SMBs hold much the same kinds of data as larger organisations but typically have weaker cyber defences, which makes them an attractive target for cybercriminals. A successful attack can be devastating for a business that has not backed up its critical data, or that lacks the resources to contain the damage and limit its severity.

In the digital age, SMBs need to be proactive about cyber security, and building a better security posture starts with education. Below we take you through the most common online threats affecting small and medium businesses, and provide tips on how you can prevent them.

Phishing Attacks

Attackers send fraudulent emails posing as a trusted individual or organisation, prompting the user to act: to share sensitive information (such as login credentials or credit card details), or to click a malicious link or open an attachment. A successful attack can result in financial loss, identity theft, compromised accounts, or the unknowing download of malware (including ransomware). By some estimates, phishing is the entry point for two out of every three ransomware attacks.

A variant of this is spear phishing, where the attacker researches their intended recipient and uses personalised information to make the targeted message more credible. An example is an unexpected email that appears to come from a colleague or manager and asks you to open an attachment or click a link.

Prevention: Your team is often the last line of defence against a phishing attack, so being able to identify these emails is critical. Users who receive a suspicious email should check the sender's actual address (not just the display name), look for spelling and grammatical errors and an unusual sense of urgency, avoid opening attachments, and check where a link really goes by hovering over it before clicking. Hovering reveals the destination but not whether it is legitimate; when in doubt, go to the organisation's site directly rather than following the link, and report the email. For more tips to spot a phishing email, read our guide here.

You can also safeguard your team against phishing emails by implementing robust email security measures. This includes filtering software that uses AI and machine learning analysis to stop phishing emails and other threats before they reach the inbox. No filter catches everything, so user awareness and an easy way to report suspicious mail remain essential.
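The checks described above (mismatched sender address, a Reply-To that goes elsewhere, link text that differs from the link target, and executable attachments) can be automated. The following is an added example, not code from the original page or from Ever Nimble; the message it inspects is constructed for illustration, and the function and constant names are the author's choices.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not real mail). It shows three of the tells above:
# a display name that claims a different address, a Reply-To pointing elsewhere,
# and link text that does not match the link target.
SAMPLE_EMAIL = """\
From: "Accounts Payable <ap@example.com>" <ap-notice@mail-example.co>
Reply-To: collections@example-invoices.net
To: staff@example.com
Subject: Urgent: invoice overdue, verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://example.com.verify-login.xyz/auth">https://example.com/portal</a>
to confirm your login within 24 hours.</p>
</body></html>
"""

# Visible link text that itself looks like a URL or bare domain.
URL_TEXT_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/.*)?$")
# Attachment extensions commonly used to deliver malware (illustrative list).
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".html", ".htm", ".lnk")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr_or_url):
    """Lower-cased host part of an email address or URL ('' if none)."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    url = addr_or_url if "://" in addr_or_url else "http://" + addr_or_url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of indicator strings found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # 1. Display name contains an address whose domain differs from the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and domain_of(embedded.group()) != from_domain:
        hits.append(f"display name claims {embedded.group()} but sender is {addr}")

    # 2. Replies are routed to a different domain than the sender's.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        hits.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. Link text shows one domain while the href goes to another (what hovering reveals).
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            m = URL_TEXT_RE.match(text)
            if m and m.group(1).lower() != domain_of(href):
                hits.append(f"link text shows {m.group(1)} but target is {domain_of(href)}")

    # 4. Attachment types that are executable or script-bearing.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append(f"risky attachment type: {name}")

    return hits


if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_EMAIL):
        print("-", hit)
```

These are heuristics, not verdicts: a legitimate newsletter may set a different Reply-To, and a well-crafted phish may trip none of them. In practice such indicators feed a score or a triage queue rather than an automatic block, and the hover check in particular only tells you the destination, not whether that domain is trustworthy.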

Malware

Malware is an umbrella term for a range of cyber threats that use malicious software to damage or exploit the affected system or device. It can be installed on a user's device without their knowledge when they visit a compromised website, click an infected URL or attachment in an email, or download software updates that attackers have tampered with to include malicious code. Examples of malware include viruses, ransomware (covered below), fileless malware that runs in memory without writing a file to disk, spyware that tracks and records user activity including login credentials and payment information, and computer worms that self-replicate and spread to other devices. In the first half of 2022 alone, there were 2.75 billion malware attacks.

Ransomware

Ransomware is a form of malware that holds an individual's or organisation's files or devices to ransom, using encryption to render them inaccessible. Victims are pressured by the attacker to pay; however, paying doesn't guarantee they will regain access or that their data will be intact. Research has also found that 80% of the businesses that did pay were targeted again and suffered a second ransomware attack. Many groups now also steal data before encrypting it and threaten to publish it, so a good backup alone does not remove the pressure to pay. This threat is on the rise thanks to Ransomware as a Service (RaaS), a subscription model that lets cybercriminals rent tools and quickly launch attacks without developing their own variant.

Prevention: Ensuring your business is safeguarded against malware and ransomware is critical as attacks continue to rise. The best way to do this is by implementing comprehensive cyber security measures: install antivirus or endpoint protection, apply software and system updates promptly, and put firewalls and email security in place. You should also keep your staff up to date with cyber awareness training, and back up your data. Because ransomware actively seeks out backups it can reach, at least one copy should be offline or immutable, and you should test that you can actually restore from it.

Password Attacks

In the digital age, online software, services, and social media platforms are essential to running your business, but when attackers get hold of your login credentials they can reach financial information, or access and compromise the company systems critical to day-to-day operations.

Cybercriminals use a range of methods to gain credentials, including brute-force, credential stuffing, and social engineering.

    • Brute-force attacks
      Trial and error against an account's password, from manually trying common passwords to automated tools that work through large wordlists until one succeeds. Lockout and rate limiting on the login endpoint make this slow and noisy.
    • Credential stuffing
      Often grouped with brute force, this method instead replays username and password pairs stolen in a data breach against other services, betting that the victim reused the same password. Because the pairs are already valid somewhere, it succeeds far more often than guessing, and it is usually spread over many accounts rather than hammering one.
    • Social engineering
      This attack typically arrives as a phishing email that imitates a genuine organisation to manipulate the user into handing over their login credentials. A common example is an email asking the user to "verify" their login via a link that leads to a look-alike sign-in page; whatever the user types there is captured by the attacker.
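The first two attacks leave a distinctive trace in authentication logs: brute force is many failures against one account from one source, while credential stuffing is failures spread across many accounts from one source, and the event worth paging on is a success that follows a burst of failures. The following is an added example, not code from the original page or from Ever Nimble; the log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an authentication audit log (not from a real system).
# 203.0.113.5 hammers one account and finally gets in; 198.51.100.9 tries one
# password each against many accounts; 192.0.2.10 is a user mistyping twice.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:05Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:09Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:13Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:17Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:21Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:25Z ip=203.0.113.5 user=alice result=OK
2024-05-01T09:01:00Z ip=198.51.100.9 user=bob result=FAIL
2024-05-01T09:01:02Z ip=198.51.100.9 user=carol result=FAIL
2024-05-01T09:01:04Z ip=198.51.100.9 user=dave result=FAIL
2024-05-01T09:01:06Z ip=198.51.100.9 user=erin result=FAIL
2024-05-01T09:01:08Z ip=198.51.100.9 user=frank result=FAIL
2024-05-01T09:02:00Z ip=192.0.2.10 user=alice result=FAIL
2024-05-01T09:02:10Z ip=192.0.2.10 user=alice result=FAIL
2024-05-01T09:02:20Z ip=192.0.2.10 user=alice result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")
WINDOW = timedelta(minutes=10)   # sliding window for all counters (assumed value)
BRUTE_THRESHOLD = 5              # failures against one account from one IP
SPRAY_THRESHOLD = 4              # distinct accounts failed from one IP


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def _trim(q, now, key=lambda item: item):
    """Drop entries older than WINDOW from the left of a deque."""
    while q and now - key(q[0]) > WINDOW:
        q.popleft()


def detect_password_attacks(events):
    """Return alerts for brute force, credential stuffing, and success after a failure burst."""
    alerts = []
    fails_by_pair = defaultdict(deque)   # (ip, user) -> failure timestamps
    fails_by_ip = defaultdict(deque)     # ip -> (timestamp, user) of failures
    raised = set()                       # one alert per (type, key)

    for ts, ip, user, result in events:
        pair_q = fails_by_pair[(ip, user)]
        _trim(pair_q, ts)
        if result == "FAIL":
            pair_q.append(ts)
            if len(pair_q) >= BRUTE_THRESHOLD and ("brute_force", ip, user) not in raised:
                raised.add(("brute_force", ip, user))
                alerts.append({"type": "brute_force", "ip": ip, "user": user,
                               "at": ts, "failures": len(pair_q)})

            ip_q = fails_by_ip[ip]
            ip_q.append((ts, user))
            _trim(ip_q, ts, key=lambda item: item[0])
            targets = {u for _, u in ip_q}
            if len(targets) >= SPRAY_THRESHOLD and ("credential_stuffing", ip) not in raised:
                raised.add(("credential_stuffing", ip))
                alerts.append({"type": "credential_stuffing", "ip": ip, "user": None,
                               "at": ts, "accounts": len(targets)})
        else:
            # A success right after a burst of failures is the signal worth paging on:
            # the guessing may have worked and the account should be treated as compromised.
            if len(pair_q) >= BRUTE_THRESHOLD:
                alerts.append({"type": "success_after_failures", "ip": ip, "user": user,
                               "at": ts, "failures": len(pair_q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample this raises three alerts and stays silent for the user who mistyped twice. Real attackers spread attempts across many source addresses to stay under per-IP thresholds, so production detection also keys on the target account and on the user agent or ASN, and a success from a never-before-seen location is a strong signal even without a preceding failure burst.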

Password reuse across work and personal accounts is routine for 51% of people, and more than 50% of passwords include the user's name or date of birth, details that are easily learnt from social media accounts. Poor password habits clearly remain common, which makes password attacks easier. This is even more concerning given that 80% of breaches involve compromised accounts, which are difficult to detect and can take up to 250 days to identify.

Prevention: From a user's perspective, these attacks can be prevented through better password habits: enable multi-factor authentication (MFA) wherever it is offered, use a password manager to generate a long, unique password for every account, and never reuse a password between work and personal accounts. Length matters more than forced complexity. Change a password promptly when there is any sign it has been exposed (a breach notification, a suspicious login) rather than on a fixed schedule; current guidance such as NIST SP 800-63B advises against routine periodic rotation, which tends to produce predictable variations of the old password.
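The habits above can be enforced at the point a password is set. The following is an added example, not code from the original page or from Ever Nimble, of the checks a sign-up or password-change form can run: minimum length, no personal details that an attacker could harvest from social media (including common letter-for-symbol substitutions), and no match against known breached passwords. The breached-password set is a constructed stand-in; a real deployment would query a service such as Have I Been Pwned's Pwned Passwords API or a local copy of the list.

```python
import hashlib
import re
from datetime import date

# Constructed stand-in for a breached-password corpus (a real check uses the HIBP
# Pwned Passwords range API, which works on SHA-1 prefixes, or a local dump).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "Summer2024!", "letmein", "qwerty123")
}

MIN_LENGTH = 12  # assumed policy value; longer passphrases are better

# Common letter-for-symbol substitutions, so "J0hn" still matches "john".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a",
                      "$": "s", "5": "s", "7": "t"})

# Constructed example user profile: full name, date of birth, username.
SAMPLE_USER = ("John Smith", date(1985, 4, 12), "jsmith")


def personal_tokens(full_name, dob, username):
    """Strings an attacker could harvest from social media and try inside a password."""
    tokens = {part for part in re.split(r"\s+", full_name.lower()) if len(part) >= 3}
    tokens.add(username.lower())
    for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d", "%d%m%y"):
        tokens.add(dob.strftime(fmt))
    return tokens


def check_password(password, full_name, dob, username):
    """Return a list of reasons the password is weak; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    normalised = lowered.translate(LEET)
    for token in sorted(personal_tokens(full_name, dob, username)):
        if token in lowered or token in normalised:
            problems.append(f"contains personal detail '{token}'")

    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    if digest in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("J0hn1985!", "password123", "correct-horse-battery-9-staple"):
        print(candidate, "->", check_password(candidate, *SAMPLE_USER) or ["ok"])
```

The SHA-1 here is only a lookup key into the breach list, mirroring how the Pwned Passwords service indexes entries; it is not how the password should be stored, which needs a slow, salted password hash such as bcrypt or Argon2. Reuse between a work account and an unrelated personal site cannot be checked offline, which is why MFA and a password manager matter more than any single policy rule.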

Insider Threats

Originating from inside your business, these threats can be malicious or negligent. While the former is typically less common for SMBs, negligence or human error often plays a part in the success of cyber attacks. Examples include behaviour that increases the business's exposure, such as poor password habits or engaging with phishing emails, and the unintentional sharing of data or confidential information.

Prevention: Cyber awareness training is key to reducing the likelihood and severity of negligent insider threats. Equipping your team with the knowledge to identify and avoid attacks, and to handle sensitive material properly, is essential to mitigate the risk of these threats and the consequences they can have for your business's reputation and bottom line.

How Ever Nimble can strengthen your cyber defences  

The best way to protect your business against these common cyber attacks is prevention, and proactively implementing safeguards is critical. As part of our MSSP offering, Ever Nimble is committed to working with SMBs to provide robust and comprehensive cyber security solutions. We partner with world-leading security vendors and design bespoke, cost-effective packages to strengthen your cyber resilience. Learn more about our cyber security services, and how we can safeguard your business against online threats, here.

With 90% of successful cyber attacks attributed to human error, it's also essential to keep your staff's cyber security awareness up to date so that they can make informed decisions when faced with an online threat. Our CAT program offers a complete solution to test, train, measure, and reduce human risk. Learn more about this service here.