Cyber, fraud and data risk: a problem for SMEs

19.03.2026

7 minute read

Authored by

Greg Vincent

Partner, Head of Department

There can be a tendency for some SMEs to treat cyber risk as something that happens to other people.

Typically, the instinct is that criminals will target larger businesses with a higher volume of customers, deeper pockets and more valuable data.

That was never a safe assumption, and it’s becoming increasingly untenable.

Rather than shifting towards more sophisticated, targeted attacks on large corporates, scammers are pursuing higher-volume, opportunistic activity aimed at businesses that are easier to access.

It’s not always about a catastrophic systems breach. Significant damage can be caused by a member of staff who gets caught out by an ordinary-looking email (a payment request that fits the usual pattern) or by a process that relies just a little too heavily on trust.

The risk (not always what you might expect)

When clients talk about cyber risk, it’s the headline-grabbing stories of ransomware or major data loss that come to mind, but the threat can be much simpler. One of the most common scenarios is payment diversion.

This involves a supplier’s email account being compromised (or imitated). A request then comes through notifying a change in bank details (in the usual format with a convincing email chain). Only later does it become clear that the funds have gone elsewhere.

At that point, in most cases, the original obligation to the supplier hasn’t been discharged. The money has gone, and the invoice remains payable.

Where informality becomes exposure

The underlying issue in many of the instances in which SMEs are caught out is not necessarily the technology but rather the process.

Efficient SMEs often operate with lean teams and a degree of informality that allows decisions to be made quickly. This level of agency is a necessary and (for the staff) often welcome element of working for a smaller business. It also works well commercially. However, it can create vulnerabilities.

Payment details are updated without independent verification, and approval processes (if they exist) become compressed or simply bypassed under time pressure. Over time, awareness of the inherent risk in faceless, voiceless emails can begin to atrophy.

The ingrained ability we have to recognise even small inconsistencies when dealing with real people does not carry over when we glance at familiar email addresses, signatures and logos. We tune out familiar, seemingly irrelevant stimuli and fail to pick up the inconsistencies. It’s not laziness; it’s latent inhibition, a cognitive mechanism in which we see what we expect to see.

Similarly, fraudsters can send messages purporting to come from senior individuals, stressing the need for urgent payments or disclosures of information. This exploits staff concern about disrupting the business by checking or escalating, rather than any technical sophistication.

If it feels plausible and arrives at the right moment, people can get caught out.

The legal consequences are often an afterthought

It is only once the immediate issue has been identified that the legal implications start to come into focus. There are usually several layers to this.

First, the contractual position. If payment is made to the wrong account, the starting point is usually straightforward but uncomfortable: the original obligation has not been discharged as the supplier has not been paid. The money is gone, and the invoice remains payable, often with little practical prospect of recovery.

Second, there is the question of data. Even relatively contained incidents can trigger obligations under UK data protection law where personal data is involved. In some cases, businesses may have as little as 72 hours to assess the risk, decide whether the incident is reportable, and make a notification. That decision often has to be taken quickly, with incomplete information and while the facts are still emerging.

Finally, there is the internal governance dimension. Directors are under a duty to exercise reasonable care and diligence. That does not require eliminating risk altogether, but it does require being able to explain what controls were in place and why.

Where an incident exposes a complete absence of basic safeguards (such as verification of payment changes or staff training) that position can become difficult to justify under scrutiny, whether from insurers, regulators, auditors or stakeholders.

What makes a difference

The encouraging point is that many of the most effective safeguards are not especially complex. Businesses that avoid these issues tend to do a small number of things consistently well.

They verify changes to payment details, every time, using a known and trusted contact point. Not most of the time but every time. They avoid relying on a single individual to approve payments, particularly where the request is unusual or time-sensitive. They create an environment in which staff are comfortable pausing and asking questions, even where the request appears to come from a senior colleague. It’s a cultural point about feeling confident to ask questions. It’s often overlooked, but it matters.

Their managers also have (at least) a basic understanding of what needs to happen if something does go wrong. They can react quickly in identifying who needs to be involved, what steps should be taken immediately, and when external advice is required.

None of this is particularly sophisticated. It’s understood and documented (with regular and consistent reminders).

Adopting the right mindset

Cyber and fraud risk is still too often treated as a technical “IT” issue and dealt with reactively when a problem arises. In practice, it is a business risk with legal consequences, and it can help to approach the issue on that basis.

For SMEs, the objective is not to replicate the infrastructure of larger corporates but to identify where the business is most exposed and to put in place practical controls that are proportionate and consistently applied.

This won’t make a business immune to incidents, but when something does happen, these businesses are in a far stronger position to contain the damage, justify their approach and deal with the aftermath.

Final thoughts

SMEs are often targeted because they are accessible, predictable, and, in many cases, underprepared. The uncomfortable reality is that most cyber and fraud incidents do not involve especially sophisticated tactics. They succeed because they exploit small gaps in otherwise sensible processes.

Closing those gaps does not require a wholesale overhaul of your policies and processes. It requires monitoring, consistency, and a willingness to challenge the assumption that “this won’t happen to us”. That assumption can often be the starting point for the problem.

How Morr & Co can help

If you have any questions or would like any further information on the content of this article, please do not hesitate to contact our Corporate & Commercial team on 0333 038 9100 or email info@morrlaw.com and a member of our expert team will get back to you.

Disclaimer
Although correct at the time of publication, the contents of this newsletter/blog are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.
