Every day, we read news of another business that has fallen foul of a cyber-attack, whether it be through phishing or nasty malware – no one is immune. Businesses are still battling against an onslaught of attacks and despite years of warnings many are failing to get to grips with good cyber hygiene. It’s a huge concern as AI threats advance the spread, sophistication and believability of AI attacks, leaving businesses increasingly -and dangerously- exposed.

According to Howden’s research, half (52%) of UK businesses, representing 1.3 million private sector companies, have suffered at least one cyber attack in the past five years, equating to a whopping £44bn of lost revenue.

While cybercriminals may have their sights set on large enterprises with a treasure trove of data to shield, small and medium-sized businesses (SMEs) are the most vulnerable to malware attacks. And this comes at a considerable cost. Analysis from Vodafone Business shows that small businesses across the UK are losing £3.4 billion a year thanks to inadequate cybersecurity measures. So, with the stakes so high, what’s holding back organizations from getting their cyber hygiene in order?

Why SMBs are easy targets

For starters, an SMB’s entry point might not be as closely guarded as larger counterparts, and many don’t have robust enough security postures to mitigate malware attacks. Furthermore, when they do face a threat, many lack awareness of what a malware attack looks like or aren’t armed with the best knowledge to mitigate or remediate the issue. Limited budgets play a huge part, with many IT teams doing their best to plate-spin with limited resources.

A study, commissioned by GoTo, finds that 58% of IT decision-makers are experiencing burnout and struggling with soaring workloads amid increasing digital demands. With an ever-demanding job and without being armed with the right tools, they are not being set up for success when battling cybercriminals’ seemingly endless box of tricks.

Human error entry points are the primary way criminals get the upper hand. Some small businesses may offer less training on security best practices for employees, leaving cybercriminals to exploit human errors, such as employees clicking on malicious links and using weak passwords to breach systems. Easy mistakes can have a big impact.

The average cost of a cyber breach for SMEs in the UK is estimated at £8,460. The power of AI will only make matters worse, with advancements expected to fuel sophisticated multichannel attacks. Not included in this is the cost of reputational harm and potential loss of business.

Being on the pulse of evolving attack strategies

We’re seeing new players emerge every day with sophisticated strategies. The most common threat types are phishing, social engineering attacks and malware but hackers are always looking to sharpen their tactics by leaning into new technology and exploiting new wrinkles on old threats. Ransomware as a service (RaaS) makes accessibility of these tools to small-time crooks even easier.

Across these threat types, there are specialist players. Opentext’s Nastiest Malware report found that the worst malware offender last year was ransomware group LockBit. Known for its resilience and relentless pursuit of critical targets, LockBit has successfully dodged multiple law enforcement crackdowns.

According to the FBI’s Internet Crime report, LockBit was reported in 175 attacks on critical infrastructure, underscoring its staying power and adaptability. The caliber of these threats is high, and unfortunately, LockBit is on a long list of other prolific offenders.

Experts also identified the most relentless and adaptive malware trends impacting industries worldwide, with ransomware aimed at critical infrastructure coming out on top. In response, organizations were projected to increase their cybersecurity investments by 14.3% last year, reaching more than $215 billion.

It’s not just businesses turning to AI to help with efficiencies. Cybercriminals are increasingly using artificial intelligence to develop highly personalized threats and we’re seeing new tactics such as deepfake technology come into play, endangering a lot of businesses. Education and upskilling on these threats is vital.

The recipe for cybersecurity success

Prevention plays an important role in safeguarding SMBs. Although it may seem basic to some, proactive cybersecurity measures, such as regular updates, multi-factor authentication, data backups, and penetration testing, are all key parts of the puzzle.

Companies also need to ensure that they have defined security policies and procedures to avoid any leak of information. This is where employee education comes in. As the gatekeepers of information, their cybersecurity literacy and awareness of policies can determine the success of your strategy. Engaging and realistic attack simulations and scenario-based training can be used to identify those who need upskilling while simultaneously flagging any training gaps.

As IT Leaders, you need to test and adapt your strategies. Test your incident response plans and refine them as required. This should be constantly evolving just like threat strategies. Deploying the 3-2-1 backup rule (where you have three copies of your data, stored on two different types of media, with one copy kept off-site) will help to ensure continuity if you are a target. Finally, working with a cybersecurity partner can support IT professionals to plan, and execute comprehensive safety measures.

While headlines on cyber attacks can cause alarm, there is a silver lining. The ongoing media attention on ransomware and cybersecurity raises awareness. It pushes more organizations to proactively prioritize cybersecurity investments. Not only does this commitment protect their data and people, but it also ensures they aren’t the next victim featured on the front page.

We’ve featured the best malware removal.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Steven Wood is EMEA Director at Carbonite.