Why Cyber Security Matters To SMEs


It's not just big businesses that endure the most cyberattacks

Small and medium-sized businesses are just as vulnerable and, in many ways, more so. Cyber security for SMEs is a priority topic this year and, as far as we can tell, will stay so for the foreseeable future.

Micromix specializes in the development and application of crop and plant nutrition for companies ranging from farmers through commercial fruit growers to sports turf providers. A ransomware attack encrypted 10 years of data and left them without IT systems and unable to serve their customers. To compound the issue, they had no reliable data backup. With no other choice, the company paid the ransom to retrieve their data.

According to the 2017 cybersecurity breaches survey, two-thirds of medium-sized firms in the UK suffered at least one cyber security breach or attack in the previous year.

What makes SMEs vulnerable?

1. Some don’t accept there is a pressing need to act

While many SMEs understand the cyberthreat and spend what’s needed to protect themselves, others lag. They don’t believe it could happen to them, have other priorities, or think they have all the protection they need.

Almost half of SMEs plan to spend £2,000 or less on cybersecurity this year. More worryingly, a quarter don't know how much they will spend, or if they will spend at all.

2. Small businesses are often seen as an easier way of getting at a bigger target

Attacks on SMEs are unlikely to produce the same return to criminals as a successful attack on a large enterprise, but there’s another reason why they are attractive: they often hold data on behalf of those bigger companies.

SMEs provide services as diverse as cloud data storage, M&A consultancy, and debt collection, all of which means they hold commercially sensitive data that, in the wrong hands, could form the basis of a ransomware demand to their customer.

3. SMEs often keep quiet if there’s a security breach

Requests for modest ransoms – hundreds of dollars, for example – are more likely to be paid by small businesses anxious to avoid the glare of publicity that could unsettle larger customers and shrink their sales pipeline.

So, does it matter?

The financial cost of disruption and recovery

A cyberattack often results in a financial cost to the business. Actual costs are difficult to find, since not many companies will reveal them for obvious reasons, but the average is estimated at £3k for a mid-sized company and £1.5k for a small business, rising steeply to £20k for larger companies.

However, if the full impact – reputation damage, loss of business, time taken to recover – is added, it's likely the actual cost will be much higher. It can take days, and often weeks, to recover from an attack. For severe data loss – like that experienced by Micromix – it could take months to restore your reputation, even if the ransom is paid.

All of this can be helped, and the worst avoided, with a robust business continuity plan, but these don’t tend to be high on the list of business priorities for a hard-pressed SME.

Reputation damage leading to customer loss

As discussed earlier, SMEs often serve bigger companies and if an attack results in the loss of their sensitive data, it could mean the end of the relationship. They also need to comply with regulations, like GDPR, that stretch across the supply chain.

Non-compliance, and appearance on the regulator’s blacklist, means they could not only lose contracts but also be barred from government work. Ultimately, if the business impacts are serious enough, the business could fold.

5 steps for SMEs to reduce cyber security business risk

There’s a lot for businesses to do to make sure they’re well protected... consider these a good start.

  1. Accept there is a baseline budget for cyber defense and build it into your annual business plan. The amount will vary by type of organization – size, industry, customer type – but you should be able to work out a number. According to Gartner, organizations spend an average of 6 percent of their IT budget on IT security and risk management, but the number can vary from 1 to 13 percent. Consider it an investment, not a cost.
  2. Perform an annual cybersecurity risk and threat assessment to make sure cybersecurity doesn’t end up at the bottom of your in-tray. There are freely available checklists that help ensure you don’t miss anything.
  3. Take care of the technology basics: protect your network, control access to systems, and provide secure tools for remote working.
  4. Since cybercriminals are primarily interested in data, make sure you know what you’ve got and where it is. Be extra rigorous in protecting commercially sensitive information.

Number 5 is staff awareness training, and that's the subject of our next post.

The main vulnerabilities and threats for SMEs

A vulnerability is a weakness inside the business – people, technology, business process – and a threat is an activity (human or otherwise) that exploits a vulnerability. Knowing your vulnerabilities and the threats that might exploit them is the first step in planning an effective cybersecurity defense.

Some of the more common vulnerabilities are listed below:

People

  - Emailing to an insecure address or wrong recipient
  - Installing unauthorized software and apps
  - Removing or disabling security tools
  - Downloading & installing unauthorized apps
  - Opening spam emails
  - Sharing business info on social media
  - Connecting personal devices to company networks
  - Writing down passwords and sensitive data
  - Insecure method for file sharing
  - Storing unencrypted data on mobile devices
  - Portable devices not stored securely
  - Insecure passwords

Technology

User Access Controls

  - Users are given access to systems they don’t need
  - User accounts left in place after employee leaves

Software & Hardware

  - Vendor updates/patches not applied to hardware or software
  - Old browsers and vulnerable plug-ins
  - Legacy systems – can’t easily be updated to address the latest threats
  - Infrequent or absent data backups

Network

  - Weak firewall
  - Insecure WiFi networks

 
