Don't get caught in the net: How your business can tackle phishing

With cyber-crime becoming increasingly sophisticated, Paul Cullum, Alternative Distribution Manager of HSB Engineering Insurance, discusses how small businesses can prevent a breach of online security

Global ransomware attacks and data breaches may make the news headlines, but it’s not just large businesses and corporate enterprises that are affected by cyber crime. For small- and medium-sized businesses, increased reliance on technology to support their operations makes them vulnerable to attack.

According to the Cyber Security Breaches Survey 2018 [1], 43% of businesses experienced a cyber security attack or breach in the past 12 months. For 75% of those who experienced an attack, it was the result of fraudulent emails or being directed to fraudulent websites. These statistics may seem disturbing but they aren’t a surprise.

While it is still possible to identify a potential phishing attack by the email address used, criminals are increasingly accessing email servers and monitoring traffic for opportunities. The amount of personal data available via social media also means that it is becoming easier for criminals to use your own information to give more credibility to the scam.

We have increasingly seen insurance claims from small businesses falling foul of email phishing and social engineering scams. What is worrying is not only how sophisticated and difficult to detect scams are becoming, but also the amount of money – often thousands of pounds – businesses can lose as a result.

What can your business do to reduce the risks? 

The first thing to realise is that it is more a question of when rather than if your business suffers a cyber attack. You may not think you are at risk, but cyber criminals know that they can exploit data or finances by targeting you. 

Hardware and software defences, such as backing-up data, installing system updates and using anti-virus software, are an essential part of your overall cyber security risk management plan. However, these measures may only go so far if awareness of cyber risks among your employees is low. 

With Business in the Community's (BITC) recent cyber research highlighting that more than a third of small businesses (fewer than 50 employees) think that employee training is not necessary [2], it is easy to see why cyber-criminals view employees as a vulnerable entry point. Training and education are therefore simple but vital steps all businesses can take to reduce the risk of attacks.

There are numerous resources available to help you. The BITC readiness test is a good place to start, enabling you to evaluate your cyber risk exposures and access useful resources. Implementing the National Cyber Security Centre’s Cyber Essentials will also help to make a business more cyber resilient. Insurance also has a role to play, with many cyber insurance policies providing access to experts such as forensic IT specialists, PR agencies and legal support to assist a company following a cyber incident.

With more reliance on online activities, devices and connected technology to run businesses, cyber criminals will undoubtedly become more sophisticated. Being aware of the risks, ensuring security measures are in place and educating employees are all vital steps you can take to reduce the likelihood of your business becoming a victim of a cyber attack.


1. Department for Digital, Culture, Media & Sport: Cyber Security Breaches Survey 2018

2. Business in the Community: Would you be ready for a cyber attack? Report – March 2019