Attacks on SMEs are not new. Like larger organizations, they have been on the receiving end of both ransomware and phishing attacks for some time. What is changing, however, is the strategy adopted by the cyber criminals targeting SMEs. Granted, hit and run attacks (i.e. encrypt the business data and then call for the appropriate amount as ransom) still continue but we are now seeing attacks that are far more aggressive in their nature and use a more diverse array of attack vectors.
This could mean life or death for an SME. In fact, recent research from insurance and risk management firm Gallagher warns that 57,000 UK SMEs could collapse following a serious cyber incident which impacts their ability to trade. So why are SMEs a prime target?
This can be attributed to a number of reasons. For starters, we are seeing a willingness to pay a ransom. Around a third say they would rather pay a ransom to a hacker than invest in cybersecurity, according to our latest Risk:Value Report, because they considered it the cheaper option.
Similarly, due to their size, SMEs are grappling with a lack of resources to address cyber risk – a factor also validated by the same report which found that 43% of organizations lack the necessary skills and resources in-house to cope with the number of cybersecurity threats.
Another key reason is the analysis paralysis syndrome. In other words, being unable to make a decision as a result of overanalyzing or overthinking a situation. Complexity in the cybersecurity space hasn’t helped matters. There has never been more choice in security technology which this leaves SMEs struggling to make sense of the overwhelming number of solutions out there. What’s more, many are too often adding more technology as the silver bullet solution but, if SMEs make ill-advised choices, it’s not going to deliver the value they are expecting.
Finally, there is the wait-and-see attitude towards security investment and the assumption that SMEs won’t be targeted by cyber criminals. This couldn’t be further from the truth as business and professional service providers, for example, are often used as a stepping stone for hackers to enter the supply chain of a larger organization and commit a larger scale attack.
So what’s the answer? SMEs must acknowledge that, like large organizations, they are vulnerable and must take proactive security measures to deter the cyber criminals. They also need to avoid unnecessary complexity and take a more focused approach.
While there is no panacea to tackling cyber threats, here are some essential steps for SMEs when trying to stay ahead of the attackers:
- Make cybersecurity a strategic priority and ensure that you involve all parts of the organization – it’s not just the role of the IT department
- Understand what and where your crown jewels are along with the mitigation strategies in the event of a cyber-attack around them
- Regularly review your cybersecurity policy and incident response plans
- Understand your organization’s compliance obligations
- Understand how threats and other technological risks will evolve and that new skills will be needed to address evolving cybersecurity requirements. Consideration must be given on how to meet these challenges by upskilling, recruitment or through the use of third parties
- Review your supply chain. As previously said, cyber incidents increasingly start from suppliers or partners so it’s important you understand your third party vendors’ approach to cybersecurity – and demand improvements where required.