that specific task, with standard user accounts used for general work.

Tip 3: Keep all your IT equipment up to date (patching): For all your IT equipment (tablets, smartphones, laptops and PCs), make sure that the software and firmware (a computer programme embedded in the hardware to help it function and communicate with other software) is always kept up to date with the latest versions from software developers, hardware suppliers and vendors.

Operating systems, programmes, phones and apps should all be set to 'automatically update' wherever this is an option. At some point, these updates will no longer be available (as the product reaches the end of its supported life), at which point you should consider replacing it with a modern alternative.

Tip 4: Control how USB drives (and memory cards) can be used: We all know how tempting it is to use USB drives or memory cards to transfer files between organisations and people. However, it only takes a single cavalier user to inadvertently plug in an infected stick (such as a USB drive containing malware) to devastate the whole organisation.

You can reduce the likelihood of infection by:

• Blocking access to physical ports for most users
• Using anti-virus tools
• Only allowing approved drives and cards to be used within your organisation - and nowhere else

These requirements could be implemented as part of your company policy to prevent your organisation being exposed to unnecessary risks. You can also ask staff to transfer files using alternative means (such as by email or cloud storage), rather than via USB.

Tip 5: Switch on your firewall: Firewalls create a 'buffer zone' between your own network and external networks (such as the Internet). Most popular operating systems now include a firewall, so it may simply be a case of switching this on. For more detailed information on using firewalls, refer to the Network Security section of the NCSC's 10 Steps to Cyber Security.

In conclusion, malware attacks can have devastating consequences for small businesses and charities, including data theft, financial loss, and operational disruption. But the good news is that there are simple steps that can be taken to protect your business, such as regular software updates, employee education, and backup and recovery plans.

By being vigilant and proactive, we can mitigate the risk of malware attacks and protect both our business continuity and our customers. The WCRC can help you raise awareness across your organisation, and also with the implementation of security polices to protect your business. Please get in touch to learn more.