Cyberattacks peak in February – What can SMEs do to protect themselves?

As February draws to a close, IT managers may breathe a sigh of relief. Statistics show that February is one of the highest risk months for cyberattacks, with an average of 83 companies breached every year, according to a study conducted by a cloud hosting platform.

The research, carried out by secure hosting specialist Cloudways, identifies multiple months of the year where businesses may be at heightened risk of a cyber security breach. These include key buying season months between October and December.

With cyberattacks proving devastating for customer trust – and potentially carrying the risk of fines for businesses under GDPR regulations – it’s essential that business owners remain aware of the risks and how to stay ahead of them.

Millions of breached records

The troubling stats reveal that February averages 3,837,375,163 breached records – meaning confidential data is compromised, stolen, or viewed by cybercriminals. These types of breach can expose businesses to revenue loss and severe reputational damage.

But, even as February comes to an end, companies must remain vigilant. Cloudways data finds that March, October, and December are also high-risk months, which dangerously overlaps with peak sales season for some enterprises.

A cybersecurity breach can tarnish customers’ trust in a brand – some 45% of customers state they would not use a company if their data was compromised in a cyberattack.

SMEs need to take additional caution as they are particularly vulnerable to the unpredicted and burdensome costs that cyberattacks embody. In fact, 60% of SMEs fall victim to a cyberattack within the first six months of operation and 19% said that an average cyberattack could cost their business up to £4,200.

Tina McKenzie, Policy Chair of the Federation of Small Businesses (FSB), says, “The digital economy presents a huge opportunity for small firms to reach new markets and customers, but these benefits come with challenges.”

McKenzie adds that the threat “sheds light on how vulnerable small firms become targets of criminals in the cyberspace, when they’re often less able to absorb the cost of crime.”

Cyberattacks are becoming more normalised

These statistics reflect the vulnerability that all businesses, regardless of their size, experience as reliance on digital working grows.

Just last month JD Sports was hit by a cyberattack that exposed the personal data of 10 million customers. And, as recently as yesterday, the Copenhagen Airport website was inaccessible to users due to a breach.

The threat of data breaches has become so commonplace that 54% of SMEs in the UK experienced some form of cyberattack in 2022. This figure is alarmingly up from 39% in 2020, according to a study conducted by Vodafone.

Andrew Stevens, Vodafone’s UK Head of Small and Medium Business, says, “These findings reflect a lack of adequate skills and information to equip small business owners with sufficient protections, and while we welcome the progress that has been made by Government with the establishment of nine regional Cyber Resilience Centres across England and Wales, it’s clear that more needs to be done to convince SMEs that they need to be investing in cybersecurity to protest their business, especially during a cost-of-living crisis where they are most vulnerable.”

What can SMEs do?

Cyberattacks will continue to evolve and morph into malign technologies, despite efforts made by organisations to shield themselves. Most recently, reports have shown that cybercriminals are weaponising ChatGPT to build malware, dark web sites, and other tools to launch cyberattacks.

There is a degree of inevitability to cyberattacks, warns Haris Pylarinos, Co-Founder of Hack the Box, an upskilling platform that gamifies cybersecurity training, and was highly ranked in our Startups 100 list for 2023.

“Everyone has to realise sooner or later there will be a breach to every organisation,” says Pylarinos. “What you should focus on is how you can reverse the damage.”

Pylarinos revealed that it is important to switch mentalities regarding cyberattacks. He argues that it’s not about trying to prevent a cyberattack from happening, but about understanding how an attacker operates, identifying when a hack is happening, and acting accordingly.

“Understanding and knowing about the hack and taking action against it is already a win because all organisations eventually have a breach,” he encouragingly adds. “The win there is how soon you figure it out and how you can minimise the damage.”

However, rather than making cybersecurity training a one-off occurrence, Pylarinos stressed it should become a persistent practice amongst enterprises.

“Businesses have to take it seriously and not consider it just a compliance exercise, and for them to take it seriously they have to understand the criticality of it,” and added, “you have to understand that it’s not something that a regulatory authority made us do because we must, it’s something that will impact the business, we have to understand that and we have to act accordingly.”

Despite the inevitability of cyberattacks, there are certain steps that businesses can take to be better positioned for when it does eventually happen.

Paul Haverstock, VP of Engineering at Cloudways, recommends having updated software as this can resolve issues from previous versions that make systems more vulnerable to hacks. “Any outdated software that exists within an organisation’s infrastructure is potentially a ticking time bomb, so it’s important to have a robust patch management policy in place to ensure that all software is updated on a regular basis.”

As cyberattacks become more normalised, businesses that embrace the importance of consistent cybersecurity training will therefore be better positioned to stay ahead of the curve.