When 800,000 bots hit a handbag shop, every small business should sit up
A handbag repair shop should not need a crisis war room, yet one Saturday it did. The Handbag Clinic watched its website slow to a crawl, then crash. Later, the team learned that more than 300,000 bots had been pointed at a single page in a denial-of-service blast. By the next day a further 500,000 bots, mostly sourced from Brazil, tried again. Quick work and new controls got the site back in about 12 hours. Weekend takings still fell from the usual £20,000 to £4,000. Add the cost of extra software and you see how a digital shove can rattle a £5 million business.
If the giants can be humbled, smaller firms feel exposed. Marks and Spencer just showed how brutal a modern breach can be, with a profit collapse tied to one incident, heavy consulting bills, and a long clean-up. The lesson is not despair. It is discipline. The tools to survive exist, and most are dull on purpose.
Deepfakes turn fear into urgency. A managing director hears her own voice ask for an urgent £50,000 payment that she never authorised. Staff listen to a friendly message, only to learn it was fabricated by an AI tool. It is unnerving to hear your voice say things you did not say. That is the point. Criminals industrialise the con. They do not need to target you by name. They spray the internet and see who clicks, who pays, and who panics.
Small companies carry the thinnest buffers. An insurer’s survey suggests that many firms below £1.1 million in turnover hold less than £50,000 in spare cash. One mistake can burn through that in an afternoon. The answer is not more panic. It is a checklist you can run when tired, busy, and under pressure.
Here is the boring, effective playbook.
- Payments, trust but verify. For any new or changed bank details, pick up the phone, call a known number, and send a £1 test payment before you send the balance. Build a sign-off sheet for accounts. No exceptions.
- Identity, raise the bar. Turn on multi-factor authentication across email, finance, cloud storage, and admin tools. Use a password manager. Ban password reuse. Rotate admin credentials quarterly.
- Updates, do them on a timetable. Patch operating systems, phones, routers, and point-of-sale devices. Replace unsupported kit. If a device no longer gets security updates, budget to retire it.
- Backups, keep one offline. Take daily backups of core systems, keep one copy offline, and test restores monthly. A backup you have not tried to restore is a hope, not a plan.
- Web resilience, share the load. Put your site behind a content delivery network with DDoS protection, rate limiting, and bot filtering. Turn on basic web application firewall rules. Pre-agree failover steps with your web host, including who to call after hours.
- People, train for the click. Run short phishing drills. Teach staff what fake invoices and lookalike domains look like. Show one deepfake example so they know how real it can sound.
- Insurance, read the small print. Carry cyber cover sized to payroll and revenue. Confirm that incident response, legal support, and PR are included. Know the hotline number. Store it on paper as well as in the cloud.
- Drill your response. Write a two-page plan that names an incident lead, legal contact, IT support, insurer, and bank. List the first actions: isolate affected systems, reset credentials, call your bank, inform customers if data is at risk. Rehearse this once a year. Big companies do. You should too.
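The web resilience item above talks about rate limiting and bot filtering without showing what those controls actually decide. The following is an added illustration, not code from the article or from any CDN vendor, of the two checks an edge layer typically makes: a per-client token bucket that throttles one address hammering the site, and a per-page surge cap that switches a single hot page to a cached fallback when too many distinct clients hit it at once, which is the shape of the attack the Handbag Clinic describes. The traffic lines, addresses and thresholds are constructed for the example; a real CDN or WAF tunes these from the site's normal traffic.

```python
from collections import Counter, defaultdict, deque


class TokenBucket:
    """Per-client limiter: `capacity` is the burst a client may make at once,
    `rate` the sustained requests per second it earns back afterwards."""

    def __init__(self, capacity: int, rate: float, now: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)  # tolerate out-of-order timestamps
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeLimiter:
    """Two layers: a token bucket per client address, plus a cap on how many
    requests a single path may reach the origin in a sliding window. Past the
    cap the edge answers "fallback" (serve a cached/static copy) rather than
    letting a flood of fresh addresses exhaust the origin."""

    def __init__(self, client_burst: int = 10, client_rate: float = 5.0,
                 path_window: float = 1.0, path_cap: int = 200) -> None:
        self.client_burst = client_burst
        self.client_rate = client_rate
        self.path_window = path_window
        self.path_cap = path_cap
        self.buckets = {}                 # client ip -> TokenBucket
        self.path_hits = defaultdict(deque)  # path -> timestamps served by origin

    def decide(self, now: float, client_ip: str, path: str) -> str:
        """Return "allow", "throttle" (HTTP 429) or "fallback" (cached page)."""
        hits = self.path_hits[path]
        while hits and now - hits[0] > self.path_window:
            hits.popleft()                # drop hits outside the window
        if len(hits) >= self.path_cap:
            return "fallback"             # origin already saturated for this page
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = TokenBucket(self.client_burst, self.client_rate, now)
            self.buckets[client_ip] = bucket
        if not bucket.allow(now):
            return "throttle"             # one client exceeding its own budget
        hits.append(now)                  # count only what the origin serves
        return "allow"


def replay(lines, limiter: EdgeLimiter = None) -> Counter:
    """Run lines of the form "<seconds> <client_ip> <path>" through the limiter
    and tally the decisions."""
    limiter = limiter or EdgeLimiter()
    outcome = Counter()
    for line in lines:
        ts, ip, path = line.split()
        outcome[limiter.decide(float(ts), ip, path)] += 1
    return outcome


def constructed_traffic():
    """Constructed sample traffic (not a real log) in three phases."""
    lines = []
    # A regular shopper browsing at 2 requests per second for 10 seconds.
    for i in range(20):
        lines.append(f"{i * 0.5:.3f} 203.0.113.10 /repairs")
    # One address firing 20 requests inside 0.2 seconds.
    for i in range(20):
        lines.append(f"{10 + i * 0.01:.3f} 198.51.100.7 /repairs")
    # 300 distinct addresses, one request each, all at one page within 0.6 s.
    for i in range(300):
        lines.append(f"{20 + i * 0.002:.3f} 198.18.{i // 256}.{i % 256} /sale")
    return lines


if __name__ == "__main__":
    print(replay(constructed_traffic()))
```

With the defaults the shopper is never touched, the single hammering address gets its first ten requests through and the rest throttled, and the 300-address surge on `/sale` reaches the origin 200 times before the page flips to the cached fallback. The point for a small firm is that the per-client bucket alone would have done nothing against the 300 fresh addresses; only the per-page cap protects the origin, which is why the article's advice to put the site behind a CDN with DDoS and bot controls matters more than a home-grown limiter on the web server.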
For founders, the fear is not only financial. Your business is your name, your livelihood, your legacy. Seeing a login prompt turn into a ransom note feels like a home being ransacked. That emotion is valid. Preparation channels it into action. You will not stop every attack. You can turn a fatal blow into a bad day.
The web has made every small firm more reachable. Payments move faster. Files sync everywhere. That convenience is also an attack surface. Do not mistake quiet months for safety. Criminals automate. They only have to be right once. You have to be ready every time.
The good news is simple. Most defences are cheap, repeatable, and culture driven. Make security a routine, not a project. Put names next to tasks. Check them. Celebrate the dull victories, the patch done on time, the invoice verified, the backup restore that worked. When 800,000 bots arrive on a weekend, you will be glad you did.
Photo Credit: DepositPhotos.com
