Assessing the Cyber Risk to Small Business 2019

Having a cyber security plan or strategy is something that has long been associated with larger enterprise organisations, but with the continued rapid increase of online threats and weekly reports of data breaches, this is no longer the case.

In the last few years Small and Medium businesses have become common targets for hackers and cyber criminals. As large enterprises spend big money on securing the organisation, SMB’s are the opposite often having no thoughts, plan, or budget for security, making them easy targets for attackers.

The main issue why smaller companies don’t prepare and secure their business is that they don’t think it will ever happen to them. They feel that:

  • They are too small to be of interest to attackers.
  • They have nothing of value worth stealing.
  • If they do get attacked, they don’t believe it will impact their business or its reputation.

The reality is small businesses simply do not understand the risk and impact of a cyber-attack. According to a report by Hiscox 47% of Small businesses (1-49 employees) and 63% of Medium businesses (50-250 employees) across the UK, Europe and the US, have been impacted by a cyber-attack in 2019 and this is only getting worse each year.

In an effort to stem this continued downward slide, Ironshare work with UK based SMB’s to assess and improve their cyber maturity, with an ultimate goal of reducing the risk of cyber-attack for each organisation.

Key Assessment Findings

During 2019 Ironshare have performed numerous Cyber Assessments for Small and Medium businesses, with some unsurprising results. Below we share with you some of the key findings from our assessments.

IT System & Application Updates

Keeping systems up to date with the latest versions is one of the leading core fundamentals in Cyber Security. This significantly reduces both the number of vulnerabilities in your systems and the likelihood of successful attack.

Unfortunately, 53% of those assessed did not have a regular patching process to update their IT systems or software applications.

Those that did have a patching process, mostly focused on Windows patching and neglected software applications and network devices. Remember that your patching process must include all IT systems and software not just Windows.

Patching Stats
User Education                 

Another cyber fundamental is User Awareness training. By educating your users, who are typically the weakest link in your organisation’s security, you can prepare them to spot signs of malicious activity.

Our assessments show that 51% failed to provide their users with fundamental security awareness training.

Even the most basic of user education is better than none. Try to provide awareness into the most common threats, such as phishing attacks, social engineering and online fraud to better prepare your users.

If your budget can reach, then we also recommend implementing phishing simulation campaigns, to enhance education and provide insight into the users that may prevent the biggest risk to your company. Evidence shows that company directors / VIPs often present the biggest risk.

Default Passwords

Default passwords are configured by the vendors of new hardware and software. They are readily available from the internet, giving attackers an easy way to gain access to devices on your network.

We found that 42% of customers had Default Passwords present on one or more network connected devices.

Like with patching above you need to ensure that all default credentials are replaced during the deployment of new hardware and software, including network, printer and IoT devices, not just Windows systems.

System & Data Backups

Backups are essential in today’s world that relies on information and data to succeed. Backups ensure that in the event of a disaster or cyber attack you can quickly recovery your data with reduced impact to business.

Unsurprisingly 65% did not have an Offline Backup solution in place. This is a common gap in the security of organisations and is as common in large enterprises as it is in small business.               

We recommend implementing an offline backup solution to ensure that your organisation’s data is safe. Malware infections such as Ransomware can delete or encrypt your files; which makes performing offline backups vital to retaining your data in these situations.

Don’t fall into the trap of thinking that because your data is in the cloud that it is backed up, this is often not the case. A separate solution is normally required. Also be sure that your backup is truly offline and away from the systems you want to protect. Storing backups on network shares or storage, or always available USB drives is not an offline backup.

Web and Email Security

Web and Email are the two biggest methods for delivering threats on the internet today. Over 95% of successful attacks start with an email, which can deliver malware as an attachment or direct users to a malicious web site that can then deliver malware or steal your data.

83% of customers had no or only limited protection from web or email threats.

We all know that Anti-Virus and Firewalls are fundamental security components of any network, but they fall very short when blocking modern day threats. This is why you need multiple layers of security.

You should always consider implementing a secure web or email gateway, to control which places your users can access on the internet and ensure that bad email is filtered before reaching your users. This will help defend against common malware and phishing attacks.

Vulnerability Management

What you don’t know about, you cannot protect. This is relevant to both Vulnerability and IT asset Management. Understanding your assets and knowing the vulnerabilities that may exist in them is critical to establishing and maintaining a strong cyber security posture.

With 86% having no capability in place to identify and manage vulnerabilities across their IT assets, the risk to small business is huge.

We recommend carrying out annual vulnerability assessments as a minimum. This is another area that can help to prioritise items when trying to create a new cyber action plan.

Internet Exposed Services

Knowing and controlling what services you make available to the public via the internet, is critical to securing an organisation. Having excessive or vulnerable services exposed, increases a hacker’s opportunity to launch a successful attack.

64% of customers allowed Vulnerable Services and Protocols to be accessible from the internet.

Most of these organisations had management protocols such as Remote Desktop Protocol (RDP) accessible from the internet; this is a common method used by malicious actors to gain access to an environment and launch Ransomware attacks. Ensure that only necessary services are available from the internet, and that management services are only accessible from the internal network.

Multifactor Authentication & Password Security

Of the customers assessed, it was disappointing to find that none were using, enforcing or even recommending the use of Multi Factor Authentication (MFA) to their users.

In addition, only a single customer was recommending the use of Password Managers.

Studies show that approx. 75% of people reuse the same password on more than one website or service. And with the ever-rising number of data breaches, we see the number of compromised accounts continue to increase with them.

Password Managers provide users with a safe way to generate and securely store unique random passwords and reduce the password reuse problem. While MFA adds another layer of security to the users account requiring a one-time passcode and reducing the risk of account compromise.


The assessments and their associated results highlight the fact that most smaller companies are just not preparing themselves effectively and securing their businesses.

Core fundamentals are not being addressed in most cases which leaves organisations vulnerable to the most common of cyber-attacks.

Considering that most of these organisations had experienced some form of security incident in the last 2 years, this is more evidence of how important it is to get the basics in place.

If you are not sure where to start with your cyber security, then begin with completing a Cyber Assessment. Engaging a specialist to assess your business security is a great first step to understanding your risks and gaps. Assessments will help you to focus on the items with the highest risk and deal with these first.

Please don’t be another cyber statistic, start securing your business today!

Ironshare – Security Simplified