SMEs have long been a favourite hunting ground for cyber criminals. Big enough to be of interest in terms of data held and yet often small enough not to have an adequate level of cyber security in place – or even be aware that they are at risk.
Perhaps that’s why 65% of SMEs suffered a cyber attack across 2019-20 compared to 46% of all businesses on average. And, as research from NatWest found, they don’t just get hit once. SMEs that suffered a breach were hit an average of six times each in that period – that’s once every two months.
This is the latest in a series of blogs covering the damage done by so-called ‘cyber security myths’. We’ve recently looked at home workers – who, due to the Coronavirus, are proving to be a rich source of new attacks. Now, in this latest blog, we turn our lens towards SMEs.
The numbers show a particular vulnerability of SMEs to cyber crime. But, the good news is that the more aware you are of these areas of danger, the more robust your level of cyber security can be.
The real cost of cyber attacks on SMEs
Research by business insurer Hiscox found that the average mean cost of a cyber security breach for an SME business in 2019 was £11,000. However, nearly 10% paid out in excess of £20,000. This figure includes costs such as ransom payments, hardware replacements and indirect factors such as business interruption.
But, if an SME is unable to recover from an attack, the real cost may be business extinction. Research by insurer Gallagher in 2019 found that 23% of SMEs admitted they couldn’t survive for more than a month if unable to trade following a cyber attack incident – putting around 57,000 of UK SMEs at risk of collapse. A relatively short-term denial of access to premises or systems paralysis following an attack could cause irreversible, possibly fatal damage.
It’s a classic risk dilemma. Dodge the bullet of the cyber criminal and an SME may wonder what all the fuss about. Suffer an attack – then it’s a far greater headache than it needed to be. Prevention is always easier (and a lot cheaper) than a cure.
So, what are the myths the cyber criminals want you to believe?
We’ve got beneath the surface of some of the main myths potentially damaging the cyber security of SMEs – separating the facts from the confusion.
Myth: SMEs are under less threat as hackers are only interested in larger businesses
This is often perpetuated by media coverage of large-scale attacks. It’s easy to believe it’s always the banks and airlines that suffer attacks as that’s what we tend to see reported. Which is why some SMEs believe that, with such big fish to catch, surely the bad guys won’t be interested in their modest business that’s not even a household name. That’s exactly why their guard is often down and the door wide open.
Fact: If you are online and hold any form of customer or financial data, you are a target – and at risk. Cyber criminals are opportunists and scan for vulnerable systems, then attack. They may not even be targeting SMEs specifically – they’ll just wait to see which systems are vulnerable and don’t have any preventative measures in place. They may be interested in large businesses, but it’s often the smaller ones that let them in.
Myth: Only companies that take payments online are at risk of cyber crime
Cyber criminals aren’t just interested in stealing online payments. Often the data held by SMEs is of far greater value. The more sensitive, the better – customer data, accounts, medical or legal records – causing immense damage to reputation if their loss were revealed. This is why some SMEs resort to paying a fee to get their access back – i.e. through a ransomware attack.
Fact: All SMEs are at risk and whilst hacking of payment processing software is an obvious tactic, cyber criminals can benefit from stealing a wide range of data from businesses.
Myth: The IT department looks after cyber – so we don’t have to
People can believe that having an IT department in place means cyber security is taken care of. Yes, you can have firewalls in place, use VPNs, mobile device managers – but all of it counts for nothing if employees become complacent and click on a phishing link or pay an invoice as a result of a fake email.
Fact: Believing that IT = cyber security is a dangerous myth. Having the kit in place alone isn’t a cyber security strategy. Employees need to realise that it’s human vulnerability that is often the real weakest link – and that’s what the attacker wants to exploit. A relatively small investment in awareness training will pay for itself many times over if it foils a cyber incident.
Myth: We outsource our IT to a local provider – and they take care of our cyber security for us
There are many good IT providers offering services to SMEs that include cyber security as part of their overall offer. The danger lies when the emphasis is purely technical and weighted towards IT systems and networks (at the expense of the awareness aspects), resulting in ignorance of the threats posed by humans.
Fact: Your IT provider is not in your business, using your systems and opening your emails. They can’t be alert for you and human error often poses the biggest risk. What’s more, they are not responsible for your physical security – often an oversight with cyber security. Cyber security is not only about digital security.
Myth: Cyber security is too complex and too expensive for an SME to implement
There is no shortage of best practice advice about cyber security. But some firms find the prospect of finding out for themselves daunting, unsure of what to do and where to go, especially if they lack the internal skills and resources, and available time. So, they remain worried about being hacked, in the mistaken belief that it’s going to be too complex for them to put a solution in place.
Fact: Basic cyber security measures can protect against the majority of threats – such as using strong passwords, keeping software up to date and becoming Cyber Essentials accredited. That’s why Ascentor has developed CyberWyse – a smart packaging of the UK’s best-known cyber security measures for SMEs that will provide all you need to protect your business from basic cyber attacks.
Find out more about CyberWyse here.
We’ve shared a number of stats and costs of cyber attacks in this article. However you cut the figures, they suggest that SMEs are simply more vulnerable to cybercrime and, in the worst case scenario, may not survive. To risk an attack, especially through a wrongly held belief that’s easy to fix, could put everything on the line.
If this article has raised awareness of some of the cyber security issues facing SMEs, the next step is to take tangible action. It’s not only essential for your own business, it will send a strong message to your customers that you take cyber security seriously and help you stand out from competitors.
No SME is too small to be attacked; but equally, with the right approach to cyber security, every business has the means to defend itself against the vast majority of attacks.