If you’re like most SMB leaders, you might think cyber criminals aren’t interested in you. This is not the case. The recent arrests following the attacks on M&S, Co-op, and Harrods may seem like stories for the bigger Organisations, but the same tactics used against those household names are already being turned on smaller businesses. The reality is you don’t have to be the richest person on the street to get burgled — just the one who left the door unlocked.
In this article, I’ll unpack what’s happening beneath the headlines: who’s behind these attacks, how their tactics work, and most importantly, what SMBs like yours can do now to protect your business, your customers, and your reputation. Because being small is no longer a shield, it’s a risk.
What This Article Covers:
- The Dangerous Assumption: “We’re Too Small to Be a Target”
- Who Is Scattered Spider, and Why Should SMBs Know Their Name?
- Security Starts in the Mind, Not the Stack
- Turning News into Action
The Dangerous Assumption: “We’re Too Small to Be a Target”
In a recent article, Callum Archer explained why the recent cyber attacks on the NHS and M&S aren’t just headline news – they’re a wake-up call for SMBs. This is a message worth repeating, because one of the biggest misconceptions amongst small businesses I still come across is that they’re too small, too niche, or too under-the-radar to attract the attention of threat actors.
But that couldn’t be further from the case. The reality is that attackers are actively seeking smaller businesses as entry points into larger supply chains, or as easy wins with low risk and high return. In other words, SMBs are the low-hanging fruit for hackers simply because many don’t take cyber security as seriously as they should (and therefore don’t have the preventative measures firmly in place). So, as you can imagine, believing that your business is “too small to get hit” only exacerbates the issue.
Check out this article for a deeper dive into why SMBs are primary targets.
I get it: you might understand the risks, but without a dedicated IT team – whether internal or external to your organisation – there’s only so much you can do. We’ve seen attackers exploit default credentials, unpatched systems, and basic email weaknesses, all of which are common in smaller organisations that have no IT manager. This is where working with a trusted managed service provider (MSP) comes in: I’m sure we can all agree that keeping your business protected is non-negotiable.
Whether you’re managing a 20-person agency or running a global empire, the attack surface looks the same:
- Key systems built on cloud platforms like Microsoft 365 or Google Workspace
- Sensitive customer or payment data sitting locally on users’ devices
- Internal messaging tools like Slack or Teams used to make simple requests
As powerful as these platforms may be, they become vulnerable when they’re poorly secured. One UK logistics company, operating for 158 years, was brought to its knees by a simple email breach. It wasn’t a lack of resources that shut them down, but a lack of preparedness. Something as simple — and inexpensive — as better email security and human awareness could have made all the difference.
You might be thinking something along the lines of, ‘That’s all well and true, but there are so many more businesses out there that’d be more valuable. What would a cyber attacker want with my little mom and pop shop?’ Short answer: the customers you serve. Many SMBs have much larger clients, and in this case those clients are the ultimate target. Your business essentially acts as a bridge for attackers to reach those clients’ servers. This is what we in the business call “island hopping” or a “supply-chain attack”: hacking into a smaller business to penetrate more significant networks through the path of least resistance. When an attacker compromises your system, they’re not just breaching your business: they’re potentially accessing your clients, your suppliers, and your entire ecosystem.
Sometimes, hackers simply have personal vendettas and take matters into their own hands. Something as small as poor service to a disgruntled customer can turn into a cyber incident. Moreover, with ransomware-as-a-service now available on the dark web, anyone with a grudge and a little money can launch a targeted attack against your business. They might not even hack you directly, but simply upload all your data onto the dark web for other bad actors to do as they please.
Who Is Scattered Spider, and Why Should SMBs Know Their Name?
The name Scattered Spider has become synonymous with some of the most high-profile cyber attacks in recent months. They’re not just your average ransomware gang: they’re strategic, calculated, and frighteningly effective.
Their primary weapons of choice are:
- Social engineering: They make friends with your staff. They impersonate trusted figures. They send realistic deepfake emails or make convincing phone calls. It’s all about gaining trust (and our polite English culture doesn’t exactly help us here).
- MFA fatigue: By bombarding users with push notifications, they wait for the moment someone clicks 'approve' out of sheer exhaustion or frustration.
- Insider recruitment: Some employees might be tempted to assist an attacker — willingly or not — if they’re unhappy or under pressure.
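Of the three tactics above, MFA fatigue is the one that leaves a clear trace in your identity provider’s sign-in logs: a burst of push prompts for one user, most of them denied or timed out, sometimes ending in an approval. The script below is an added example, not code from the original article or from any vendor’s product; it runs over a constructed list of MFA push events in a hypothetical format (user, timestamp, result) and flags users whose prompts fit that pattern, rating a burst that ends in an approval as more severe than one that does not. The window, threshold and event field names are assumptions; map them to whatever your own MFA provider exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events. The field names are a hypothetical
# schema for this example, not any real vendor's log format.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-07-01T08:00:05", "result": "approved"},  # normal sign-in
    {"user": "bob",   "ts": "2025-07-01T22:10:01", "result": "denied"},
    {"user": "bob",   "ts": "2025-07-01T22:10:20", "result": "denied"},
    {"user": "bob",   "ts": "2025-07-01T22:10:44", "result": "timeout"},
    {"user": "bob",   "ts": "2025-07-01T22:11:03", "result": "denied"},
    {"user": "bob",   "ts": "2025-07-01T22:11:30", "result": "approved"},  # user gave in
    {"user": "carol", "ts": "2025-07-01T09:00:00", "result": "denied"},    # isolated denial
    {"user": "carol", "ts": "2025-07-01T14:30:00", "result": "approved"},
]

# Numeric rank so that severities compare correctly (string order would not).
SEVERITY_RANK = {"medium": 1, "high": 2}


def group_by_user(events):
    """Return {user: [(timestamp, result), ...]} sorted by time per user."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((datetime.fromisoformat(event["ts"]), event["result"]))
    for seq in by_user.values():
        seq.sort()
    return by_user


def find_mfa_fatigue(events, window_seconds=300, threshold=3):
    """Flag users who received `threshold` or more push prompts inside a sliding
    window of `window_seconds`, where nearly all of them were not approved.

    Returns {user: {"severity", "prompts", "unapproved"}} keeping, for each
    user, the most severe (then largest) burst seen. A burst whose last prompt
    was approved is rated "high": that is the signature of the user giving in.
    """
    window = timedelta(seconds=window_seconds)
    findings = {}
    for user, seq in group_by_user(events).items():
        start = 0
        for end, (ts, result) in enumerate(seq):
            # Slide the window start forward until the burst fits in the window.
            while ts - seq[start][0] > window:
                start += 1
            burst = seq[start:end + 1]
            if len(burst) < threshold:
                continue
            unapproved = sum(1 for _, r in burst if r != "approved")
            if unapproved < threshold - 1:
                continue  # several quick approvals is normal use, not fatigue
            severity = "high" if result == "approved" else "medium"
            previous = findings.get(user)
            key = (SEVERITY_RANK[severity], len(burst))
            if previous is None or key > (SEVERITY_RANK[previous["severity"]], previous["prompts"]):
                findings[user] = {"severity": severity, "prompts": len(burst), "unapproved": unapproved}
    return findings


if __name__ == "__main__":
    for user, finding in find_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {finding['severity']} - {finding['prompts']} prompts, "
              f"{finding['unapproved']} not approved within 5 minutes")
```

On the constructed data only bob is flagged, and at high severity, because four unanswered or denied prompts in under two minutes were followed by an approval; carol’s single out-of-hours denial is ignored. A "high" finding is the one to treat as a probable compromise (reset the session and the password, and talk to the user), while a "medium" burst is an early warning that someone is being prompted and, so far, holding the line. The same per-user grouping answers the "who ignores MFA prompts?" question from the training section further down.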
We’re seeing a shift where these attackers aren’t just executing attacks; they’re selling the means to execute attacks. This includes ransomware kits, login credentials, and access to compromised infrastructure. Last year the World Economic Forum ranked cyber crime 4th in the top five global risks over the next two years. It’s a lucrative business: threats are scalable, industrialised and becoming more automated.
Security Starts in the Mind, Not the Stack
Cyber security isn’t a checklist — it’s a behaviour that requires a mindset and cultural shift in the organisation. And this starts at the top: leaders should model caution and curiosity: verify before you trust, question before you click. You don’t want anyone in the business saying, “They told me to do it, so I just did.” Whether it’s sending a separate email to confirm a request, or calling someone directly on a known number to double-check a payment change — these small actions can prevent major breaches.
All of this is emphasised in Human Risk Management, but cyber security training isn’t just about creating user awareness, it’s about knowing your people. Who consistently clicks phishing tests? Who ignores MFA prompts? Do you run simulations to identify these patterns? Because if you do, you can intervene early — before a real attacker gets in.
Turning News into Action
If you take one thing away from the news about M&S or Harrods, let it be this: no one is too small to be a target.
Hackers aren’t just after your money: they’re looking for any weaknesses that will lead them to a bigger target or just give them bragging rights on the dark web. And that means every SMB has a responsibility — to themselves and to their customers — to build a secure foundation.
As someone who lives and breathes cyber security every day, I’ve seen how fast things can unravel when protection isn’t prioritised. Let’s put an end to the idea that SMBs are “too small to matter.”
The threats may be growing, but so are your options for staying ahead of them. Whether it’s endpoint management, backup, cloud monitoring or user awareness training, we’re here to help – talk to our team about how we can keep your business protected.