Small business cyber threats explained

The different types of cyber threats facing small businesses are becoming increasingly complex and are changing fast. Staying on top of them can be difficult while you’re focused on your core business activities.

Also, it can be hard cutting through the jargon to understand what everything really means. Here’s a guide to the different types of threats and terms that you may have heard of – but aren’t quite clear on.


Phishing

Phishing is one of the more common attacks facing small businesses. It is where cyber attackers pose as a trusted person or contact, usually through email, to get you to click a link in a document that then extracts your log-in, bank or other personal details. The email will usually appear to be from someone you know – so it’s important whenever clicking a link in an email to check carefully that it’s from who it says it is.

Man-in-the-middle attacks

Sometimes fraudsters will attempt to gain this information through man-in-the-middle attacks, whereby they sit in the connection between you and another person you are emailing – observing the conversation for personal details or even manipulating it to get you to divulge information. Because attackers usually observe silently, this can be difficult to detect – so it’s important not to unnecessarily share personal or financial details over email.


Vishing

While phishing attacks come by email, vishing attacks are where fraudsters attempt to gain your account information or personal details over the phone. They might even claim to be calling from your bank and ask you for details or to install software – which will actually steal further information. Always check with your bank by ringing them directly before giving out any information.


Cryptojacking

Cryptojacking is a relatively new threat where cyber attackers secretly install – sometimes through a phishing attack – software onto your computers that then uses your spare processing power to mine cryptocurrency. Often, you won’t even know anything is wrong until your systems start running slowly and your electricity bills rise.

Business email compromise and CEO fraud

Another increasingly common form of attack is email hacking, whereby fraudsters will send a member of your staff an email that looks as though it is from a senior member of the team, instructing them to send money or pay an invoice to an account which is actually held by fraudsters. Sometimes this will even appear as though it is coming from the CEO or business owner. Ensure you have a culture where staff feel like they can check with senior people before doing so.

Supply chain compromises

Not all cyber attacks are a direct attack on your business. Some cyber criminals now also attempt to get into your systems by exploiting vulnerabilities in your suppliers’ IT systems. With small businesses often turning to managed service providers and IT consultants to support their IT as they grow, this increases the chances of a supply chain compromise – so it’s important to have reputable partners.


Ransomware

Ransomware began as malicious software (malware) designed to get into your systems and lock your files or operations – until you pay a ransom to access them again. Now, it’s an even more complex threat, with some fraudsters looking to extract your data and threatening to publish it online unless you pay. Ransomware can be hugely disruptive, as it can stop you from operating – and because it compromises your data it can also damage your reputation.


Formjacking

Formjacking is when cyber criminals inject malicious code into your site to gain sensitive customer information from any forms you might have. If, for example, your customers share credit card details via an order form, or contact information through a subscription form, fraudsters will use this code to access those details. Therefore, it’s important that any ecommerce or payments pages are well up to date with the latest security measures.

Storm cloud

Of course, as your business grows, you are more likely to use services that rely on the cloud to store data and financial information. With that trend comes an increased focus among cyber criminals to attack cloud systems. Therefore, it’s important not to think that just because you are using the cloud that you can relax on security across your network – because your network is an entry point to that cloud system.

It’s clear that there are many cyber threats facing small business today and that they are evolving fast. However, there are plenty of steps you can take to protect yourself now you are aware of the different types of attacks and the risks they pose.

We work with Hiscox, who offer a wide range of insurance policies to help protect your business – including cyber and data, professional indemnity and office cover.

As an IoD member, you benefit from a 5% discount on their standard rates for the life of your policy.

0800 280 0354
