Cybersecurity of the SME sector - high risk and the need to improve standards
Small and medium-sized businesses are becoming more and more attractive targets for cybercriminals – both direct and also as a starting point for larger attacks across a supply chain. Unfortunately, these companies often lack the experts, systems and budgets to successfuly withstand cyber attacks. Meanwhile, today's business landscape means that any organisation can be potentially at risk, regardless of its size.
Many small and medium enterprises have already realised that they are exposed to the same dangers that affect large corporations. Unfortunately, such reflections often come when they already experience the attack.
According to the Cisco 2018 Security Capabilities Benchmark survey, more than half of all cyber attacks (54%) have resulted in financial losses of over US$500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs.
Bearing in mind the scale of the threat, it is important for small and medium-sized companies to take appropriate steps to protect themselves and their clients and partners.
Over half of medium-sized companies have experienced security breaches
The report "Small, but powerful" by Cisco, concerning the cyber security of small and medium enterprises, presents information collected from 1815 representatives of the SME sector from 26 different countries. The study not only shows the landscape of threats to which "small and medium" is exposed, but also presents tips on how they should defend themselves against attacks in the near future.
According to the report, 53% of respondents experienced a security breach in the last year. Often, these activities had a long-term negative financial impact: loss of income, customers, business development opportunities or additional repair costs
The most important data from the report:
• 30% of companies in the SME sector stated that security incidents cost them less than $100,000, and 20% lost $1,000,000 - $2,499,999.
• Small and medium-sized companies record about 5,000 cyber-security alerts per day.
• Companies from the SME sector analyze 55.6% of alerts related to cyber security.
• The most common types of attacks are those targeted at employees of companies, e.g. phishing (79%), advanced persistent threats - Advanced Persistent Threat attacks (77%), ransomware (77%), DDoS attacks (75%) and the spread of attacks using using the BYOD trend - Bring Your Own Device (74%).
Maximizing the effectiveness of security measures
Increasingly, companies thoroughly analyse cyber security issues and invest in personnel and technologies that will allow them to face the growing scale of threats. In a situation where SME's employ more specialists, they would most often invest in:
• Increasing the safety of endpoints by implementing more advanced anti-malware protection. This is the most common answer given by 19% of respondents.
• Improving the security of network applications - 18%.
• Implementation of anti-intrusion technologies as a key way to stop network attacks - 17%.
In comparison to organisations employing over 1000 people (i.e. those of enterprise class), companies from the SME sector rarely rely on solutions based on technologies such as machine learning or automation. Small and medium enterprises are looking for suppliers who integrate artificial intelligence and machine learning with existing solutions, instead of implementing new, additional projects. An example of a solution that enables this is Cisco Encrypted Traffic Analytics, which has implemented machine learning algorithms that detect malicious code in encrypted traffic without decrypting it.
Companies also take into account the solutions needed to maintain the current work environment, including constantly updating mobile devices connected to corporate networks and the growing importance of applications in the cloud. Adoption of the cloud has significantly increased in recent years: in 2014, 55% of companies in the SME sector maintained part of their network resources in the cloud; in 2017, this number increased to 70%. Companies scale resources and often take into account external security solutions, including those from Managed Security Service Providers.
Because small and medium-sized enterprises have problems recruiting experts responsible for cyber security, they need to maximize existing resources. Over half of these organisations entrust the preparation of a cyber security strategy to external companies. Often, they also outsource the development of responses to possible crises and security monitoring.
What is the recipe for SMEs?
Unfortunately, there is no "miracle cure" for cyberthreat. Organisations can, however, take action to transform their company in terms of security awareness,which is made up of activities promoting network protection both at the employee and organisation level. They can also provide staff with knowledge that will allow them to recognise and avoid situations that may allow an attack to happen.